THE GROWING CYBERTHREAT FROM IRAN THE INITIAL REPORT OF PROJECT PISTACHIO HARVEST FREDERICK W. KAGAN AND TOMMY STIANSEN 1150 Seventeenth Street, NW 1825 South Grant Street, Ste. 635 April 2015 Washington, DC 20036 San Mateo, CA 94402 202.862.5800 650.513.2881 www.aei.org www.norse-corp.com THE GROWING CYBERTHREAT FROM IRAN THE INITIAL REPORT OF PROJECT PISTACHIO HARVEST Frederick W. Kagan and Tommy Stiansen April 2015 AMERICAN ENTERPRISE INSTITUTE CRITICAL THREATS PROJECT AND NORSE CORPORATION TABLE OF CONTENTS Executive Summary ....................................................................................................................................... v Introduction ................................................................................................................................................. 1 Intelligence Collection and Analysis Methodology ...................................................................................... 4 Iran: The Perfect Cyberstorm? ...................................................................................................................... 8 What Are the Iranians Doing? .................................................................................................................... 14 Cyberattacks Directly from Iran ................................................................................................................. 24 Conclusions ................................................................................................................................................ 42 Notes .......................................................................................................................................................... 44 Acknowledgments ...................................................................................................................................... 51 About Us .................................................................................................................................................... 52 Figures Figure 1. Iranian Cyberinteractions with the Norse Intelligence Network, January 2014–March 2015 ...... 2 Figure 2. Norse Live Attack Map Demonstrates Attacks Detected against 8 Million Sensors ...................... 5 Figure 3. Norse Intelligence Network ........................................................................................................... 6 Figure 4. Ashiyane Announcement of Defacing a NASA Site .................................................................... 15 Figure 5. Publicly Identified Members of the Ashiyane Hacking Group .................................................... 16 Figure 6. Ashiyane Home Page ................................................................................................................... 17 Figure 7. Ashiyane IT Infrastructure Proxied through the US .................................................................... 17 Figure 8. Cyberattacks from XLHost Systems against Norse Sensors, 2013–15 ........................................ 18 Figure 9. Cyberattacks and IT Systems of Imam Hossein University ........................................................ 25 Figure 10. Cyberattacks and IT Systems of Bank Sepah ............................................................................. 26 Figure 11. Cyberattacks and IT Structure of IRGC Provincial Units and Basij Systems ............................ 29 Figure 12. Visualization of Sharif University Attacks on Norse Systems .................................................... 32 Figure 13. IP Ranges from Sharif University Attacks.................................................................................. 33 Figure 14. IP Ranges from Sharif University Attacks, Colored by Source Port and Date ........................... 34 Figure 15. Sharif IP Addresses with Public-Facing Systems (Green) and Malware Attacks (Red) .............. 35 Figure 16. Attacks from Iranian Systems against Norse Sensors, January–July 2014.................................. 38 iii EXECUTIVE SUMMARY ran is emerging as a significant cyberthreat to the security services. We cannot think of the Iranian cyber- IUS and its allies. The size and sophistication of footprint as confined to Iranian soil. the nation’s hacking capabilities have grown mark- That fact creates great dangers for the West, but edly over the last few years, and Iran has already pen- also offers opportunities. Iranian companies, including etrated well-defended networks in the US and Saudi some under international sanctions and some affiliated Arabia and seized and destroyed sensitive data. The with the Islamic Revolutionary Guard Corps (IRGC) lifting of economic sanctions as a result of the recently and global terrorist organizations like Hezbollah, are announced framework for a nuclear deal with Iran will hosting websites, mail servers, and other IT systems dramatically increase the resources Iran can put toward in the United States, Canada, Germany, the United expanding its cyberattack infrastructure. Kingdom, and elsewhere. Simply by registering and We must anticipate that the Iranian cyberthreat may paying a fee, Iranian security services and ordinary cit- well begin to grow much more rapidly. Yet we must izens can gain access to advanced computer systems also avoid overreacting to this threat, which is not yet and software that the West has been trying to prevent unmanageable. The first requirement of developing them from getting at all. The bad news is that they a sound response is understanding the nature of the are getting them anyway, and in one of the most effi- problem, which is the aim of this report. cient ways possible—by renting what they need from Pistachio Harvest is a collaborative project between us without having to go to the trouble of building or Norse Corporation and the Critical Threats Project stealing it themselves. at the American Enterprise Institute to describe Iran’s The good news is that Western companies own these footprint in cyberspace and identify important trends systems. They could, if they choose, deny Iranian enti- in Iranian cyberattacks. It draws on data from the ties sanctioned for terrorism or human rights violations Norse Intelligence Network, which consists of several access to their systems. Western governments could— million advanced sensors distributed around the globe. and should—develop and publish lists of such entities A sensor is basically a computer emulation designed and the cyberinfrastructure they maintain to facilitate to look like an actual website, email login portal, or that effort, broken down by industry. The entities host- some other kind of Internet-based system for a bank, ing these systems could deal Iran a significant blow in university, power plant, electrical switching station, or this way, while helping to protect themselves and their other public or private computer systems that might other customers from the attacks coming from Iranian- interest a hacker. Sensors are designed to appear poorly rented machines. secured, including known and zero-day vulnerabili- But the Islamic Republic is also using networks ties to lure hackers into trying to break into them. The within Iran to prepare and conduct sophisticated odds of accidentally connecting to a Norse sensor are cyberattacks. Our investigations have uncovered efforts low. They do not belong to real companies or show up launched by the IRGC from its own computer systems on search engines. Data from Norse systems combined to take control of American machines using sophisti- with open-source information collected by the analysts cated techniques. IRGC systems hit ports with known of the Critical Threats Project have allowed us to see and dangerous compromises from many different sys- and outline for the first time the real nature and extent tems over months. They also scanned hundreds of US of the Iranian cyberthreat. systems from a single Iranian server in a few seconds. A particular challenge is that the Islamic Republic These attacks would have been lost in normal traffic has two sets of information technology infrastructure— if they had not all hit Norse sensor infrastructure and the one it is building in Iran and the one it is renting thereby revealed their patterns. and buying in the West. Both are attacking the com- Sharif University of Technology, one of Iran’s pre- puter systems of America and its allies, and both are mier schools, conducted similar automated searches influenced to different degrees by the regime and its for vulnerable US infrastructure using a different v THE GROWING CYBERTHREAT FROM IRAN | FREDERICK W. KAGAN AND TOMMY STIANSEN algorithm to obfuscate its activities. A Sharif IP address vulnerable systems in the US, damage to which could would try to connect with target systems on port 445 cause severe harm to the US economy and citizens. twice within a few seconds. Then a different Sharif IP The good news in all of this is that we know that address would try to connect with a different target on the attacks Norse detected all failed—the sensors they the same port twice within a few seconds. All of the hit were not real systems controlling anything. The IP addresses were clearly owned and operated by Sharif bad news is that we can be certain that these were not University, but none of them hosted any public-facing the only attacks and equally certain that some of the systems. The pattern of attacks, once again, was visible others succeeded. only because so many of them hit Norse infrastructure.