Ex-cyber officials: Iran may change aggressive policies until it licks its wounds

Iran has acknowledged that at least the explosion at Natanz was likely an attack.

A handout satellite image shows a closeup view of a building damaged by fire at the Natanz nuclear facility in Natanz, Iran July 8, 2020. (photo credit: REUTERS)
The six explosions Iran experienced in recent weeks may be looked back on as a major inflection point in the nuclear standoff between the ayatollahs and the US, Israel and the Saudis.
It will be some time before we get clarity about who did it and how effective the explosions were in slowing Iran’s path to a nuclear bomb or altering its aggressive policy in general.
But The Jerusalem Post spoke to a number of former cyber intelligence officials in Israel and the US, with two going extensively on record about how an insider would understand the events of recent weeks.
Both former IDF cyber intelligence official Yaron Rosen and former US Air Force cyber intelligence official Jeff Bardin, each of whom now also heads highly successful private cyber companies, revealed to the Post deeper perspectives on the issues under debate and which could frame the region’s future.
Retired brigadier-general Rosen, the president of Toka, an IDC Herzliya-ICT senior fellow and former chief of the IDF cyber staff, said that while much of the world is giving Iran extra attention now, the explosions are likely part of “an ongoing campaign” between Tehran and its adversaries.
Iran has acknowledged that at least the explosion at Natanz was likely an attack.
It has not admitted yet whether the other explosions were attacks, sufficing with early amorphous statements about gas leaks.
Addressing who might be behind the explosions – if they were attacks – Rosen said, “it is fair to say that some of this may be a result of cyber operations which were planned in advance by someone, and executed upon the right strategic moment in order to persuade or coerce Iran in many ways.”
In other words, while many analysts have pointed to the April-May Israel-Iran cyber exchange – Iran’s attack on Israel’s water sector and the attack on Iran’s Shahid Rajaee Port, attributed to Israel – as the context for these explosions, cyber sabotage may have been injected into the Islamic Republic’s systems months or years ago, waiting for the right moment.
“Knowing how these things are planned and operated, if they were conducted through cyberspace…if conducted by the US or someone or Israel – it was planned in advance. This is not something which you can just say ‘let me press this red button and it will work,’” said Rosen.
The former cyber intelligence official said some of these attacks would be part of “a multiyear plan, making it a sustainable plan. In cyberspace, you must invest a lot on many avenues. You have to have a very, very high level of intelligence and an operations team which continuously monitors the way the network is operated.
“Only superpowers in cyberspace can invest this type of investment,” he said, citing the US and Israel as having the capability. He dismissed the idea that an Iranian dissident group like the one that claimed credit for some of the attacks – the Homeland Cheetahs – could pull off attacks of this breadth without a major power’s support.
He said hacktivists from such smaller groups “might be capable of DDOS [distributed denial-of-service attack] or defacing… these are shallow and do not cost so much,” but that for these attacks, they could not do them alone.
The scope of the destruction means that “this is not just servers needing to be replaced. Not just DDOS, but tomorrow it will be fine,” noting the attacks “have caused quite a lot of destruction.”
Rosen also said the recent “infrastructure attacks might be a blend. Cyber operations can be an independent operation, but can also be assisting in kinetic operations,” giving a nod to reports that airstrikes or saboteurs with explosives on the ground may have been involved.
There are a few reasons to think that the explosions might have been caused by physical means, and not solely by cyber means without a blend of the two.
“Satellite imagery suggests some of this might have been kinetic and might be connected to Iranian opposition groups,” he said.
But he also explained that because the Islamic Republic’s infrastructure is so old, it could actually be harder to pull off a cyber operation in some cases than a physical one.
“Maybe some of it, the electricity at the power plants… are connected” to a hackable network, “but there are many air gaps” – meaning portions of the infrastructure that are disconnected from any outside network.
He stated that “bridging these air gaps is quite a complex operational scheme to plan,” which could involve gathering vast intelligence to map out what is networked and what is not, then coming up with a tailored plan to bridge each air gap and then having to send a team on the ground to effectuate the bridging.
Regarding the Saudis, he pointed out that their oil industry was not only hit by Iran in September 2019, but also likely in 2012 and 2017 when state oil giant Saudi Aramco was hacked.
Though he said it was unclear whether the Saudis had the cyber capabilities to pull off the current round of attacks, they definitely had the motivation, and “it might just be easier for the Saudis to pay opposition groups to execute a physical attack.”
A HUGE question has been how the Iranians will react – both in terms of whether they will retaliate and whether the explosions have been effective in pushing Tehran to change some of its policies.
To answer these questions, we need to know if the Iranians even know who hit them.
Sure, in public, some of their officials have slammed the US and Israel as the usual suspects.
But do they really know whether it was the US, Israel, the Saudis or whoever the Homeland Cheetahs are?
After all, at least until around 2015, even US and Israeli cyber officials said attributing cyberattacks by nation states could be impossible.
However, that has changed over the last few years.
Are Iran’s cyber capabilities able to cut through potential elaborate cyber schemes to shield who attacked?
Rosen said: “I would not disregard in any way the Iranian capability. They may over the long term have the capability to attribute. But you don’t always say the attribution… you choose the time and place and the other side will know or not know if it’s you [responding].”
