Last week the American Enterprise Institute (AEI) and the Norse Corporation released a report entitled, “The Growing Cyber Threat from Iran: The Initial Report of Project Pistachio Harvest”, a product of five years of tracking Iranian cyberattacks against the West. The report identifies three primary areas of concern:
- Iran’s escalated investment in cyber technology and training, to the tune of a 1200% spending increase over two years;
- Iran’s expanded offensive cyber abilities;
- Iran’s use of Western technology and businesses to conduct attacks.
The report received extensive media coverage last week, including a feature story in The New York Times. Its findings were also the subject of criticism by several cybersecurity experts; see these articles by Robert M. Lee and Jeffrey Carr. But I wanted to focus on two notable findings of the report: (a) Iran’s investment in universities to enhance its cyber capabilities and (b) its use of western businesses to support cyber attacks.
As the report notes, the Iranian regime has invested large amounts of capital in building IT and other scientific infrastructure at its premier educational institutions, in return for the ability to direct research in ways that further regime objectives. Iran’s large university system benefits from extensive state funding and is intertwined with its state security services. Universities such as Sharif University of Technology, Shahid Beheshti University and the IRGC-affiliated Malek Ashtar University have undergone dramatic changes in focus from supporting nuclear development to building up its cyber cadre. The increased investment in training and education (and Iran’s telecommunications infrastructure) supports both defensive and offensive cyber operations.
The report also discusses how Iran uses businesses in the west to conduct cyber attacks. Ashiyane Digital Security Team is a commercial cyber security firm that also works for the Iranian government. Its technical support and discussion forum is hosted on a server in Ohio (XLHost.com), along with a number of other websites registered to Kamalian, according to the AEI/Norse report. In fact investigations revealed that much of Ashiyane’s online infrastructure is hosted in the United States.
Ashiyane’s home page, forum group, training home page, upload site, and e-magazine are hosted by CloudFlare Inc., a San Francisco company founded for the purpose of helping defend against malicious actors exactly like Ashiyane. It is quite likely, therefore, that CloudFlare was not complicit in facilitating (and presumably receiving payment from) this EU-sanctioned and IRGC-associated hacking collective.
Hosting Ashiyane and providing them access to this technology may violate current UN sanctions. It may violate international sanctions regarding technology transfers to Iran. U.S. companies could be providing Iran access to hardware, software, and Cloud services. If so, this accelerates Iran’s cyber-attack capability without their having to invest in building out the infrastructure. They can simply lease what they need.
The recent Executive Order, “Blocking the Property of Certain Persons Engaging in Significant Malicious Cyber Enable Activities,” may be useful in countering Iran’s use of western businesses for its cyber capabilities. But it is far from complete. We need to identify how U.S. business may be helping (knowingly or unknowingly), what technologies we can use to protect our nation, and the degree to which we can fight back.
Geoff Hancock is the CEO of Advanced Cybersecurity Group and a new senior fellow with the GW Center for Cyber and Homeland Security.