In June of 2011, someone broke into the computer networks of a Dutch company called DigiNotar. Inside the networks the hacker generated and stole hundreds of digital certificates—electronic credentials that Internet browsers must receive from network servers as proof of a Web site’s identity before encrypted data can flow back and forth between a computer and the site. Digital certificates had been stolen before but never in such quantity. Whoever was behind the DigiNotar hack could have broken into other networks and used the stolen certificates to intercept Web traffic anywhere and to conduct surveillance on anyone. They could have stolen information worth millions of dollars or unearthed the secrets of some of the world’s most powerful people. But instead, for two months, the hackers who controlled DigiNotar’s certificates, apparently in Iran, conducted “man in the middle” attacks on Iranian connections to and from sites including Google, Microsoft, Facebook, Skype, Twitter, and—notably—Tor, which provides anonymizing software that many dissidents in Iran have used to elude state surveillance. The hackers were intent on intercepting the e-mails, passwords, and files of ordinary Iranians.
A 21-year-old in Tehran who goes by the name of Comodohacker took responsibility for the DigiNotar breach. In an online posting, he claimed the hack was revenge for an episode in the Balkan wars when Dutch soldiers surrendered Muslims to Serb militias; the Muslims were summarily executed. But the scale and focus of this event—in one month alone, 300,000 people in Iran who connected to Google were vulnerable to hacking via stolen DigiNotar certificates—led many to believe that the Iranian government had engineered the DigiNotar breach itself, using Comodohacker as camouflage. One analyst who spent months investigating the event scoffs at the young man’s claim of responsibility. “Twenty-one-year-old hackers are the new stealth,” he says—meaning that militaries use hackers to hide their operations the same way they use advanced design to hide bombers. (After details of the DigiNotar hack were made public, the company went bankrupt.)
The U.S. began cultivating cyber-capabilities as an adjunct to its diplomatic, intelligence, and military operations. Iran’s initial impetus was to suppress domestic dissent, especially in the wake of the 2009 Green Revolution protests, when citizens took to the streets to dispute the re-election of President Mahmoud Ahmadinejad. But ever since the Stuxnet attack, Iran has been enhancing its cyber-warfare capability. Public remarks by government leaders in March 2011 indicated that the Iranian Revolutionary Guard had created a cyber unit to coordinate offensive attacks on “enemy sites.” In March 2012, Ayatollah Ali Khamenei established the High Council of Cyberspace; reportedly, Iran is spending $1 billion on building cyber-capabilities.
Asymmetric warfare—unconventional, guerrilla-style attacks on more powerful adversaries, such as the U.S.—is a cornerstone of Iranian military doctrine. The Revolutionary Guard has ties to terrorist organizations and to prominent hacker groups both in Iran and around the world. Iran may be receiving support for its cyber-operations not only from Russia but also from China and the terrorist network Hezbollah. A top hacker with many well-placed friends in the U.S. government says, “I hear Iran pays Russian guys millions to do the attacks, and the guys are living high, flying in prostitutes from all over.” Who told him this? “Nobody who would talk to you,” he says. Other dramatic but plausible speculation abounds. One high-level Lebanese political operative believes that the Revolutionary Guard runs its cyber-operations from a six-story underground bunker in a Hezbollah-controlled neighborhood of Beirut called Haret Hreik. Lebanon’s absence of any laws against cyber-crime or hacking would make it an appealing launching pad for operations. “Consider how Iran uses Hezbollah as a platform for many critical activities,” the Lebanese operative notes. “We say, ‘Lebanon is the lungs through which Iran breathes.’ Iran wouldn’t breathe these attacks with its own lungs. They need a way to answer Stuxnet without having to answer for what they are doing. Hezbollah is the way.”
As recently as February of 2012, U.S. defense officials privately dismissed Iran’s cyber-warfare efforts as trifling. By August, many had come to believe that the aramco hack showed that Iran was learning fast. In essence, the aramco attack was a mirror image of what had happened when Wiper shut down Kharg Island. Before aramco, Kharg had been the only major cyber-attack on record whose goal was to annihilate data rather than to steal or alter it. The worm that struck aramco, named Shamoon (a word found in the program, the Arabic version of the proper name Simon), adopted this same tactic. Kaspersky believes that Shamoon was a copycat, inspired by the Kharg Island hack. In its attack technique, if not in its actual code, Shamoon anticipates the well-known boomerang effect in weaponry: adaptation and re-deployment of a weapon against the country that first launched it.
