
WASHINGTON — In February, a year after the Las Vegas Sands was hit by a devastating cyberattack that ruined many of the computers running its casino and hotel operations, the director of national intelligence, James R. Clapper Jr., publicly told Congress what seemed obvious: Iranian hackers were behind the attack.


Sheldon G. Adelson, the billionaire chief executive of Sands, who is a major supporter of Israel and an ardent opponent of negotiating with Tehran, had suggested an approach to the Iran problem a few months before the attack that no public figure had ever uttered in front of cameras.



“What I would say is: ‘Listen. You see that desert out there? I want to show you something,’ ” Mr. Adelson said at Yeshiva University in Manhattan in October 2013. He then argued for detonating an American nuclear weapon where it would not “hurt a soul,” except “rattlesnakes and scorpions or whatever,” before adding, “Then you say, ‘See, the next one is in the middle of Tehran.’ ”


Instead, Tehran directed an attack at the desert of Nevada. Now a new study of Iran’s cyberactivities, to be released by Norse, a cybersecurity firm, and the American Enterprise Institute, concludes that beyond the Sands attack, Iran has greatly increased the frequency and skill of its cyberattacks, even while negotiating with world powers over limits on its nuclear capabilities.


“Cyber gives them a usable weapon, in ways nuclear technology does not,” said Frederick W. Kagan, who directs the institute’s Critical Threats Project and is beginning a larger effort to track Iranian cyberactivity. “And it has a degree of plausible deniability that is attractive to many countries.”


Mr. Kagan argues that if sanctions against Iran are suspended under the proposed nuclear accord, Iran will be able to devote the revenue from improved oil exports to cyberweapons. But it is far from clear that that is what Iran would do.


When Mr. Clapper named Iran in the Sands attack, it was one of the few instances in which American intelligence agencies had identified a specific country that they believed was using such attacks for political purposes. The first came in December, when President Obama accused North Korea of launching a cyberattack on Sony Pictures. Other United States officials have said that Iran attacked American banks in retaliation for sanctions and that it destroyed computers at the oil giant Saudi Aramco in retaliation for the close Saudi ties with the United States.



The evidence from the Norse report, along with analyses by American intelligence agencies, strongly suggests that Iran has made much greater use of cyberweapons over the past year, despite international sanctions. The attacks have mostly involved espionage, but a few, like the Sands attack, have been for destructive purposes.


In the report, to be released Friday, Norse — which, like other cybersecurity firms, has an interest in portraying a world of cyberthreats but presumably little incentive in linking them to any particular country — traced thousands of attacks against American targets to hackers inside Iran.



The report, and a similar one from Cylance, another cybersecurity firm, make clear that Iranian hackers are moving from ostentatious cyberattacks in which they deface websites or simply knock them offline to much quieter reconnaissance. In some cases, they appear to be probing for critical infrastructure systems that could provide opportunities for more dangerous and destructive attacks.


But Norse and Cylance differ on the question of whether the Iranian attacks have accelerated in recent months, or whether Tehran may be pulling back during a critical point in the nuclear negotiations.


Norse, which says it maintains thousands of sensors across the Internet to collect intelligence on attackers’ methods, insists that Iranian hackers have shown no signs of letting up. Between January 2014 and last month, the Norse report said, its sensors picked up a 115 percent increase in attacks launched from Iranian Internet protocol, or I.P., addresses. Norse said that its sensors had detected more than 900 attacks, on average, every day in the first half of March.


Cylance came to a different conclusion, at least for Iran’s activities in the past few months, as negotiations have come to a head. Stuart McClure, the chief executive and founder of Cylance, which has been tracking Iranian hacking groups, said that there had been a notable drop in activity over the past few months, and that the groups were now largely quiet.


American intelligence agencies also monitor the groups, but they do not publicly publish assessments of the activity. Classified National Intelligence Estimates over the past five years have identified Russia and China as the United States’ most sophisticated, and prolific, adversaries in cyberspace.


However, American officials have said that Iran and North Korea concern them the most, not for their sophistication, but because their attacks are aimed more at destruction, as was the case with the attack on Sony Pictures. In addition to the Sands attack last year — about which Mr. Clapper gave no detail in public — Iran has been identified as the source of the 2012 attack on Saudi Aramco, in which hackers wiped out data on 30,000 computers, replacing it with an image of a burning American flag.


American intelligence officials say Iran’s most sophisticated hackers are limited in number, but work for both front companies and the government. The officials are concerned that as destructive attacks become more frequent, the temptation will rise to launch attacks on what the government calls “critical infrastructure,” like railways, power grids or water supplies.


Cylance researchers, for example, noted that Iranian hackers were using tools to spy on and potentially shut down critical control systems and computer networks in the United States, as well as in Canada, Israel, Saudi Arabia, the United Arab Emirates and a handful of other countries. Their targets have included a network that connects Marines and civilians across the United States, as well as networks of oil companies and major airlines and airports.



Norse’s researchers also noted attacks from Iran that were directed at so-called Scada systems — short for supervisory control and data acquisition systems — like the kind that the United States and Israel attacked at Iran’s nuclear enrichment center in Natanz, using code that caused about 1,000 centrifuges to self-destruct.


That strike, often referred to as the Stuxnet attack, may have inspired the Iranians to begin a cycle of retaliation, a recently disclosed memo from Edward J. Snowden’s trove of National Security Agency documents indicates. Norse says it saw evidence that Iranian hackers probed the network of Telvent, a company now owned by Schneider Electric that designs software to allow energy companies and power grid operators to control their valves and switches from afar.


The company’s systems were breached by Chinese military hackers in 2012. Two years later, Norse said, it witnessed 62 attacks, in a span of 10 minutes, from an I.P. address in Iran on a Telvent system that provides the foundation for all of the company’s Scada infrastructure.


“This activity,” Norse researchers wrote, “might be interpreted as an Iranian effort to establish cyberbeachheads in crucial U.S. infrastructure systems — malware that is dormant for now but would allow Iran to damage and destroy those systems if it chose to do so later.”




David E. Sanger reported from Washington, and Nicole Perlroth from San Francisco.



A version of this article appears in print on April 16, 2015, on page A11 of the New York edition with the headline: Iran Is Raising Sophistication and Frequency of Cyberattacks, Study Says.

