Four months after a historic accord with Tehran to limit its atomic ambitions, U.S. officials and private security groups say they see a surge in sophisticated computer espionage by Iran, culminating in a series of cyberattacks against State Department officials over the past month.
The surge has led U.S. officials to a stark conclusion: For Iran, cyberespionage — and the power it gives the Iranians to jab at the United States and its neighbors without provoking a military response — is becoming a tool to obtain the influence that many in Iran hoped the nuclear program would give the country.
Over the past month, Iranian hackers identified individual State Department officials who focus on Iran and the Middle East and broke into their email and social media accounts, according to diplomatic and law enforcement officials familiar with the investigation. The State Department became aware of the compromises only after Facebook told the victims that state-sponsored hackers had compromised their accounts.
“It was very carefully designed and showed the degree to which they understood which of our staff was working on Iran issues now that the nuclear deal is done,” said one senior U.S. official who oversees much of that operation and who requested anonymity to discuss a continuing investigation. “It was subtle.”
Iran’s cyberskills are not yet equal to those of Russia or China. But the attack against the State Department, which used the social media accounts of young government employees to gain access to their friends across the administration — a focus that had not been seen before — showed an ingenuity beyond the Russian brute-force attack that infiltrated the State Department’s unclassified email system a year ago.
In the aftermath of the nuclear accord, U.S. intelligence officials have warned senior officials that they expected Iran to ramp up its use of cyberespionage.
The director of national intelligence, James R. Clapper Jr., has told Congress in closed sessions that he believes state-sponsored Iranian hackers are not attempting big attacks that could threaten their ability to reap the financial rewards of complying with the nuclear accord, according to two officials familiar with those briefings. But he said they are stepping up traditional cyberespionage and getting better at it.
“The Iranians have not been as destructive as they could be, but they are getting far more aggressive in cyberespionage, which they know is less likely to prompt a response from the United States,” said James Lewis, who runs the cyberprogram at the Center for Strategic and International Studies in Washington. “They seem very attuned to every stage of implementing the nuclear agreement.”
Congress is responding. In the defense bill lawmakers passed this month, U.S. Cyber Command, which runs the military’s offensive and defensive Internet activities, is instructed to conduct computer war games next year. The games are intended to replicate the threats from China, Iran, North Korea and Russia.
Iranian cyberattacks are hardly new: They arose after the U.S. cyberattacks on Iran’s nuclear facility at Natanz, a covert operation that destroyed upward of 1,000 Iranian centrifuges and drove home to the Iranian leadership the destructive power of computer weapons. The U.S. attacks began toward the end of the Bush administration.
Since then, U.S. government officials and private security researchers say Iranian hackers have been behind a series of powerful attacks against U.S. banks that took their websites offline, as well as a destructive attack at Saudi Aramco, the world’s largest oil producer, that replaced data on employee machines with an image of a burning American flag.
Starting last year, private security researchers say, Iranian hackers began using cyberattacks for espionage, rather than for destruction and disruption.
Beginning in May 2014, researchers found evidence that Iranian hackers were targeting Iranian dissidents, and later policymakers, senior military personnel and defense contractors in the United States, England and Israel, according to a report by iSight Partners, a computer intelligence firm in Dallas.
By December, the list of victims had expanded to include intelligence targets in other countries including Saudi Arabia, the Netherlands and Georgia.
For the most part, researchers said, the attacks were basic “spear phishing” attempts, in which attackers tried to lure their victims into clicking on a malicious link, in this case by impersonating members of the news media. Iranian hackers were successful in more than a quarter of their attempts.
The number of spear phishing attacks reached a climax in May — just ahead of the nuclear talks in Vienna in July — reaching more than 1,500 attempts, according to researchers at Check Point, the Israeli cybersecurity company.
Some researchers witnessed an even more troubling trend: In the months leading up to the talks, Iran’s hackers began probing critical infrastructure networks in what appeared to be reconnaissance for cyberattacks meant to cause physical damage, said John Hultquist, the director of cyberespionage analysis at iSight Partners.
And then something curious happened: In June and July, as U.S. and Iranian negotiators gathered in Vienna to cut a deal on Iran’s nuclear program, attacks against U.S. targets stopped. Not a single phishing attempt was logged by Check Point. And the critical infrastructure probes went silent as well, according to iSight Partners, and have not resumed to this day.
Instead, iSight’s researchers saw Iran’s hackers switch focus. Between June and July, the attackers largely ceased their assault on U.S. targets and began targeting victims in Israel as well as members of the Islamic State in July as Islamic State militants began expanding their territory across Iraq.
And then, in August, just two weeks after the nuclear accord was reached, the trickle of cyberattacks against the group’s usual targets resumed. Check Point’s researchers were able to hack the attackers’ target list, which included 1,600 individuals, from scholars, scientists, chief executives and ministry officials to education institutes, journalists and human rights activists across the globe.
The victims may have never learned of the compromises were it not for a decision by Facebook last month to use a new alert system to notify users when Facebook’s security team believed state-sponsored hackers had hijacked their accounts. Just weeks into the new alert system, State Department officials began to see a troubling message pop up on their Facebook accounts:
“We believe your Facebook account and your other online accounts may be the target of attacks by state-sponsored actors,” the message read.
Some details of the espionage on State Department employees were first reported by The Wall Street Journal.
State Department officials say none of this will affect the coming turning points in the nuclear deal.