
4/24/15

FAQ: The Iranian cyberthreat and the AEI/Norse report

Last week, AEI’s Critical Threats Project in partnership with Norse Corporation released, “The growing cyberthreat from Iran: The initial report of Project Pistachio Harvest.” Unsurprisingly for a report with 23,000 words, 100 endnotes and 120 gigabytes of data (check it all out at http://ift.tt/1DY96kp), interest has taken many forms, including praise and criticism. For the praise, thank you to all the insightful readers who appreciated the work and the information. For the more serious critiques, some clarity:

  • Innocent port-scans of Norse sensors are not counted as “attacks.” Norse systems filter such port-scans out of the data we used to compile this report. We explicitly note the cases in which we discuss attacks that occurred in the context of firewalking, a less-than-innocent form of port-scanning, and caveat the conclusions in those cases.
  • Not port-scans, but systematic efforts: The examples we explored most deeply included interactions with one or two ports each on hundreds of different Norse sensors. In another case, they were extremely stealthy interactions spread out over a number of different originating IP addresses and hitting a number of different sensors. To put this in the vernacular, many are tempted to glance into open windows, but few actually turn around and walk by another 100 times. And change clothes each time. And bring a camera.
  • Yes, Virginia, Iranians are looking for vulnerable industrial control systems: Don’t read what others are saying about the report, read the report itself. Nowhere do we claim that our data show that Iran has attacked industrial control systems or hacked into the network of Telvent, one of the more important providers of such systems. Rather, a Norse sensor emulating such a system received 62 attempts to interact with that system in one burst from an IP address that was not scanning any other ports on the sensor. For reasons we explain in the report at length, we regard such interactions as indications of malign intent.
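The three bullets above draw a line between a broad port-scan (filtered out), few-ports-many-sensors probing, and a repeated burst at a single emulated service. The following is an added illustration, not code from the report or from Norse: it classifies per-source honeypot sensor events along those lines using constructed events and made-up thresholds (20 ports, 50 sensors, 30 hits in 5 minutes), so that a defender can see how each pattern separates from the others.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor events (timestamp, source_ip, sensor_id, dst_port).
# All addresses, sensor names and counts are made up for illustration.
def make_events():
    t0 = datetime(2015, 4, 1, 12, 0, 0)
    ev = []
    # A: one source sweeps 40 ports on a single sensor (a classic port-scan)
    for p in range(1, 41):
        ev.append((t0 + timedelta(seconds=p), "198.51.100.10", "sensor-001", p))
    # B: one source touches a single port on 120 different sensors
    for s in range(120):
        ev.append((t0 + timedelta(minutes=s), "203.0.113.7", f"sensor-{s:03d}", 502))
    # C: one source hits one emulated-ICS port on one sensor 62 times in a burst
    for i in range(62):
        ev.append((t0 + timedelta(seconds=i), "192.0.2.33", "sensor-ics", 20000))
    return ev

def has_burst(timestamps, hits, window):
    """True if any `hits` consecutive events fall within `window`."""
    ts = sorted(timestamps)
    return any(ts[i + hits - 1] - ts[i] <= window for i in range(len(ts) - hits + 1))

def classify_sources(events, scan_ports=20, min_sensors=50,
                     burst_hits=30, burst_window=timedelta(minutes=5)):
    ports = defaultdict(lambda: defaultdict(set))   # src -> sensor -> ports seen
    times = defaultdict(lambda: defaultdict(list))  # src -> sensor -> timestamps
    for ts, src, sensor, port in events:
        ports[src][sensor].add(port)
        times[src][sensor].append(ts)
    verdicts = {}
    for src, per_sensor in ports.items():
        if max(len(p) for p in per_sensor.values()) >= scan_ports:
            verdicts[src] = "port_scan"          # broad sweep: filtered, not an attack
        elif len(per_sensor) >= min_sensors:
            verdicts[src] = "systematic_probe"   # one or two ports each, many sensors
        elif any(len(per_sensor[s]) == 1 and has_burst(t, burst_hits, burst_window)
                 for s, t in times[src].items()):
            verdicts[src] = "targeted_burst"     # one service, repeated in a burst
        else:
            verdicts[src] = "low_signal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(make_events()).items():
        print(f"{src:15} {verdict}")
```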

The basic conclusions in our report are not controversial in the cyber-security community. In December 2014, cyber-security firm Cylance published a report on what it called Operation Cleaver, with a sub-head, “Iran is the new China,” and the bottom-line-up-front: “Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.” (For those who follow these issues carefully, Cylance analysts report that the specific hacker groups they were studying seem to have stood down over the last few months. That is interesting, but not relevant to the larger trend we identify based on our differently-collected data, i.e. that the overall number of attacks from Iran, not just from a given group of hackers, has steadily increased over the past couple of years.)

The 2013 Saffron Rose report by FireEye also came to a similar conclusion with regard to the single hacking group it examined: “The increased politicization of the Ajax Security Team, and the transition from nuisance defacements to operations against internal dissidents and foreign targets, coincides with moves by Iran aimed at increasing offensive cyber capabilities. While the relationship between actors such as the Ajax Security Team and the Iranian government is unknown, their activities appear to align with Iranian government political objectives.” That conclusion is virtually identical to the conclusion we drew about a different Iranian hacking collective, Ashiyane, except that the European Union officially sanctioned Ashiyane’s leader and announced its conclusion that Ashiyane is, in fact, aligned with Iran’s Islamic Revolutionary Guard Corps.

Finally, for conspiracy-junkies who believe that this report is intended to derail the ongoing nuclear negotiations between the US, others, and Iran… we must ask: Seriously? A long and complex report about Iranian cyber activity…published after the announcement of an agreement on the nuclear deal…after the president said he would sign a bill requiring Congressional approval for a deal…and after the Senate Foreign Relations Committee passed that bill unanimously…that said nothing whatever about the negotiations and made only obvious points about sanctions relief…would have…what? Persuaded the president to call the whole thing off? Made the Iranians walk away from the table? Nuts.

The Islamic Republic of Iran is a dangerous regime engaged in all manner of military build-up. Cyber is part of that build-up, a fact the regime itself repeatedly declares. Serious national security and cyber professionals are talking about how to keep Americans safe from it. That’s the conversation we seek to encourage and inform.

Follow AEIdeas on Twitter at @AEIdeas.



from AEI » Latest Content http://ift.tt/1I4gMEM
