The Global Cyber Threat Environment, Module 11: Iranian Cyber Operations Background

Objectives. Once you have completed the readings, lecture, activity, and assessment, you will be able to: describe the effect that Stuxnet had on Iran's offensive and defensive cyber capabilities; name the two main pillars of Iran's cyber strategy.

Welcome to The Global Cyber Threat Environment, Module 11. This lecture highlights two main pillars of Iranian cyber strategy: ensuring regime survival through surveillance and information disruption, and creating a well-trained cyber workforce able to engage in both offensive and defensive cyber operations.

Iran's focus on developing sophisticated surveillance technologies was born from events during the country's 2009 presidential election. Fed up with the arch-conservative policies of President Ahmadinejad, Iranian citizens voted in record numbers, and most polling suggested that a reformist candidate, Mir Hossein Mousavi, had won. A few days after the voting, however, the Iranian government announced that Ahmadinejad had won by a landslide, with 63% of the vote. Many Iranian citizens immediately concluded that the election had been rigged, and within a few days tens of thousands of Iranian youth took to the streets in protest. Government police met them ferociously, prompting the largest public protests the Iranian Republic had experienced since its founding three decades earlier, protests that were banned by the Iranian government. The government eventually regained control of the country, but only after the kidnapping, torture, and murder of many protest organizers. The Iranian government later researched the event to determine how the protests had spread so quickly. The answer? Nearly one million Iranian citizens had access to smartphones, enabling many to quickly record videos of protesters being shot or taken to jail by secret police and share them on sites like Facebook and Twitter.
As a result, the government banned such social media sites. To avoid a repeat performance in the 2013 Iranian presidential election, government officials blocked access to virtual private networks as well, so that citizens could not circumvent government firewalls to reach the social media sites. This 2009 Green Revolution highlights the logic behind one of the two main pillars of Iranian cyber defense strategy: to ensure regime survival through widespread surveillance and the blocking of information deemed subversive.

One year later, the effects of Stuxnet, one of history's most powerful cyber weapons, prompted the development of the second pillar of Iranian cyber defense strategy: creating a well-trained cyber workforce for both offensive and defensive cyber operations. The Stuxnet computer worm was designed to affect specific types of industrial control systems manufactured by Siemens. The worm was introduced into a nuclear facility in Natanz, Iran, which housed giant centrifuges producing highly enriched uranium used for nuclear weapon production. After working its way into the industrial systems controlling the centrifuges, the Stuxnet worm could vary the speed of the centrifuges while sending signals to Iranian operators that they were spinning normally. Most uranium centrifuges must run at highly precise rates. The varying speeds caused many of the centrifuges to explode, and they had to be replaced. Initially, Iranian scientists believed that operator error or faulty design was to blame. Finally, in 2010, independent cybersecurity analysts investigating the situation determined that the centrifuges had been disrupted by a sophisticated computer worm. No individual or country has ever officially taken responsibility for producing Stuxnet.
The New York Times has reported, however, that based on its complexity and the likely expense involved in creating it, Stuxnet was almost certainly engineered by a technologically advanced nation state such as the United States.

After Stuxnet, the years 2011 and 2012 saw additional malware intrusions into Iranian networks. The Duqu malware, discovered in 2011, is believed to be related to the Stuxnet worm. It exploited vulnerabilities in Microsoft Windows and was likely engineered to spy on computer systems. The Flame malware, discovered in 2012, was also likely engineered for spying, but it was much more sophisticated, with the ability to capture audio recordings, keyboard activity, and network traffic, and possibly even to grab contact information from nearby Bluetooth-enabled devices. The Flame malware infected computer systems throughout the Middle East, but Iran suffered the most.

In response to these malware intrusions, the Supreme Leader of Iran ordered the creation of a Supreme Council of Cyberspace to pool the country's cyber talent and stem the damage from the onslaught of malicious attacks. Iran's leadership, determined to prevent future attacks on Iranian critical infrastructure, has likely invested billions of dollars in training a cyber workforce and building cyber defenses. The Islamic Revolutionary Guard Corps, or IRGC, is an organization of elite military personnel with the capability to conduct various types of special warfare tactics, both on the ground and in cyberspace. Although initial training in computer science and malware takes place within Iran's universities, the IRGC cultivates selected individuals into highly skilled offensive and defensive cyber warriors. Reports indicate that the IRGC cyber warfare program employs nearly 2,400 people. In addition to the IRGC program, Iran has created the Maher Center for Information Security, which operates as part of its Information Technologies Ministry.
The Maher Center defends Iranian governmental and military networks and conducts research into malware engineering, possibly for use in future attacks. In an offensive move, Iran launched multiple network reconnaissance campaigns to gain proprietary information about the critical infrastructure systems of more than a dozen countries. These efforts targeted oil and gas production, major defense contractors, airports, telecommunications, and even U.S. military installations.

In August 2012, Iran initiated a massive counterattack against Saudi Arabia. Using the Shamoon virus, which was partially reverse engineered from the Flame malware, Iran corrupted more than 30,000 computers at the Saudi oil company Aramco. A month later, Iran slightly disrupted multiple U.S. banks and even the New York Stock Exchange via distributed denial of service, or DDoS, attacks. In 2013, Iranian hackers attempted to shut down a large flood control dam in New York State. The FBI has stated that the hackers were working on behalf of the IRGC, and the attack on the dam may have been in retaliation for the United States' suspected role in Stuxnet. The hackers purportedly attempted to access the dam's industrial control system but could not do so because the system had been disconnected from the internet for routine maintenance. The attempt was unsuccessful, but it demonstrates the move Iran is making from a regional to a global cyber power.

Although Iran's revenge attacks have been somewhat impressive in terms of ingenuity, none has seemed to require an exceptional degree of sophistication. However, experts are now concerned that Iran may develop its offensive cyber capability quickly and markedly. In January 2016, the United States, along with the international community, reached a deal with Iran on its nuclear program. As part of the deal, the majority of previous economic sanctions on Iran were lifted, including restrictions on its ability to export oil and import advanced technologies.
Because the country had already conducted damaging cyber attacks during the sanctions period, and with the effects of decades-long economic sanctions quickly dissipating, Iran will likely be a cyber force to be reckoned with in the near future.

Quiz Question 1 (True or False): Defeating the United States in an all-out cyber war is the goal of Iran's government.
A. True
B. False
The answer is B. False.

Quiz Question 2 (True or False): The Stuxnet worm specifically targeted computers associated with the Iranian Ministry of Interior.
A. True
B. False
The answer is B. False.

Activity: Who do you think was behind the creation of the Stuxnet worm? Consider all the domains of knowledge one would have to master to create a worm as sophisticated as Stuxnet, and write them down. For instance, what type of programmable logic controllers was used in the Natanz nuclear facility? What type of centrifuges was believed to be used? Include in your summary how you think the worm's creators managed to jump the air gap supposedly protecting the computers at the Natanz facility. After you have finished your list, estimate how many man-hours it must have taken to create the code for Stuxnet.