Last week, a number of organizations reported that Iranian oil infrastructure had gone offline in response to malware of some sort. The Iranian Oil Ministry claims the attack only affected user data, not actual production equipment, and others have indicated that the malware did not target industrial control systems. So while the whole incident might seem reminiscent of Stuxnet, the reality doesn’t quite match up to that prior incident. In fact, we don’t know at this time whether they simply had to deal with commodity malware of some sort (though that seems like a stretch), or a reconnaissance attack gathering user data, as the Iranians claimed, or some other scenario.
Side note: this reminds me of the lack of utility of the term “advanced persistent threat”. If we don’t use it as a euphemism for a particular nation-state actor, then clearly we can consider the United States and Israel as APT-type adversaries for Iran, among other potential targets. While Israel continues to talk about a possible kinetic strike on Iranian nuclear facilities despite internal controversy, disabling those same facilities via attacks in the cyber domain has lots of benefits: drastically reduced collateral damage, deniability of a covert operation, and reduced risk of generating empathy for the regime among the Iranian populace.
Recent Congressional hearings convened to discuss whether Iran’s cyber abilities constitute a significant threat to the US. Personally, I consider it highly unlikely that any serious assessments would be unclassified, so these public hearings strike me as a sort of political Kabuki theater as follow-up to previous assessments including Iran as a cyber threat, though those had more meat to them. We have to consider the possibility that this gets so much play due to interest in conflict with Iran by hawkish elements in government and related commercial power structures. The nature of power leads to its active use. Uncharitably, we might say that power is no fun if not wielded, but more realistically that dormant power leads to atrophy.
That doesn’t mean we shouldn’t consider the range of Iranian cyber capability. I don’t have sufficient data or background on Iran to take a real stab at analyzing that [1], but we can ask reasonable questions. Can a small isolated nation develop the required mindset in its personnel (cf. DPRK)? (Probably so, though it might take more effort and broad collaboration with friendly organizations to get there.)
Consider, too, the nature and value of threat intelligence. The risk reduction for most private organizations stems from potentially attributing attacks to Iran and mapping out indicators of compromise, whether technical, methodological, or otherwise. Preventive controls likely would not change appreciably due to an Iranian threat: we in the US and much of the West in general have all sorts of commercial sanctions against Iran, so we rarely have to consider how to secure transactions and partner networks like we do in the case of Russia, Eastern Europe, China, and similar states. Appropriate governmental groups can also track units or other sponsored actors for possible counter strikes (CNA/CNE), although at this point I’ve ventured out of the scope of speculation where I feel knowledgeable enough to ask good questions.
1: However, you might follow Ali-Reza Anghaie (@packetknife) for a far more informed perspective.