伊朗上周向伊拉克的两个美国军事基地发射了20多枚导弹后不久,该国外交部长在推特上表示,伊朗已经“结束”了对少将·卡西姆·苏莱曼尼遇刺事件的“相称”回应。
美国军方很少有人对这一声明进行表面评价。伊朗可能会利用其在中东和其他地方的代理团体网络,加紧对美国的骚扰。如果以历史为鉴,这种反应将包括针对美国政府、公司和知名人士的网络攻击——甚至可能包括2020年的选举。
“我认为伊朗还没有完,”乔恩·贝特曼说,他是美国国防情报局前伊朗问题专家,现在是卡内基国际和平基金会的研究员。他说,大门是敞开的,“更隐蔽或更有可能被否认的后续行动”。网络经典是工具之一。”
尽管伊朗被认为不是世界上最可怕的网络威胁之一——它的项目落后于俄罗斯和中国——但该国仍然有能力造成巨大的破坏。它过去的网络攻击具有不可预测性的特点,不清楚近年来它的能力提高了多少。
网络攻击会给伊朗在美国造成多大的破坏?
十年前,伊朗经受住了一场复杂的网络攻击,使其核武器计划受挫。人们普遍认为,美国和以色列已经发射了一种智能惊人的恶意软件,名为“震网”,它小到足以安装在拇指驱动器上,但又足够智能,像热寻导弹一样通过互联网进入德黑兰戒备森严的核计划。震网不仅摧毁了用于制造炸弹级铀的铀离心机,还通过给监控设备的工程师制造一种虚假的常态假象来伪装自己——直到为时已晚。“伊朗...爱德华·斯诺登在2013年发布的美国国家安全局报告《拦截》中称。
苏莱曼尼遇害后紧张局势加剧,美国网络专家担心未来几个月伊朗支持的网络攻击。
最大的担忧是
伊朗最令人担忧的网络威胁是那些可能导致生命损失的威胁。在这方面,伊朗有能力利用黑客来支持某种常规军事行动,例如轰炸或暗杀个人或绑架。它还可以使用网络间谍活动或数据收集技术来监控中东地区的军队、船只或飞机的移动,并以他们为攻击目标。
为了进行有针对性的暗杀,伊朗需要汇集各种情报。用恶意软件感染手机会让它获得丰富的信息——包括潜在的目标的实时行踪。电话黑客可以提供专家称之为“生活模式”的信息——个人倾向于去哪里,什么时候去——这些信息可以用来预测目标的下落。通过获取电话、电子邮件、短信和联系人列表,黑客甚至可以操纵目标无意中进入陷阱。贝特曼说:“伊朗通过其代理人,甚至可能是直接,在国外进行了许多定点清除。”。“在2020年,这将包括一个网络元素。任何一个州都会使用它。”
在移动设备上安装恶意软件并不像你想象的那么难。最简单的方法是通过“社会工程”——欺骗目标泄露密码等泄露机密的信息,或者像2016年俄罗斯特工与克林顿竞选主席约翰·波德斯塔一样安装恶意软件。近年来,流行的消息应用WhatsApp和I消息存在“不点击”漏洞——软件漏洞允许黑客通过发送消息植入恶意软件,而不需要目标方采取任何行动。尽管这些特定的无点击漏洞已经被修补,但可能还有其他漏洞。众所周知,伊朗过去没有利用这些漏洞,但这并不意味着将来也不会。
虚假信息运动
另一个担忧是,伊朗可能会制造虚假信息,以煽动暴力。贝特曼说,最近几个月,伊朗支持的团体利用社交媒体分享关于美国军方的虚假数据——一个广为流传的说法是,美国海军陆战队逮捕了一名伊拉克议员。“激起对美国军队的愤怒和不信任,并煽动针对他们的暴力的行为将是令人担忧的,”他说。
尽管伊朗并没有像俄罗斯在2016年前所做的那样,建立起那种大规模的误导机构来制造分裂,但可以想象,如果伊朗愿意,它可以通过其他方式来影响2020年的选举。伊朗在入侵和进入计算机系统方面有很好的网络攻击能力。这些技能可能有助于发现和泄露敏感信息——类似于俄罗斯2016年对民主党全国委员会的黑客攻击。美国官员怀疑伊朗是幕后黑手2015年袭击贝特曼说,沙特外交部揭露了随后泄露的机密外交电报。
