U.S. Suspects Iranians Were Behind a Wave of Cyberattacks


By  and 
Published: October 13, 2012 48 Comments

WASHINGTON — American intelligence officials are increasingly convinced that Iran was the origin of a serious wave of network attacks that crippled computers across the Saudi oil industry and breached financial institutions in the United States, episodes that contributed to a warning last week from Defense Secretary Leon E. Panetta that the United States was at risk of a “cyber-Pearl Harbor.”

Jacquelyn Martin/Associated Press

Defense Secretary Leon E. Panetta warned Thursday of the risk of a “cyber-Pearl Harbor.”

World Twitter Logo.

After Mr. Panetta’s remarks on Thursday night, American officials described an emerging shadow war of attacks and counterattacks already under way between the United States and Iran in cyberspace.

Among American officials, suspicion has focused on the “cybercorps” that Iran’s military created in 2011 — partly in response to American and Israeli cyberattacks on the Iranian nuclear enrichment plant at Natanz — though there is no hard evidence that the attacks were sanctioned by the Iranian government.

The attacks emanating from Iran have inflicted only modest damage. Iran’s cyber warfare capabilities are considerably weaker than those in China and Russia, which intelligence officials believe are the sources of a significant number of probes, thefts of intellectual property and attacks on American companies and government agencies.

The attack under closest scrutiny hit Saudi Aramco, the world’s largest oil company, in August. Saudi Arabia is Iran’s main rival in the region and is among the Arab states that have argued privately for the toughest actions against Iran. Aramco, the Saudi state oil company, has been bolstering supplies to customers who can no longer obtain oil from Iran because of Western sanctions.

The virus that hit Aramco is called Shamoon and spread through computers linked over a network to erase files on about 30,000 computers by overwriting them. Mr. Panetta, while not directly attributing the strike to Iran in his speech, called it “probably the most destructive attack that the private sector has seen to date.”

Until the attack on Aramco, most of the cybersabotage coming out of Iran appeared to be what the industry calls “denial of service” attacks, relatively crude efforts to send a nearly endless stream of computer-generated requests aimed at overwhelming networks. But as one consultant to the United States government on the attacks put it several days ago: “What the Iranians want to do now is make it clear they can disrupt our economy, just as we are disrupting theirs. And they are quite serious about it.”

The revelation that Iran may have been the source of the computer attacks was first reported by The Associated Press on Friday.

The attacks on American financial institutions, which prevented some bank customers from gaining access to their accounts online but did not involve any theft of money, seemed to come from various spots around the world, and so their origins are not certain. There is some question about whether those attacks may have involved outside programming help, perhaps from Russia.

Mr. Panetta spoke only in broad terms, stating that Iran had “undertaken a concerted effort to use cyberspace to its advantage.” Almost immediately, experts in cybersecurity rushed to fill in the blanks.

“His speech laid the dots alongside each other without connecting them,” James A. Lewis, a senior fellow at the Center for Strategic and International Studies, wrote Friday in an essay for ForeignPolicy.com. “Iran has discovered a new way to harass much sooner than expected, and the United States is ill-prepared to deal with it.”

Iran has a motive, to retaliate for both the American-led financial sanctions that have cut its oil exports nearly in half, and for the cybercampaign by the United States and Israel against Iran’s nuclear enrichment complex at Natanz.

That campaign started in the Bush administration, when the United States and Israel first began experimenting with an entirely new generation of weapon: a cyberworm that could infiltrate another state’s computers and then cause havoc on computer-controlled machinery. In this case, it resulted in the destruction of roughly a fifth of the nuclear centrifuges that Iran uses to enrich uranium, though the centrifuges were eventually replaced, and Iran’s production capability has recovered.

Iran became aware of the attacks in the summer of 2010, when the computer worm escaped from the Natanz plant and was replicated across the globe. The computer industry soon named the escaped weapon Stuxnet.

Iran announced last year that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran’s Passive Defense Organization, said the Iranian military was prepared “to fight our enemies” in “cyberspace and Internet warfare.” Little is known about how that group is organized, or where it has bought or developed its expertise.