Did Iran Launch a Cyberattack Against the US? Probably Not, New Report Says

It's not really a cyberattack if you don't damage, disrupt or steal.

Apr 27 2015, 4:25pm

Image: The Preiser Project/Flickr

Obama's historic nuclear deal with Iran has divided the American political system. But it has also created opportunities for at least one cyber security firm to score some dubious points with conservative politicians, think tanks and commentators pushing for more hawkish policies towards Iran.

A report last week from the threat intelligence firm Norse and the right-wing American Enterprise Institute (AEI) accused Iran of preparing and conducting "sophisticated cyberattacks" against American industrial control systems—the computers that govern critical infrastructure, such as power plants and traffic grids.

The whitepaper was widely circulated in the media last week, with reporters at Fox claiming that the recent nuclear deal empowered Iran's "cyber-terror army"—a suggestion that the brokering of a successful nuclear deal had given Iran the latitude to pursue an aggressive campaign of cyber warfare.

But others believe that Norse and the AEI's claims might be overblown.

According to researchers from the SANS Institute, the evidence in the Norse/AEI whitepaper supports its conclusions only if you accept what SANS calls dubious methods of attributing the activity to Iran, along with generous definitions of "sophisticated" and "attack."

SANS Institute authors Robert M. Lee, Michael J. Assante and Tim Conway called out the Norse/AEI report, titled "Operation Pistachio Harvest," in a critique of their own published last Friday, arguing that the "cyberattacks" it describes are far more benign than the whitepaper suggests.

Rather, the "attacks" described by Norse are network scans, which are routinely conducted by militaries, academics, hackers and private corporations to map the Internet. For example, network scans were used by Bell Labs in 1998 to map cyberspace and improve the way Internet traffic is routed between geographic locations, and academics at the University of Toronto have used network scans to trace how Canadian data is routed into the United States through their IXmaps project. These and many other scanning projects are hardly cyber attacks, but they are profoundly useful for understanding the hidden geography of the Internet.

Nor are the network scans Norse and the AEI attribute to Iran particularly sophisticated; according to the SANS report, they do not demonstrate any novel way of finding vulnerabilities in computer networks, much less in critical infrastructure systems. The software used to perform such scans is publicly available, written by many different authors and downloadable by anyone.

The researchers from SANS note that these scans are more like reconnaissance than an actual attack—and while reconnaissance might find some security vulnerabilities, this kind of analysis alone is not traditionally categorized as a cyber attack.
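To make the reconnaissance-versus-attack distinction concrete, here is an added example (not code from the Norse, AEI or SANS reports) that classifies per-source network activity from constructed flow records. A scanner sends bare SYN probes to many host/port pairs and never moves any data; a completed session carries payload in both directions. The record layout, the sample flows and the thresholds are all assumptions for illustration, not a standard format.

```python
"""Classify per-flow records into reconnaissance (port/host scans) versus
completed sessions that actually moved data.

Added example, not from the Norse/AEI or SANS reports. The flow records
below are constructed for illustration; the field layout (a simplified
NetFlow-style tuple) and the thresholds are assumptions, not a standard.
"""
from collections import defaultdict

# Constructed sample flows:
#   (src_ip, dst_ip, dst_port, tcp_flags, bytes_to_dst, bytes_from_dst)
# A SYN-only flow with no data in either direction is a probe: the sender
# learned whether the port answers, and nothing else happened.
SAMPLE_FLOWS = [
    ("203.0.113.7", "198.51.100.10", 22, "S", 60, 0),
    ("203.0.113.7", "198.51.100.10", 80, "S", 60, 0),
    ("203.0.113.7", "198.51.100.10", 443, "S", 60, 0),
    ("203.0.113.7", "198.51.100.10", 502, "S", 60, 0),   # Modbus/TCP, a common ICS probe target
    ("203.0.113.7", "198.51.100.10", 102, "S", 60, 0),   # ISO-TSAP, used by Siemens S7 PLCs
    ("203.0.113.7", "198.51.100.11", 502, "S", 60, 0),
    ("203.0.113.7", "198.51.100.12", 502, "S", 60, 0),
    # A real session: handshake completed, data flowed both ways.
    ("192.0.2.44", "198.51.100.10", 443, "SPA", 8_420, 61_200),
    # Another source that made a couple of ordinary connections.
    ("192.0.2.45", "198.51.100.10", 80, "SPA", 1_200, 15_000),
    ("192.0.2.45", "198.51.100.10", 443, "SPA", 2_100, 40_500),
]

# Assumed, tunable threshold: a source is a scanner if it sends SYN-only
# probes to at least this many distinct (host, port) targets and never
# delivers payload to any of them.
PROBE_THRESHOLD = 5


def summarize_sources(flows):
    """Aggregate per source IP: targets merely probed vs. targets with real sessions."""
    stats = defaultdict(lambda: {"probed": set(), "sessions": set(), "payload_bytes": 0})
    for src, dst, port, flags, to_dst, from_dst in flows:
        s = stats[src]
        # A lone SYN (no payload, no reply bytes) is reconnaissance only.
        if flags == "S" and to_dst <= 64 and from_dst == 0:
            s["probed"].add((dst, port))
        else:
            s["sessions"].add((dst, port))
            s["payload_bytes"] += to_dst + from_dst
    return stats


def classify(flows, threshold=PROBE_THRESHOLD):
    """Return {src_ip: label}.

    'scan'        - reconnaissance only: many probes, no data delivered anywhere
    'session'     - at least one completed connection carrying data
    'few-probes'  - a handful of SYNs, too few to call a scan
    """
    labels = {}
    for src, s in summarize_sources(flows).items():
        if len(s["probed"]) >= threshold and not s["sessions"]:
            labels[src] = "scan"
        elif s["sessions"]:
            labels[src] = "session"
        else:
            labels[src] = "few-probes"
    return labels


if __name__ == "__main__":
    for src, label in classify(SAMPLE_FLOWS).items():
        print(f"{src:15} {label}")
```

Note that the source address column tells you where packets arrived from, not who sent them; the classification says whether the traffic did anything, and is silent on attribution.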

Even the Norse report admits that such scans "do not necessarily harm the target machine but, rather, represent an early-stage effort to develop a compromised cyberinfrastructure from which to conduct future attacks of another variety."

Finally there is the tricky issue of attribution, of actually pinning these "attacks" on Iran. Norse and the AEI accuse Iran primarily because the scans appear to originate from Iranian IP addresses, and the report goes to great lengths to justify why that is the most likely explanation. But routing traffic through somebody else's address (a compromised machine, a proxy or a VPN exit in another country) is standard operating procedure for any competent hacker, and as the SANS report points out, source addresses alone do not meet the standard for attribution accepted by the wider cybersecurity community.

In an email conversation, one of the authors of the SANS report, Robert M. Lee, suggested that the Norse/AEI report was rushed, writing that the "narrative of the Iranian cyber attacks was created before the data showed it." While Lee was reluctant to attribute a specific motive to Norse and AEI's whitepaper, he felt that with the recent "negotiations, the narrative of the rising threat, and the desire to showcase something important or high level to grab attention all played a part. It made for great headlines."

The critique of Norse/AEI's work by researchers at SANS is indicative of a language problem over how to define and describe attacks in the cyber security industry. In their critique the SANS authors point out that "Norse is identifying each individual network scan as a cyber attack."

"There are some differing definitions on what constitutes an attack in the community," the report continues, "but under no definition is a scan considered an attack."

Most definitions reinforce SANS's position: an activity that does not damage or disrupt a computer system, or steal private data, is not an attack, and nothing in the Norse/AEI report's descriptions of these "attacks" shows any of those things happening.