For years, government hackers in Iran and the US went after one another with a vengeance. The US destroyed nuclear centrifuges; the Iranians threatened dams and bled tens of millions of dollars from private institutions caught in the crossfire.
Then the cyberwar, never announced, stopped. Now, as President Donald Trump threatens to walk away from the Iran nuclear deal, and with it an unspoken cyber truce, there are fears the war might reignite.
It could be costly. The last known time that Iranian hackers significantly damaged an American target, in 2014, it cost American gambling mogul Sheldon Adelson millions.
Adelson, a friend of Israeli Prime Minister Benjamin Netanyahu and a major Republican donor, had been highly critical of the Obama administration's attempts to negotiate an end to Iran's nuclear weapons program. Then, on Oct. 22, 2013, at Yeshiva University in New York City, he went a step further, suggesting that instead of talking, the US should bomb the Iranian desert. If that wasn't enough to bring the Iranians to heel, he said, then the US should nuke Iran's capital.
“The next one is in the middle of Tehran,” Adelson said. “So, we mean business. You want to be wiped out? Go ahead and take a tough position and continue with your nuclear development.”
The Iranians fired back, but quietly. Within a month, Iranian hackers were probing the systems of Adelson's Las Vegas Sands casino, and by Feb. 9, 2014, they'd acquired the login credentials of a senior computer systems engineer. The next day, thousands of computers on Sands networks were wiped clean of files.
The hackers were straightforward about why, defacing one Sands site with a photo of Adelson with Netanyahu and placing a warning on another: “Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime.”
Simply recovering data and fixing and replacing equipment cost an estimated $40 million, according to a Bloomberg investigation of the hack.
It was a classic Iranian approach to cyberwar. First, it featured Iran's preference for “wipers” — malware that deletes files en masse after infecting computers. It also was retaliation for a perceived offense. Adelson had cavalierly talked about Iranian nuclear annihilation. So Iran hit him in the wallet and made it clear why.
“They put great emphasis on tit-for-tat, measure-for-measure type of action,” Michael Eisenstadt, director of the Washington Institute's Military and Security Studies Program and an expert on Iran, told BuzzFeed News.
“From their point of view, justice is poetic, and when they’re responding, they’re responding in a way that makes the connection to the initial challenge or provocation from their point of view,” he said. “There’s a lot of logic in connecting it to perceived provocations.”
Since the attack on the Sands, however, there have been no known major destructive attacks by Iranian hackers against an American target. That’s not to say Iranian hackers haven't conducted cyber espionage against the US, Israel, and Saudi Arabia, or that those countries haven’t responded in kind. But it's been nothing like the years that preceded the Sands attack.
Famously, the US, working with Israel and eager to hamper Iranian development of nuclear weapons, built one of the most destructive cyberattacks ever revealed, the Stuxnet worm, and deployed it in 2008. For the two years before it was discovered, it caused an estimated 1,000 Iranian centrifuges to malfunction and destroy themselves, setting back Iranian nuclear research by a year or more. The US then imposed additional sanctions against Iran in 2010 and 2011.
In return, Iranian hackers began a series of distributed denial of service (DDoS) campaigns — relatively unsophisticated attacks that overwhelm a network with traffic and knock it offline — against major US financial institutions, including Bank of America, Citigroup, and PNC. All told, 46 companies were hit between late 2011 and early 2013, causing tens of millions of dollars in damage.
Those finance-focused DDoS attacks are regarded as another case of Iran mounting what it saw as justified, in-kind retaliation, said Michael Daniel, who was the White House cybersecurity coordinator for the latter half of Obama's presidency.
“The conclusion is the Iranians viewed denial of service attacks as completely proportional to the economic sanctions they were experiencing,” Daniel told BuzzFeed News. “From their point of view, they were retaliating against economic aggression against them."
It's unclear to what extent it was inspired by Stuxnet, if at all, but in 2013 Iranian hackers also accessed the online control panels of a small dam in Rye, New York, that had been left relatively unsecured.
“I don’t know necessarily that they were like, ‘we need to go after the dam in New York,’” said Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, which has tracked Iranian hacking for years.
