Iran-backed cyber attackers taking aim at Australia

The Australian – November 21, 2018

Australian shipbuilder and defence contractor Austal last month had a breach of its systems and a subsequent extortion attempt. 

The perpetrators have not been identified but sources say the attack emanated from the Middle East. The ABC reported that, according to the Australian Cyber Security Centre, an Iranian group was most likely responsible.

While Australia has yet to be targeted by more substantial Iranian cyber-attacks against infrastructure and financial institutions, like the US or Saudi Arabia, it has been the victim of several “independent” hacking groups that operate as fronts for the cybercrime of Iran’s Islamic Revolutionary Guards Corps and intelligence agencies.

One of these Iranian front groups, known as Cobalt Dickens, was reported recently to be behind attempts to hack into Australian universities and databases to steal secret research as part of a global operation targeting universities in almost every Australian city. According to Alex Tilley, a senior researcher at cybersecurity firm SecureWorks, the pattern fits attacks by Cobalt Dickens.

A similar and far more expansive operation by the Mabna Institute, an IRGC front for stealing academic credentials and research, targeted up to 26 Australian universities between 2013 and last year. The US charged nine Iranians involved in the operation, claiming they stole more than 31 terabytes of data from about 150 universities and dozens of companies and government agencies in the US, and login credentials for thousands of academics from more than 300 academic institutions across 22 countries. The stolen data is valued in the billions of dollars.

News agency Reuters recently uncovered Iran’s ability to interfere in election processes. Like Russia, which has used organised networks of bots and trolls to try to influence elections in the US, Europe, and on a smaller level, Australia, Iran has been running influence operations via its International Union of Virtual Media for years.

Using dozens of websites, YouTube accounts and hundreds of social media profiles across multiple platforms, the IUVM laundered pro-Iran talking points through “alternative” media channels in at least 11 languages.

Facebook, Twitter and Google have been working to remove traces of the IUVM on their platforms. Google has built on the investigative work of cybersecurity firms FireEye and ClearSky to identify actors linked to the Islamic Republic of Iran Broadcasting amplifying Iranian propaganda.

As a vital member of the Five Eyes signals intelligence alliance and a strong partner of both the US and Israel, Australia should be prepared to also deal with the more dangerous end of Iran’s offensive cyber capacity.

Although China is Australia’s most immediate concern in cyberspace, Iran has the capabilities to pose a threat should it choose to do so. Former prime minister Malcolm Turnbull specifically cited Iranian attacks in his speech announcing the opening of a national cybersecurity centre in order to avoid a “perfect cyber storm”.

A recent investigation into the intelligence fiasco between 2009 and 2013 that ended in the murder of dozens of CIA informants and the roll-up of US intelligence networks in China revealed the compromise actually began in Iran, and the two countries may have co-operated.

High-level officials from Russia, China and Iran were discussing cyber issues at the time, which some US intel officials believe was the beginnings of an anti-Five Eyes alliance between the three.

Germany’s domestic intelligence agency, BfV, this year reported a sharp rise in Iranian cyber attacks against the country, putting Iran on the same level as China and Russia as the most persistent cyber threat.

“Iran’s cyber activities have been the most consequential, costly and aggressive in the history of the internet, more so than Russia,” a former national intelligence manager for Iran at the US Office of the Director of National Intelligence said.

In 2013, hackers linked to Iran by the cybersecurity firm Cylance penetrated the networks of US power producer Calpine Corps and stole enough information to disrupt the energy grid and shut down power plants.

Beginning in 2011, hackers working for two Iranian security companies launched co-ordinated attacks against the US financial system. One gained access to the server controlling a dam in New York. They didn’t take control of the dam but they did damage the computer systems.

Iran was also suspected of cyber attacks against the Saudi oil giant Aramco between 2012 and this year.

Australia also has troops stationed in Iraq and Afghanistan operating near Iranian proxies, whose cyber capabilities have also drastically increased with Iranian assistance, and who could be used to endanger Australians.

Iran may be more commonly known for its sponsorship of terrorism and the illegal pursuit of nuclear weapons, but its expanding and destructive role as a potent cyber threat to the West must be addressed.

Oved Lobel is a policy analyst at the Australia/Israel & Jewish Affairs Council.