Two weeks after the aramco attack, Qatar’s state-owned natural-gas company, RasGas, was also hit by malware. Unconfirmed reports say that the cyber-weapon used was also Shamoon. Qatar, home to three U.S. military bases, is among America’s closest allies in the Middle East and, therefore, another convenient proxy target.
During the second week of September 2012, a new spate of cyber-attacks against American interests began. This time, the targets were on American soil: U.S. banks. A previously unknown group calling itself the Izz ad-Din al-Qassam Cyber Fighters and presenting itself as an organization of Sunni jihadists made an online posting written in broken English, referring to an anti-Islamic video on YouTube called “Innocence of Muslims” that had sparked riots in the Muslim world the week before. The posting stated that “Muslims must do whatever is necessary to stop spreading this movie All the Muslim youths who are active in the Cyber world will attack to American and Zionist Web bases as much as needed such that they say that they are sorry about that insult.”
If Qassam really were a Sunni jihadist group, then Iran, a predominantly Shiite nation, would hardly have been involved. But the jihadist flavoring appears to be a false flag. As one U.S. intelligence analyst points out, none of the language used in Qassam’s public communication bears any resemblance to the standard language of jihadist groups. There was no trace of Qassam’s formation in any Sunni, jihadist, or al-Qaeda online forums. And the name Qassam itself refers to a Muslim cleric who has significance for Palestinians and Hamas but not for jihadists. “Everything is wrong,” this analyst says. “It looks manufactured.”
Qassam announced that it would inundate Bank of America and the New York Stock Exchange with distributed-denial-of-service (DDoS) attacks. Such attacks seek to crash a Web site or induce the failure of a computer network by making an overwhelming number of requests for connections. Qassam proceeded to expand its targets to include many more banks, including SunTrust, Regions Financial, Webster Financial Corporation, JPMorgan Chase, CitiGroup, Wells Fargo, U.S. Bancorp, Capital One, PNC, Fifth Third Bank, HSBC, and BB&T. Qassam knocked at least five of these banks’ Web sites off-line, though most of the banks have said that no money or information was stolen. In October, PNC bank C.E.O. James Rohr stated that “we had the longest attack of all the banks” and warned that “cyber-attacks are a very real, living thing, and if we think we are safe that way, we’re just kidding ourselves.” Shortly afterward, the attacks on PNC escalated, causing further problems. Neither Rohr nor any other high-level executive of any victim bank has since made any such conspicuous and pointed statement. “The lesson from Rohr’s statement was, don’t talk,” says one former national-security official.
As an attack technique, DDoS is primitive, and the impact is usually evanescent. But the difference between Qassam’s DDoS and previous attacks was like the difference between a crowded parking lot at the mall and a full-on, road-rage-inducing L.A. traffic jam on Memorial Day weekend. Qassam’s DDoS was especially effective—and, for its victims, especially damaging—because it hijacked entire data centers full of servers to do its work, generating 10 times more traffic than the largest hacktivist DDoS previously recorded. (That was Operation Avenge Assange, launched by Anonymous in defense of Wikileaks, in December 2010.)
To absorb the gargantuan volume of traffic coming their way, banks had to buy more bandwidth, which telecommunication companies had to create and provide. Telecoms have borne the brunt of these battles, just as the banks have, spending large sums to expand their networks, and to strengthen or replace hardware associated with their “scrubber” services, which absorb DDoS traffic. Qassam’s first wave of attacks was so intense that it reportedly broke the scrubbers of one of this country’s largest and best-known telecom companies. In December, AT&T executive director of technology security Michael Singer reportedly stated that the attacks posed a growing threat to the telecommunications infrastructure, and that the company’s chief security officer, Ed Amoroso, had reached out to government and peer companies to collaborate in defending against the attacks. Neither Amoroso nor any of his peers have provided specific information about the damage done or the exact cost to telecom companies. (Amoroso declined to comment.)
Qassam Cyber Fighters, like Comodohacker and the Cutting Sword of Justice, launched attacks that were technically unsophisticated enough that they could have been executed by any talented hacktivist or criminal group. But the context, timing, techniques, and targets of Qassam’s DDoS all but implicate Iran or its allies. The unpublished research of one cyber-security analyst provides some concrete though circumstantial evidence connecting the bank attacks to Iran. A few weeks prior to the start of the attacks, in September, several individual hackers in Tehran and an Iranian hacker living in New York bragged of having created the same kind of attack tools that Qassam would use. The hackers made postings online offering those tools for sale or rent. The postings were then mysteriously deleted. A hacker in Iran who appeared to be the prime mover in this group goes by the name of Mormoroth. Some of the information concerning these attack tools was posted to his blog; the blog has since disappeared. His Facebook page includes pictures of himself and his hacker friends in swaggering poses reminiscent of Reservoir Dogs. Also on Facebook, his hacking group’s page bears the slogan “Security is like sex, once you’re penetrated, you’re fucked.”
