Pierluigi Paganini April 24, 2012

A new cyber attack against Iran, in particular this time the Oil Industry was the target of a Malware Attack. The news was widespread by Officials in the Iranian oil ministry, they say that their network and the country’s main oil export terminal were infected with a malware; due this event the government has taken temporarily systems offline. An instance of the virus used for the attacks was found in the control systems of Kharg Island, the place provides a sea port for the export of oil and extends Iranian territorial sea claims into the Persian Gulf. The operations inside the terminal continued, no recording interruption due to the attack. According Iranian officials only one server was compromised, it was used to provide public information.

We all remember that the nation in 2010 was victims of another cyber attack, when the Stuxnet worm infected control systems inside nuclear plant in Iran. worldwide experts recognized in Stuxnet agents a powerful cyber weapon used to stop the nuclear program of the Iranian government. Immediately, experts have thought of that episode was related to the discovery made in recent months of a platform for the creation of similar cyber weapons, the “Tilded Platform“, assuming that the new virus was created by the same team.  The first news reported in security sector say that the malware used in the attack is not related to Stuxnet, so meanwhile the Stuxnet was developed by foreign governments to attack the Iran, at the moment it’s impossible to make hypothesis on the source of the malware. According the declaration of an Iranian oil ministry spokesperson the virus attacks has infected public servers that were immediately isolated, no particular damage were reported.

The Mehr News Agency revealed the National Iranian Oil Company and other businesses were under attack on Sunday 22th April, no information has been exposed and the attacks were successfully mitigated. It’s clear that behind the attacks there is a defined strategy to mine the main sector of the country, and Oil sector is the most important. The Government of Teharan is involved in a cyber war with the United States and Israel, periodically it reports cyberattacks to its nuclear and industrial sectors, always declaring that minor damage were caused. Earlier this year, head of Iran’s civil defense agency Gholam Reza Jalali said the energy sector of the country has been a main target of cyberattacks over last years.

As usual in similar case are circulating news not confirmed by the official sources. Many expert are convinced it is early to hazard hypothesis of connection with Stuxnet and Duqu. The first news related to the incident indicates that only the website of the oil ministry that was hit during the attacks and that not control systems was infected. If confirmed of course we can resize the impact of incident reformulating new hypotheses on its origin.

John Bumgarner, a security specialist with the think tank U.S. Cyber Consequences Unit, declared to the Reuters Press that the purpose of similar malware is to attack the production processes erasing data and shutting down operations.

“The reason you would put a virus inside this network to erase data is because that causes those facilities to have to shut down”

and to rebuild servers, he told Reuters.

“So during that time the production and refinery operations for Iran could be impacted. And depending on how the virus was written, it could be longer term.”

In the last months the Iran has been banned from the purchase of antivirus systems, a technological embargo with clear implications for the Stuxnet virus attacks and the need for the country to prevent further infections to industrial control systems for critical infrastructures. It was announced an international sanctions to stop the Government of Teheran from obtaining commercial anti-virus software, according to a senior Iranian intelligence official. The reply of Teharan was immediate, the announcement was been made public by FARS news agency, and Iranian Deputy National Security Minister for technical issues Ahangaran said the country is being forced to design its own anti-virus software due to the sanctions. Ahangaran said that Iran is unable update antivirus programs and combat Internet viruses because of the imposed ban.

To respond to the cyber attacks and with the intent to be more active in the cyber warfare Iran has recently announced a series of cyber defense measures spearheaded by the Revolutionary Guards, the unit which already runs every key military program in Iran and many industries.  All the strategic servers of the government moved inside the country and for them special protection measures have taken, the Revolutionary Guard in March also set up an hack-proof communications network for its high-level officials.  These are just last measures in order of times, we must consider that an emerging expertize in cyber warfare. Under Cyber warfare perspective we must consider Iranian expertise. During the protests after the disputed election in 2009 Iran has demonstrated to have the complete control of its cyberspace thanks the collaboration of western companies and to strategic alliance with technologic countries like China. The country is investing in cyber training program and in recruiting of young nationalist building a parallel covert cyber army already engaged to suppress domestic protest that could be easily employed like a cyber weapon against external enemies.

The Iranian Revolutionary Guards Corps, IRGC, seems to have built one of the largest forces of hackers on the planet. “Emperor”, “Iran Hackers Sabotage” these are the names of the main group of hackers that during the last year have conducted several operation like destroy a government database or hack into two candidates’ websites. during the 2005 presidential election. If in terms of cyber offense Iran has a considerable force not so it can be said of cyber defense strategy.

Obviously not all hacking groups in Iran are under government control, emblematic is the case of a group that managed to carry out a fraud to the detriment of some banks in the country for several million dollars.

In May 2010, Ebrahim Jabbari, a provincial Revolutionary Guards commander, declared that the IRGC had the world’s second-largest cyber army at its disposal, the US intelligence is convinced of the potential of groups to the point of recognizing them as among the major cyber threats to the country.

In addition to cyber warriors and mercenaries, the Iran regime also has the control of the private IT firm Ashiyane Security Group, which has coordinated several cyber-attacks from Iran. Its illustrious victims are Mossad, Mossad, defence minister Ehud BarakNASA and several websites in the Arab world. It is clear in my opinion that the cyber strategy aimed against Iran by Western governments are continuing to undermine the nuclear weapons ambitions of Teheran.

The embargo, in addition to reinforcing the belief that the dangerous virus was indeed developed by Israeli agents and / or the U.S., suggests that these countries are focusing their efforts in prelude to a conventional military offensive against Iran.

Are we also close to a military attacks against Iran?

Certainly events like this might make us think that the event is close, but I believe that its strategy against the Iranian government does not provide urgently the option of a military attack. The situation is very complex and there are interests too high that involve nations like Russia and China.

A possible U.S. or Israeli military attack could trigger a dangerous political situation with unpredictable consequences.

Pierluigi Paganini