
"Report on Iran Hacking is Bombastic and Unrealistic"

December 3, 2014
Natasha Bowler

On December 2, Cylance, a US-based security company, published a report stating that pro-Iran hackers have been penetrating computer networks in more than 16 countries around the world, including the US, Israel, Pakistan and several European countries for more than two years. IranWire spoke to Collin Anderson, an expert on internet censorship in Iran, to ascertain whether the information regarding "Operation Cleaver" was trustworthy. 

 

Is the Cylance report a reliable study? If not, what reason could Cylance have for putting out unreliable information regarding Iran?

It depends how you define 'reliable study,' there are a few sets of assertions here – facts, rhetoric and interpretations. The overarching thesis is that a set of Iranian actors attempted to compromise international companies and institutions through exploitation of software vulnerabilities and social engineering. That core assertion is most likely true and non-controversial. It should surprise no one that Iran has attempted to extend itself online in the same capacity as every other state, it has national security interests that are often legitimate and approximate to those activities conducted by the United States and its allies. Governments spy on each other.

Everything beyond begins to be less clear. 

It is important to differentiate the targeting of particular entities and the extraction of data with the actual harm caused. That is to say, they could certainly target the US military, and perhaps compromise certain employees. However, that does not imply that they were able to significantly compromise critical infrastructure. Moreover, this does not indicate the level of threat that they pose or the intent. Keep in mind that there is ample incentive for Cylance to assert that Iran and Iranian entities are a unique and highly-advanced threat, these reports tend to be public relations initiatives more than academic contributions. 

As a milestone of sophistication, keep in mind that these Iranian actors have not demonstrated the capacity to stage and execute the level of attacks against infrastructure that Chinese and Russian entities are repeatedly found to have committed against international targets. Within these attacks, there is no use of private or custom-developed exploits, much less the development of new attacks. The software enumerated appears to be quite simple.

Moreover, starting from the name of the report and the letter from the CEO, down to the summary with its last sentence – the rhetoric of the report is bombastic and plays into this unrealistic model of Iran as an international actor. I should expect that IranWire reports would find its portrayal of Iran reductionist and cheap. It implies that the documented attacks are a response to Stuxnet and insinuates that Iran has sought to do damage to critical infrastructure. This occurs without presenting any evidence to that effect. In that respect, Iran makes an excellent target for such reports, everything is fair game, no one will respond to such claims, much less sue or seek restitution.

 

Does Iran have the resources to hack governments and companies to the scale Cylance has reported?

Most entities do, at least to be able to compromise the low-hanging fruit – this requires neither sophistication nor investment in resources. The majority of the tools and exploitation that the actors were described as having used to target or compromise their victims resemble openly-available technologies. The Syrian Electronic Army, which is described as being amateurish but aggressive, engages in somewhat similar activities and has plenty of luck compromising interesting targets. You and I can put up fake registration pages for companies to send out to everyone in a company in the hope that someone tries to log in; an introductory programmer can write malware – these do not require state resources, only time and perhaps a college-level education on computer programming. Iran has plenty of people with both, but neither make for the next Stuxnet and hacking an airport does not imply an interest in taking down airplanes.

 

Are authoritarian regimes increasingly using cyber attacks as a form of control?

Certainly, however, all regimes are using digital espionage as a means of extending state power online, authoritarian or otherwise. Iran has for several years targeted independent media and civil society organizations through electronic means, such as phishing, hacking and malware. Within Small Media's Iran Internet Infrastructure and Policy Reports, we documented cases of these attacks in the lead up to last year's election, which were primarily attempts to socially engineer the credentials to email and social media accounts. However, these are also persistent, and continue to this day. They are neither costly nor require a great number of resources. Moreover, in the same manner, the websites of opposition and independent voices have been subject to attempts to exploit vulnerabilities and poor security policies. Here again, there are plenty of poorly maintained sites; Iran is bound to have success. The latter, hacking, tends to be an attempt to stifle voices and assert their power online, whereas the former is a collection of information.
