Date post: 04-Oct-2020
ARTICLE December 18 2018 10:00:00 GMT

How Iran's Cyber Game Plan Reflects Its Asymmetrical War Strategy

As discord between the United States and Iran continues to rise in 2019, Tehran will reach deeper into its bag of deadly tricks to counter pressure from Washington. While the huge imbalance of power will restrain Iran from engaging in direct military conflict with the United States and its allies, it will retaliate with its asymmetrical arsenal. These weapons [1] include cyberattacks, terrorism and support for its regional militant allies, and they pose a threat to companies and organizations in the Middle East and beyond. But what is most notable is how Iran's strategy for handling conflict in cyberspace mirrors its game plan for physical clashes.

Cyberwarfare and Harassing Skirmishes

worldview.stratfor.com | (512) 744-4300 | [email protected] | P.O. Box 92529, Austin, TX 78709

PDF created for [email protected] and not intended for redistribution.


Stratfor Global Intelligence

Just as Iran is unlikely to challenge the United States in a large-scale military confrontation, it is also unlikely to wage a direct war on it in cyberspace. The United States is simply too strong in both arenas. A comparison of the complexity of the malware tools Stuxnet – tied to the United States and Israel — and Shamoon – linked to Iran — illustrates the difference in capabilities. While the United States is vulnerable to cyberattacks — defense is always more difficult than offense – its overwhelming power could be devastating if unleashed wholesale on Iran.

Despite that reality, both sides will continue preparing for cyberwar. The Iranians, as well as other state cyber adversaries (and some non-state actors), have been conducting surveillance on critical infrastructure in the United States and the West for many years now. And the Americans and their allies have been conducting similar reconnaissance of Iran’s infrastructure. At the Aspen Security Forum in July 2018, U.S. Director of National Intelligence Dan Coats noted that Iran was making preparations to target electrical grids, water plants, and health care and technology companies in the United States, Europe and the Middle East.

But this surveillance doesn't mean that an attack is certain to follow. In much the same way that countries make plans in case of a war, they also prepare for combat in cyberspace by looking for vulnerabilities and possible pathways for attack. Like any war plan, cyberwar plans must be updated to account for changes in operating systems and security measures, because vulnerabilities can disappear. This cyberattack surveillance is reminiscent of how the Iranians and their proxies such as the Hezbollah militant group [2] scrutinize targets and then keep the information handy for "off the shelf" terrorist attacks later.

While a cyberwar remains unlikely, lower-level Iranian attacks against government targets and private companies and organizations are likely to increase. Just this past week, the Italian oil services company Saipem announced that it had been hit in a tailored cyberattack that employed a variant of the Shamoon malware, indicating an Iranian connection. Saipem's largest client is the national oil company of Iran's archrival, Saudi Arabian Oil Co., which is likely why the Italian firm was targeted.

In addition, the London-based cybersecurity firm Certfa, which specializes in tracking Iranian activity in cyberspace, published a report Dec. 13 documenting the efforts of "Charming Kitten," an Iranian advanced persistent threat (APT) group, to launch a phishing attack against the U.S. financial infrastructure. These APT groups are turning their sights on such targets because of U.S. sanctions and the recent expulsion [3] of Iran from SWIFT, the Brussels-based organization that facilitates global financial transactions. (SWIFT stands for the Society for Worldwide Interbank Financial Telecommunication.)


Sending a Message and a Threat

The Iranians have a history of using detectable physical surveillance of sites that could come under possible terrorist attacks as a way to send a message — most frequently during times of heightened tension with the United States. In such operations, Iran dispatches known members or suspected associates of its Islamic Revolutionary Guard Corps, Ministry of Intelligence and Security, or Hezbollah [4] to conduct not-so-subtle surveillance of U.S. targets abroad or even in the U.S. homeland itself as a way of flexing its terrorism muscle. By being seen photographing or videotaping a dam, U.S. electrical substation or embassy abroad, Iran is letting the United States know that Tehran can make retaliatory terrorist strikes on a host of vulnerable targets if Washington attacks Iran with its superior military power.


[Figure: "Countries in Iranian Campaig…" Source: U.S. Department of …]


This same strategy may also apply to Iranian probes of critical U.S. infrastructure in cyberspace. Those actions are useful for planning off-the-shelf attacks, and if (perhaps, more aptly, when) they are detected, they also serve as a way to demonstrate that the Iranians can conduct cyberattacks against crucial systems if they become desperate and have little left to lose.

Cyber Proxies and Mercenaries

Iran frequently uses militant proxies such as Hezbollah to do its dirty work and to provide Tehran with a degree of plausible deniability. And just as Iran has provided [5] its regional proxies with weapons as well as training in terrorist tradecraft, it will continue to supply them with hacking tools and cyberwarfare training. Such support is reflected in the Hamas and Hezbollah campaigns against Israeli military and other targets, and the assistance from Tehran is likely to increase. Using proxies allows the Iranians to pressure regional and global rivals while masking their involvement.

Besides using proxies, the Iranians — like the Russians and Chinese — can also be expected to employ mercenaries as a way to increase their reach and punch in cyberspace. By hiring criminals to design malware or to launch attacks, Iran can also make it more difficult to trace such attacks back to itself.

Again, while outright cyberwar with Iran is unlikely, Tehran can be expected to escalate its current lower-level operations [6]. Iran has rapidly improved its cyberwarfare capabilities over the past year and looks to continue that trend in 2019. As it responds to greater U.S. sanctions and other efforts to weaken its government, it will be important not to underestimate those capabilities.

Referenced Content:
[1] threat-lens-2019-annual-forecast-excerpt
[2] hezbollah-gaming-out-threat-matrix
[3] europe-escape-us-shadow-merkel-trump-maas-handelsblatt
[4] hezbollah-radical-rational
[5] hacking-another-weapon-asymmetrical-arsenal
[6] when-it-comes-cyberattacks-iran-plays-odds
