Tensions between the U.S. and Iran have soared in the last weeks. Washington and Tehran came close to a direct military conflict last month when the U.S. accused Tehran of orchestrating two attacks on oil tankers in the Persian Gulf region, which Iran denied. Then, after an Iranian missile shot down a U.S. drone, the U.S. ordered reactive airstrikes that were called off at the last minute. Instead, it was widely reported that the U.S. Cyber Command in the Pentagon launched cyber-attacks against the Iranian group that have been planning and orchestrating the tanker attacks in the region.
This comes just a year after President Donald Trump announced his decision to withdraw from Iran’s 2015 nuclear accord with world powers and to restore economic sanctions. Adding to this, the channel between the borders of Iran and Oman accounts for approximately 30% of the world’s seaborne oil traffic. The current situation is certainly worrying.
Cyber war is not new: It has existed for some time
Targeting tankers in the Gulf, American warships stepping in to support distressed commercial vessels, atmosphere of fear: we've seen this already, almost 30 years ago, when the U.S. and Iran came to fight in the same Straits of Hormuz. It was the “tanker war” when Iran and Saddam Hussein’s Iraq targeted each other’s oil tankers, posing a threat to international trade.
Could it happen again? It certainly could, but now the scenario is different. There is a “cyber factor” to consider and cyber warfare is part of the response on both sides. The speed at which a cyber-attack can have an effect, with little warning, no amassing of warships or troops, and with no physical presence required anywhere near the targets, removes the need to be on the battlefield and the opportunities for targeting are vast. Counter attacks should be expected - if not already occurring.
Both the U.S. and Iran can use missiles, submarines and frigates to attack and damage commercial and military shipping. But it's not just a battle at sea: Iran's ability to shoot down drones points to conflict in different domains, including the air and most recently in cyberspace. Both the U.S. and Iran have the ability and desire to engage in further sophisticated state-sponsored cyber-attacks, targeting the global shipping sector. There are multiple reports of GPS jamming activities as well as more sophisticated attacks against navigation and communication systems. These attacks can cause major havoc, with attribution being notoriously challenging to pinpoint.
The use of cyber offensive attacks on the international stage is here to stay and must now form part of the threat landscape we all need to be facing.
Cyber-attacks are much more covert in nature compared to kinetic attacks against shipping lanes or vessels. However in a sector that is becoming increasingly automated and connected, so the threat is heightening.
Let us look back at the recent events in the Gulf:
8 May 2019: Iran vows to enrich its uranium stockpile closer to weapons-grade levels if world powers fail to negotiate new terms for its nuclear deal.
12 May 2019: Four oil tankers – two Saudi-flagged, one Norwegian-flagged and one Emirati-flagged – are damaged by explosions in the Gulf of Oman. According to the UAE, the ships were sabotaged. The U.S. accuses Iran's Revolutionary Guards of responsibility. Iran, however, denies any involvement.
14 May 2019: Yemen's Houthi rebels launch a drone attack on Saudi Arabia, striking a major oil pipeline and taking it out of service. Again, Iran is accused of the drone attack.
13 June 2019: Two oil tankers (one Japanese and one Norwegian) are attacked near the Strait of Hormuz. The attacks took place on the same day that Ali Khamenei (Supreme Leader of Iran) met with Japanese Prime Minister Shinzō Abe (who was acting as a facilitator between Washington and Tehran).
20 June 2019: Iranian forces take down a U.S. drone over the Strait of Hormuz, allegedly.
22 June 2019: President Donald Trump initially opts for traditional military strikes on Iran in retaliation for the loss of the drone, but instead appears to approve a cyber strike, as widely reported. The strike targets the computer systems used by the Iranian Army to control missile launchers and allegedly also the computers used to plan the tanker attacks.
5 July 2019: U.K. Royal Marine commandos seize an Iranian-flagged vessel off the Strait of Gibraltar, suspected of breaching European Union sanctions by carrying a shipment of Iranian crude oil to Syria.
8 July 2019: The International Atomic Energy Agency (in charge of verifying compliance with the terms of the nuclear deal) confirms that Tehran has breached the agreed 3.67% limit for enriched uranium.
18 July 2019: Iran says it has seized a foreign oil tanker in the Gulf. A report on state TV says the ship was smuggling oil. However, it does not say which country the crew are from (illegal smuggling has been going on for decades in the Persian Gulf as Iran has the world’s cheapest fuel and that waterway is a vital route). On the same day, President Donald Trump claims that a U.S. Navy ship has destroyed an Iranian drone in a defensive action. Iran denies that any of its drones have been shot down; instead, they suggest the U.S. may have shot down their equipment with friendly fire.
20 July 2019: Iran seizes a British-flagged oil tanker in the Strait of Hormuz. A second tanker was stopped and then allowed to resume navigation.
The age of cyberwar is here
Stuxnet worm, a cyberweapon, was used to target Iranian nuclear facilities in Natanz in 2010. The aim was to disrupt Iran’s nuclear program and force them to agree to a non-proliferation agreement. This was one of the most prominent examples of a malicious computer program that caused physical damage and one of the first known uses of offensive cyber operations as a coercive measure between states.
On the other hand, evidence of the development of the Iranian regime’s cyber offensive capability is the Shamoon attack in 2012 and its reappearance in 2016. The Shamoon wiper malware compromised thousands of workstations across Saudi Aramco, Saudi ministries, and other organizations, causing hundreds of millions of dollars in damage. An Iranian group called ‘Cutting Sword of Justice’ claimed responsibility for the attack, which overwrote the hard drives of Aramco computers with the image of a burning American flag. In December of 2018, the Italian oil services company Saipem had servers in the Middle East, Scotland and Italy compromised by a variant of Shamoon. Notably, Saipem’s biggest client is Saudi Aramco.
There have been several well-known instances where untargeted businesses have been victims of the cyberwar between states, suffering substantial financial consequences. The total cost of WannaCry, which affected users in 150 countries, is estimated to be over $1 billion. The NotPetya attack cost shipping company Maersk over $300 million in lost revenue.
State-sponsored groups are of growing concern, as the objective of their attacks can be anything, from theft of intellectual property and military intelligence to sabotage or disruption of critical infrastructure. No industry is immune to these attacks as the collateral damage can be high profile and, in such cases, the liability is hard to determine.
It is near impossible to attribute blame when it comes to state-sponsored cyber-attacks since the actors protect their anonymity, often operating under fake identities and almost never acknowledging the ownership of their actions – they are typically only discovered when they make mistakes.
What measures do businesses need to take in an event of cyberwarfare?
Undoubtedly, we need to deploy sophisticated detection capabilities and robust defenses to face the above threat.
Nettitude recommend the following actions:
- SHARE THE KNOWLEDGE: Adopt threat intelligence sharing mechanisms and engage in relationships with law enforcement, cyber security agencies and providers, to enrich your understanding of the latest threats and associated TTPs.
- EXTEND THE SCOPE: Do not cover just the technology, but also look at your people and processes. Ensure that senior executives own the cyber security challenge.
- DEFINE THE STRATEGY: Plan and define your cyber strategy around the business-critical assets, with the whole supply chain in mind.
- TEST YOUR ENVIRONMENT. Perform red teaming exercises, penetration testing and vulnerability scanning to evaluate the security of your organization, demonstrating the impact of ‘exploiting’ existing vulnerabilities.
- DEPLOY EFFECTIVE DETECTION CAPABILITY: Unless you constantly monitor your network and process your security logs, you will not be able to spot sophisticated attacks.
To learn more about all of these topics, get in touch with us at firstname.lastname@example.org.