I was on the front lines when Iran attacked American banks via the Internet. One by one, online banking services were knocked offline: Bank of America, JP Morgan, Citibank, Wells Fargo, CapitalOne, the New York Stock Exchange, and more.
The 2012-2013 attacks, known as Operation Ababil, originated from a group known as the Qassam Cyber Fighters (QCF). QCF is led by Quds Force, whose General Qassem Soleimani was killed last week by US drone strike.
Operation Ababil had three phases, beginning as a simple Distributed Denial-of-Service attack (DDoS) that relied on sheer volume of network traffic to overwhelm web servers. This is a volumetric DDoS attack even bored teenagers can carry out using script-kiddy tools like Low Orbit Ion Cannon. Banks were able to parry these attacks by expanding capacity and offloading network traffic to third parties. But as Operation Ababil continued, the attacks grew more sophisticated, using devious application layer tricks to crash banks’ web services.
I saw the Iranian hackers probe their targets, launch simple attacks, learn, improve, then attack again with deadlier effect. Operation Ababil ended, but their cyberattacks have continued to the present day, growing ever more sophisticated. Iran erased Saudi Aramco computers in 2012. They hacked US Navy computers and a New York dam in 2013. They hacked billionaire Sheldon Adelson’s Las Vegas casino in 2014. They crippled City of Atlanta computers in 2018. They downed a US military drone in 2019.
Now Iran has vowed revenge for the US killing of General Soleimani. So far the only cyber incident has been defacing of a minor US government web site. But many experts predict we can expect Iranian cyberattacks exceeding anything attempted before. One expert warned “attacks could be devastating.”
DHS issued a terror alert on Iran last weekend, warning that “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” The US Cybersecurity and Infrastructure Security Agency (CISA) followed up with an Iran threat analysis titled Increased Geopolitical Tensions and Threats.
Iran has incrementally improved its offensive cyber skills and capabilities over the years since Operation Ababil. Iran may have reached a point where they can inflict considerable damage on US critical infrastructure. Having threatened maximum vengeance for Soleimani’s death, they feel pressure to do something public and spectacular.
There’s no reason to panic, but IT security staff in our banks, airlines, hospitals, electric utilities, telcos, and government agencies should be on heightened alert. And, oh yeah, there’s also a little thing coming up this year called the 2020 elections.
Michael McCormick is an information security consultant, researcher, and founder of Taproot Security.