伊朗曾一度试图黑进特朗普竞选团队。10月份,微软报道称,一个名为磷的黑客组织(Phoepip)试图识别2700多个电子邮件账户,并攻击了其中的241个,包括一些与美国政治活动有关的账户。这华尔街日报后来据报告的受到攻击的竞选是特朗普的。在微软关闭之前,黑客们成功地闯入了四个账户,没有一个与此次活动有直接联系。微软在10月份的声明中表示:“这一努力表明磷的积极性很高,愿意投入大量的时间和资源从事研究和其他信息收集手段。”。
伊朗总统哈桑·鲁哈尼。德黑兰可能攻击美国政府或知名人士。
伊朗也可能对投票机构成看似合理的威胁。尽管美国的选举制度支离破碎,但伊朗可能会试图损害关键地区的投票基础设施,传播恐惧、不确定性和怀疑。破坏美国人对选举合法性的信心可能比篡改实际投票结果更不稳定。
专家表示,这种策略对伊朗来说不符合其性格,因为伊朗过去对美国的政治选举制度不太感兴趣。从伊朗的角度来看,美国两党的政策没有太大区别。贝特曼说:“伊朗经历了持续40年的两党一致认可的压力运动。”。“但索莱曼尼的遇害比美国以往的行动更具个人色彩,因为他与最高领导人[·阿约塔拉·阿里·哈梅内伊关系密切,所以我不排除有人试图让唐纳德·特朗普难堪或伤害他个人。”
软公司目标
对伊朗来说,扰乱企业既是其特征,也是其目前的网络能力所及。尽管伊朗无法与苹果、谷歌、脸书、亚马逊和微软等科技巨头取得很大进展,但无数其他组织容易遭到黑客攻击,包括许多银行、化工厂、炼油厂、制药公司、水处理计划和电网。在过去十年里,伊朗很可能一直在这类组织中安装恶意软件,并潜伏多年,直到合适的时机。“这叫做‘准备战场’”,纽约哥伦比亚大学计算机科学教授史蒂文·贝洛文说,他是国防组织的顾问。“你像睡眠细胞一样等待,直到你有三四个化工厂和两个发电厂,然后你就行动。”
恶意软件可能会根据伊朗的信号激活,然后进行协调的网络攻击。这可以采取多种形式。在一家发电厂,恶意软件可能导致涡轮机旋转不稳定,最终导致它们崩溃——这正是震网拆除铀离心机的方式——关闭部分电网。在一家制药公司,恶意软件可能会改变从工厂生产的药丸的剂量,造成恐慌。
专家称,伊朗不太可能发动一场导致重大生命损失的网络战争。例如,尽管它可能使用恶意软件来破坏发电厂,但它不太可能造成足以造成美国电网长期断电的大规模破坏。“一场真正的网络战争将摧毁关键的基础设施,杀死数百万潜在的人,”斯科特·博格说,他是一个专门研究网络安全的非营利研究组织——美国网络后果小组的主任。“如果我们完全在谈论真正的网络战争,伊朗没有能力。”
震网恶意软件也不太可能被伊朗工程师复制。这种武器需要的不仅仅是专家编程:它需要大量的情报收集来找出如何将病毒发射到伊朗核工程师已经安装在铀离心机中的精确计算机芯片上。专家认为,伊朗根本没有专业知识或资源来开发如此大规模的恶意软件。贝特曼说:“网络武器或恶意软件,并不像只是从街上捡起一把被人扔下的枪,然后装上子弹自己开枪那么简单。”。“网络操作是一系列复杂的事件,在这些事件中,你需要理解和渗透一个特定的目标,并努力达到你想要达到的特定效果。”
学习曲线
博格说,不利于伊朗网络能力的一个因素是对政府的不信任。尽管伊朗在计算领域拥有相当多的人才,但伊朗及其海外侨民中最有能力的黑客与阿亚图拉意见不一,因此他们拒绝合作。“伊朗黑客团体在政治上更加温和,”他说。"不变得有点国际化和温和,很难获得技术专长."