Communications from Qassam have been traced to a server in Russia that had only once previously been used for illicit activity. This might indicate that Qassam’s attacks were planned with greater care and deliberateness than is typical of hacktivist or criminal intrusions, which usually come from servers where illicit activity is common. This I.P. address, however, like almost all tracebacks of Web traffic, could easily have been faked. Whoever they are, the Qassam Cyber Fighters have a sense of humor. Some of the computers they leveraged for use in the bank attacks were located inside the U.S. Department of Homeland Security.
Critically, two other things distinguish Qassam, according to an analyst who works for several victim banks. First, each time the banks and Internet-service providers figure out how to block the attacks, the attackers find a way around the shields. “Adaptation is atypical,” he says, and it may indicate that Qassam has the resources and support more often associated with state-sponsored hackers than with hacktivists. Second, the attacks appear to have no criminal motive, such as fraud or robbery, suggesting that Qassam may be interested more in making headlines than in causing truly meaningful harm. The researcher points out that, for all the hassle and financial damage Qassam has caused its victims, its main accomplishment has been to make news pointing up American weakness in the cyber realm at a time when the U.S. wants to demonstrate strength.
The U.S. banking leadership is said to be extremely unhappy at being stuck with the cost of remediation—which in the case of one specific bank amounts to well over $10 million. The banks view such costs as, effectively, an unlegislated tax in support of U.S. covert activities against Iran. The banks “want help turning [the DDoS] off, and the U.S. government is really struggling with how to do that. It’s all brand-new ground,” says a former national-security official. And banks are not the only organizations that are paying the price. As its waves of attacks continue, Qassam has targeted more banks (not only in the U.S., but also in Europe and Asia) as well as brokerages, credit-card companies, and D.N.S. servers that are part of the Internet’s physical backbone.
For a major bank, $10 million is a drop in the bucket. But bank executives, and current and former government officials, see the recent attacks as shots across the bow: demonstrations of power and a portent of what might come next. One former C.I.A. officer says of the conflict thus far, “It’s like the fingernail full of coke, to show that you’re dealing with the real thing.” Of the bank attacks in particular, a former national-security official says, “If you’re sitting in the White House and you can’t see that as a message, I think you’re deaf, dumb, and blind.”
Another hack, which occurred even as the bank attacks continued through the spring, delivered a still more dramatic financial threat, although its ultimate source was difficult to discern. On April 23, the Twitter account of the Associated Press sent this message: “Breaking: Two Explosions in the White House and Barack Obama Is Injured.” Faced with this news, the Dow Jones Industrial Average dropped 150 points—the equivalent of $136 billion in value—within a matter of minutes. Upon learning that the information was false—and that the A.P.’s Twitter account had simply been hacked—the markets rebounded. A group calling itself the Syrian Electronic Army (S.E.A.) claimed credit for the disruption.
But did the S.E.A. act alone? Previously, the S.E.A. had hacked the Twitter accounts of several other news organizations, including the BBC, Al Jazeera, NPR, and CBS. But none of its hacks had taken aim at, or caused any collateral damage to, the U.S. financial system. That distinction had previously belonged only to the Qassam Cyber Fighters, who, as noted, likely have Iranian ties.
One Middle Eastern cyber-analyst in London has said that “there are strong indications that members of [S.E.A.] are trained by Iranian experts.” And an American analyst pointed out that the A.P. hack—which used information warfare to cause financial damage—not only resembles Qassam’s technique but also mirrors Iran’s own perception of what the U.S. has done to the Islamic Republic. (Last year, before Qassam began its attacks on the banks, state-run Iranian media asserted that the U.S. had driven Iran’s currency to the brink of collapse by telling lies about Iran.) At this point, there’s no solid evidence that Iran was party to the A.P. hack, but among the list of plausible scenarios, none is comforting. Perhaps, with Iran’s help or urging, the S.E.A. continued Qassam’s experimentation with threats on the U.S. financial system. Perhaps the S.E.A. learned from Qassam’s bank attacks and launched an independent operation on the same model. Or perhaps whoever hacked the A.P. had no financial outcome in mind at all—it was just a $136 billion aftershock.