Iranian-backed hackers have escalated a campaign of cyberassaults
against U.S. corporations by launching infiltration and surveillance
missions against the computer networks running energy companies,
according to current and former U.S. officials.
In the latest operations, the Iranian hackers were able to
gain access to control-system software that could allow them to
manipulate oil or gas pipelines. They proceeded "far enough to worry
people," one former official said.
The developments show that while Chinese hackers pose
widespread intellectual-property-theft and espionage concerns, the
Iranian assaults have emerged as far more worrisome because of their
apparent hostile intent and potential for damage or sabotage.
U.S. officials consider this set of Iranian infiltrations to
be more alarming than another continuing campaign, also believed to be
backed by Tehran, that disrupts bank websites by "denial of service"
strikes. Unlike those, the more recent campaigns actually have broken
into computer systems to gain information on the controls running
company operations and, through reconnaissance, acquired the means to
disrupt or destroy them in the future, the U.S. officials said.
In response, U.S. officials warn that Iran is edging closer to provoking U.S. retaliation.
"This is representative of stepped-up cyber activity by the
Iranian regime. The more they do this, the more our concerns grow," a
U.S. official said. "What they have done so far has certainly been
noticed, and they should be cautious."
The U.S. has previously launched its own cyberattacks against Iran. The
Stuxnet worm, developed and launched by the U.S. and Israel, sabotaged
an Iranian nuclear facility.
The latest campaign, which the U.S. believes has direct
backing from the Iranian government, has focused on the control systems
that run oil and gas companies and, more recently, power companies,
current and former officials said. Control systems run the operations of
critical infrastructure, regulating the flow of oil and gas or
electricity, turning systems on and off, and controlling key functions.
In theory, manipulating the software could be used to delete
important data or turn off key safety features such as the automatic
lubrication of a generator, experts said.
Current and former U.S. officials wouldn't name the energy
companies involved in the attacks or say how many there were. But among
the targets were oil and gas companies along the Canadian border, where
many firms have operations, two former officials said.
The officials also wouldn't detail the precise nature of the
evidence of Iranian involvement. But the U.S. has "technical evidence"
directly linking the hacking of energy companies to Iran, one former U.S. official said.
Iranian officials deny any involvement in hacking. "Although Iran has
been repeatedly the target of state-sponsored cyberattacks, attempting
to target Iran's civilian nuclear facilities, power grids, oil terminals
and other industrial sectors, Iran has not ever retaliated against
those illegal cyberattacks," said Iran's
spokesman at the United Nations, Alireza Miryousefi. "In the lack of
international legal instruments to address cyberwarfare, Iran
has been at the forefront of calling for creating such instruments. We
categorically reject these baseless allegations used only to divert
attentions."
So far, the infiltrations don't appear to have involved theft
of data or disruption of operations. But officials worry the
reconnaissance undertaken to date will provide hackers the information
they need to do damage in the future. Computer infiltration experts
often identify so-called backdoors in computer systems that permit
repeated entries.
While there is no evidence that systems have been tampered
with, some U.S. officials have likened the types of infiltrations seen
in the U.S. to those at oil company Saudi Aramco that eventually enabled
attacks that destroyed 30,000 computers in August 2012.
It isn't clear whether the hackers are the same individuals
responsible for Saudi Aramco or those involved in the relentless set of
attacks that have bombarded bank websites, temporarily knocking them
offline.
The U.S. Department of Homeland Security earlier this month
warned of an escalation in threats against computerized control systems,
but it didn't cite Iran as the origin of the threat.
In recent months, however, U.S. officials have grown
increasingly alarmed by the growth of what defense officials describe as
a continuing series of cyberattacks backed by the Iranian government,
including its elite Quds Force. The threat has grown quickly; as
recently as 18 months ago, top intelligence officials were largely
dismissive of Iranian hacking capabilities.
Underscoring the Obama administration's growing concern, the
White House held a high-level meeting late last month on how to handle
the Iranian cybersecurity threat. No decisions were made at that meeting
to take action, however, and officials will reconvene in coming weeks
to reassess, a U.S. official said.
"It's reached a really critical level," said James Lewis, a
cybersecurity specialist at the Center for Strategic and International
Studies, who frequently advises the White House and Capitol Hill. "We
don't have much we can do in response, short of kinetic warfare."
The Obama administration sees the energy-company infiltrations as a
signal that Iran hasn't responded to deterrence, a former official said.
In October, then-Defense Secretary Leon Panetta issued a veiled threat to Iran,
which he did not name in his speech, by warning the Saudi Aramco hack
represented a dangerous escalation in cyberwarfare. Since then, the
Iranian attacks have only ramped up.
Unlike Chinese hacking, the Iranian infiltrations and
cyberattacks appear intended to disrupt and possibly damage computer
systems. "The differentiator is the intent. Stealing versus disrupting
raises different concerns," the U.S. official said. "That's why they're
getting a fair amount of attention."
The recent growth of Chinese infiltrations primarily has been aimed at stealing military and trade secrets, not doing damage.
"The Chinese believe in stability, and they operate on a
50-year plan," said Tom Kellerman, vice president of Trend Micro, a
cybersecurity research firm. "Iran
has been successfully ostracized from global economics. It is in their
best interest to pursue destructive cyberattacks to not only empower
themselves but to signal to the Western world they are capable in
cyberspace."
Cybersecurity specialists say the electric-power industry
remains under-prepared to fend off attacks, particularly ones backed by a
foreign government.
"If you were worried about cyberattacks against electric
utilities five years ago, you're still worried today," said Jacob
Olcott, a former cybersecurity aide on Capitol Hill now at GoodHarbor
Consulting. "Some within the electric sector have become more savvy
about security in recent years. Many are not."
Lawmakers on Capitol Hill are stepping up pressure to bolster
cybersecurity in the electric-power sector. Reps. Edward Markey (D.,
Mass.) and Henry Waxman (D., Calif.) issued a report this week citing
security gaps in the computer networks running the electric grid.
Based on a survey of 150 power companies, the report found
that "more than a dozen utilities reported 'daily,' 'constant' or
'frequent' attempted cyberattacks," and one said it was the target of
about 10,000 attempted cyberattacks each month. The report found that
many electric utilities were adopting only mandatory cybersecurity
standards and not implementing voluntary added precautions.