“I think largely they were looking for targets of opportunity. If they can get into one of them, then they’ll call it a win and they’ll be able to use that to demonstrate to themselves and their leadership that they have the capability.”
The intrusion caused no damage, since at the time the dam controls were disconnected from the internet for maintenance, and the intrusion did not become public for two years. But the threat that a hacker could damage US infrastructure, long a fear of federal officials, prompted the US in 2016 to employ its rarely used tactic of naming seven Iranians it deemed responsible and charging them with crimes, despite the unlikelihood of Iran ever extraditing them.
By then, things had quieted down. Negotiations for the Joint Comprehensive Plan of Action, the Iran nuke deal that eased US sanctions and required Iran to slow its nuclear enrichment, had been completed, and the deal was being implemented. Iran turned its cyber attentions elsewhere, largely to its neighbor and rival, Saudi Arabia.
An end to Iranian cyberattacks was never the intent of the nuclear deal, though it may have been a benefit, said Robert Malley, the senior White House negotiator on the nuclear deal and now a vice president at the International Crisis Group, a think tank that encourages nations to engage in diplomacy to solve problems.
“The nuclear deal was never premised on the notion that it would alter their behavior,” Malley told BuzzFeed News. “Rather, it was based on the notion that blocking Iran's path to a nuclear weapon was all the more critical given their behavior.”
Iran didn’t stop hacking, of course. “They shifted their more active operations to targets in the region,” Daniel, the Obama-era cybersecurity coordinator, said, with Saudi Arabia becoming the primary target. “You could conjecture a variety of reasons for why they might do that, but that’s a fair characterization of what happened.”
Daniel declined to say whether the US had engaged in later cyberattacks against Iran that have not been revealed to the public — such information would be classified. But Iran, at least, hasn’t found reason to publicly retaliate in that time.
Saudi Arabia hasn’t been so lucky. Iranians are blamed for continuous attacks on Saudi government computers and telecommunications facilities, said Meyers, who also is a former manager of the State Department's State Cyber Threat Analysis Division.
But the US hasn't been attacked in the same way, though Iranians do conduct surveillance of US targets, something Meyers said they've done for 10 years.
“That has focused primarily on a couple of topic areas," Meyers said. "Dissidents outside and inside Iran has been a continuous target, aerospace defense sector has been a continuous target, and political intelligence sources, think tanks, things . . . that have insight into US policies.”
Recent analysis by FireEye, another prominent cybersecurity firm, found that a new Iranian state-sponsored hacking group, more sophisticated than those seen previously, has been aggressively spying on major oil companies and military contractors. Targets include companies based in the US and South Korea, but all had ties to Saudi Arabia. In each case, the hackers didn’t appear to use wiper malware to cause significant destruction, but they could have. They were essentially flexing their muscles, John Hultquist, FireEye’s manager of analysis, told BuzzFeed News.
“It’s gathering espionage,” he said.
The unspoken cyber truce between the US and Iran could easily collapse if tensions between the two countries reach a breaking point, experts say. Trump's hinting that he might pull out of the 2015 nuclear deal could ratchet up tensions, especially as the war against ISIS, which saw Iran and the US essentially on the same side, winds down.
“If they believe the US is violating the deal, hurting their economy, or trying to undermine the regime's grip on power, regardless of the means we employ, Iran will respond,” said Malley, the Obama-era nuclear negotiator. "There's a fair possibility they would do so by targeting Americans and American interests in ways we have not witnessed in the past few years because they haven't considered it to be in their interest, because they didn't want to provoke a US retaliation.”
While both nations have plenty of tools at their disposal, including economic and diplomatic pressures, resuming cyberwarfare is clearly an option for both.
“There’s potential for this becoming an issue at any time,” Eisenstadt said. “We’re not there yet — I don’t know if it’s four months, six months, a year, year and a half down the road. But I think there’s a good chance we’re on a collision course, and I’m pretty sure cyber will play a role.”
Kevin Collier is a cybersecurity correspondent for BuzzFeed News and is based in New York.