“但如果你能冒犯他们,让他们团结在他们的领导人周围,”他说,“伊朗可能在短时间内——几个月内——成为一个强大的网络强国。”
THIS IS WHAT AN IRANIAN CYBERATTACK ON THE US WOULD LOOK LIKE
Shortly after Iran lobbed two-dozen missiles into two U.S. military bases in Iraq last week, the country's foreign minister tweeted that Iran had "concluded" its "proportionate" response to the assassination of Major General Qassem Soleimani.
Few people in the U.S. military are taking this statement at face value. Iran is likely to step up its harassment of the U.S. using its network of proxy groups in the Middle East and elsewhere. If history is any guide, that response will include cyber attacks against the U.S. government, companies and high-profile individuals—and possibly even the 2020 elections.
"I don't think Iran is finished," says Jon Bateman, a former Iran expert at the U.S. Defense Intelligence Agency and now a fellow at the Carnegie Endowment for International Peace. The door is open, he says, to "follow-on actions that are more covert or more plausibly deniable. Cyber classically is one of the tools."
Although Iran isn't considered to be one of the world's most formidable cyber threats—its program lags behind Russia's and China's—the nation is still capable of causing a great deal of disruption. Its past cyber attacks have been characterized by unpredictability, and it's unclear how much its capabilities have improved in recent years.
How much disruption could Iran cause in the U.S. with a cyberattack?
It's been a decade since Iran weathered a sophisticated cyber-attack that set its nuclear weapons program back on its heels. The U.S. and Israel are widely thought to have launched an astonishingly intelligent bit of malware called Stuxnet, which was small enough to fit on a thumb drive but smart enough to wend its way like a heat-seeking missile through the internet to penetrate Tehran's heavily-fortified nuclear program. Not only did Stuxnet destroy uranium centrifuges, used to make bomb-grade uranium, it disguised itself by creating a false appearance of normalcy to the engineers who monitored the equipment—until it was too late. "Iran... has demonstrated a clear ability to learn from the capabilities and actions of others," said an NSA report released by Edward Snowden and reported in 2013 by The Intercept.
Heightened tensions in the aftermath of the Suleimani killing have U.S. cyber experts worried about Iran-backed cyber attacks in the months to come.
The big worries
The most worrying cyber threat from Iran are those that could result in a loss of life. In this respect, Iran is capable of using hackers to support some kind of conventional military action, such as a bombing or the assassination of an individual or a kidnapping. It could also use cyber espionage or data collection techniques to monitor the movement of troops, ships or planes in the Middle east and target them for attack.
To conduct a targeted assassination, Iran would need to bring together a variety of streams of intelligence. Infecting mobile phones with malware would give it access to a cornucopia of information—including potentially the real-time whereabouts of targets. A phone hack could provide what experts call "pattern of life" information—where an individual tends to go, and when—that could be used to predict a target's whereabouts. By gaining access to phone calls, emails, text message and contact lists, hackers could even manipulate a target to walk unwittingly into a trap. "Iran has conducted many targeted killings abroad through its proxies and, perhaps, directly," says Bateman. "In 2020 that would include a cyber element. Any state would use that."
Installing malware on a mobile devices is not as hard as you might think. The simplest method is through "social engineering"—tricking targets into divulging compromising information such as passwords or, as Russian operatives did with Clinton campaign chairman John Podesta in 2016, installing malware. In recent years, popular messaging apps WhatsApp and iMessage have had "no-click" vulnerabilities—software bugs allow hackers to implant malware simply by sending a message, without requiring any action on the part of the target. Although these particular no-click vulnerabilities have since been patched, there could be others. Iran is not known to have exploited these vulnerabilities in the past, but that doesn't mean they wouldn't in the future.
Disinformation campaigns
Another worry is that Iran could generate disinformation for the purposes of inspiring violence. In recent months, Iran-backed groups have used social media to share false data about the U.S. military—one widely-circulated claim was that U.S. Marines had arrested an Iraqi Parliamentarian, says Bateman. "Actions that kind of foment anger and distrust of U.S. forces and incite violence against them would be concerning," he says.
Although Iran doesn't have the kind of massive misinformation apparatus in place to sow division, the way Russia did in the run-up to 2016, it's conceivable that Iran could seek to influence the 2020 election, if it wanted to, by other means. Iran has good cyber-attack chops in breaking and entering computer systems. These skills could be useful for finding and leaking sensitive information—similar to Russia's hack of the Democratic National Committee in 2016. U.S. officials suspect that Iran was behind the 2015 attack on the Saudi Ministry of Foreign Affairs, which uncovered confidential diplomatic cables that were subsequently leaked, according to Bateman.