In terms of policy, Rosen predicted that with “everyone pushing so many buttons, coercing them to change their behavior… they might change some of their priorities in the short term in order to survive.”
Rosen’s Toka firm “develops groundbreaking intelligence gathering technologies that empower law enforcement and intelligence agencies,” which gives him a continuing insider perspective on the issues.
Regarding the overall impact on Iran, nuclear experts are careful to point out that Iran’s low-level enriched uranium stock – enough for one to two nuclear bombs if weaponized – was not touched.
But former Mossad chief of analysis Sima Shine has said the real pain for Iran is that its future nuclear capabilities and platforms for projecting threats and power have been significantly harmed.
FORMER US cyber official Jeff Bardin is currently chief intelligence officer of Treadstone 71, a cyber intelligence company that advises Middle East organizations and multinational corporations.
Like Rosen, he suggests that kinetic attacks were at least involved alongside cyber or that the attacks might have been overwhelmingly physical attacks.
Bardin told the Post that “UF6 [feedstock for centrifuge machines that enrich uranium] is not flammable, nor combustible and that it is highly toxic and it changes to vapors when mixed with water.”
His hypothesis was that the operational goal was to “create an explosion to destroy the new centrifuges as much as possible… start a fire and the fire must be put out with water. White vapor clouds would have been present yet hard to see at night when the explosion occurred. The likelihood of a cyberattack seems low in this case based on the massive explosion, yet not ruled out.”
In contrast, Bardin said his belief, based on insider experience but not on any insider evidence, was “that a cyberattack would have exposed the capabilities of the perpetrator to the point that other embedded malware or areas within Iran would be discovered. Once you execute a cyberattack, the tracks can be followed.”
He said the only exception to that rule would be if “you can trigger an explosion to destroy the [cyber footprint] tracks at least locally.”
However, he did not give Tehran quite the same credit as Rosen regarding the ability to attribute a nation-state-level cyberattack.
He said Iran could not attribute “on the same scale” as the US and Israel “although they are getting better. I just do not see the technical capabilities to perform the same level of attribution. Sanctions and limitations on technology transfers limit how fast they can improve, yet – the West continues to sell into Iran.”
The former US cyber intelligence official said whoever the attacker was wanted the world to know about the incident.
“You cannot hide the explosions, so yes. This reflects poorly on Iranian leadership, regardless of the reasons,” he said, adding that internal technical mistakes would mean incompetence and external cyberattacks would mean “you cannot protect us after all your promises to the contrary.”
If there were external kinetic attacks, Iranians will ask: “How did they get past all our defenses whether aircraft or boots on the ground?”
Another point he flagged was, “This is a supply chain disruption of very visible proportions… to destroy, disrupt and delay weapons production” both on the nuclear and conventional planes.
He identified the sites that have been hit as harming Iran in the following areas: nuclear warheads and associated missiles; uranium enrichment; reduction/removal of enrichment technology (new centrifuges and the like); reduction/removal of enrichment ingredients (UF6); academics and/or technology used (the Sina site gas explosion); and, with the Ahvaz power plant fire, the Darkhovin nuclear power plant.
Bardin speculated that the Homeland Cheetahs “could be an MEK [People’s Mujahedin of Iran, which calls for the overthrow of Iran’s clerical leaders] for boots on the ground supported by Israeli and US intelligence for physical activities. This plays into the same game Iran plays with proxies. Get a proxy to do the work, [have it] come out with a statement claiming responsibility, and then deny.”
At the same time, he pointed out that “the Cheetahs have not popped back up since the initial statements. My bet would be a joint US-Israeli action.”
Also, Bardin suggested that the regime needs someone to blame – “This to me, means someone like MEK or the Homeland Cheetahs, who could be their own made-up group,” though he cautioned the picture is still ambiguous.
Bardin said if the Islamic Republic responded, “against US interests, this will bolster [US President Donald] Trump to respond and enhance his base, giving him greater approval. I do not believe they want this.
“They may have to ‘eat crow’ for a bit and understand that when you throw a stone at the Israelis, they respond with multiple boulders... If they complain too loudly about their nuclear facilities, the IAEA [International Atomic Energy Agency] will want access to learn more. They will have to provide evidence – of sensitive areas.”
Not that he expects complete silence from Iran, stating, “They may increase some cyber activities such as disinformation and media manipulation.”
He has also previously warned that Iran may now be using reverse-engineered versions of the Stuxnet malware code against its adversaries, that cyber retaliation is more viable than other retaliation during the pandemic and that the regime is sometimes “aggressive and reckless in cyberspace.”
Moreover, he has said that a series of cyber exchanges between Iran and its adversaries, even if Tehran loses short term, can serve the purpose of “forcing Israel to show its hand. Iran will learn from Israel’s counterattacks in order to shore up its own digital defenses and gauge Israel’s offensive capabilities.”
The picture is still hazy.
Yet, in addition to both former cyber intelligence officials agreeing that a powerful nation-state was behind at least some of the explosions and wanted the world to know about it, they both agreed that Iran suffered a real blow.
While the regime cannot be expected to turn the other cheek, the officials agreed that Iran may be deterred from a full retaliation and may even change some of its aggressive policies for some period of time until it has had a chance to lick its wounds.