Iran was already caught once trying to hack the Trump campaign. In October, Microsoft reported that a hacker group called Phosphorous, which it believes is linked to the Iranian government, made more than 2700 attempts to identify email accounts and attacked 241 of them, including some associated with a U.S. political campaign. The Wall Street Journal later reported that the campaign under attack was Trump's. The hackers had succeeded in breaking into four accounts, none directly linked to the campaign, before Microsoft shut it down. "This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering," Microsoft said in its October statement.
Iranian President Hassan Rouhani. Tehran could attack the U.S. government or high-profile individuals.
Iran could also pose a plausible threat to voting machines. Although the U.S. election system is fragmented, Iran could try to compromise voting infrastructure in key districts, spreading fear, uncertainty and doubt. Undermining Americans' faith in the legitimacy of the election could be even more destabilizing than tampering with the actual vote results.
Experts say that such a tactic would be out of character for Iran, which in the past hasn't shown much interest in the U.S. political election system. From Iran's point of view, there isn't much difference between the policies of the two U.S. parties. "Iran sees a consistent four-decade-long pressure campaign that has bipartisan approval," says Bateman. "But the killing of Soleimani is more personal than previous U.S. actions because of the relationship he had with the Supreme Leader [Ayotallah Ali Khamenei], so I wouldn't rule out something that sought to embarrass or harm Donald Trump personally."
Soft corporate targets
Disrupting corporations is both in character for Iran and well within its current cyber capabilities. Although Iran wouldn't be able to make much headway with tech giants like Apple, Google, Facebook, Amazon and Microsoft, myriad other organizations are vulnerable to hacking, including many banks, chemical plants, oil refineries, pharmaceutical companies, water treatment plans and the electrical grid. It's likely that Iran has been installing malware in such organizations over the past decade, to lie dormant for many years until the right moment. "It's called 'preparing the battlefield'," says Steven Bellovin, a computer-science professor at Columbia University in New York who consults for defense organizations. "You wait, like sleeper cells, until you have three or four chemical plants and a couple of power plants, and then you act."
The malware would presumably activate on a signal from Iran and then proceed to carry out a coordinated cyber attack. This could take many forms. In a power plant, malware could cause turbines to spin so erratically that they eventually broke down--which is exactly how Stuxnet took out the uranium centrifuges--shutting down portions of the grid. In a pharmaceutical company, malware could change dosages in pills coming off a factory line, sowing panic.
It's unlikely that Iran has the capacity for waging a cyber war that results in significant loss of life, experts say. For instance, although it could use malware to damage power plants, it would not likely be able to cause damage on enough of a scale to create a prolonged outage of the U.S. electrical grid. "A real cyber war would destroy critical infrastructure, killing potentially millions of people," says Scott Borg, director of the U.S. Cyber Consequences Unit, a non-profit research group specializing in cyber security. "If we're totally talking about real cyber war, Iran has no capability."
The Stuxnet malware is also not likely to be replicated by Iran's engineers. That weapon required more than just expert programming: it required a massive amount of intelligence gathering to figure out how to launch the virus to the exact computer chips the Iranian nuclear engineers had built into their uranium centrifuges. Iran simply doesn't have the expertise or the resources to develop malware on such a scale, experts believe. "Cyber weapons, or malware, aren't as simple as just picking a gun off the street that someone has dropped and then loading it and firing it yourself," says Bateman. "A cyber operation is a complex sequence of events, in which you need to understand, and penetrate, a specific target and work your way up to a specific effect you'd like to achieve."
Learning curve
One factor working against Iran's cyber capabilities, says Borg, is distrust of the government. Although Iran possesses considerable talent in the realm of computing, most capable hackers in Iran and its diaspora don't see eye-to-eye with the Ayatollah, and therefore they withhold cooperation. "The Iran hacker groups are more moderate politically," he says. "It's hard to acquire technological expertise without becoming a little cosmopolitan and moderate."
"But if you could offend them enough to get them to rally around their leaders," he says, "Iran could become a formidable cyber power in a short time—a matter of months."
