Editor’s note: Readers may also be interested in Aaron’s summary of the indictment.

The DOJ indictment of three cyber operators affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC) contains remarkable and unremarkable aspects.

1. Remarkable U.S. government investigative actions

First, the indictment clearly reflects a remarkable investigative effort by the U.S. government and, in all likelihood, allied governmental and non-governmental organizations. To make such detailed allegations and attribute activity to specifically identified actors, investigators had to follow iterative leads, collect large volumes of information, and pierce layer after layer of obfuscation. If human sources were involved, that would mean people put themselves at personal risk to provide information. What’s more, prosecutors working with the investigative team had to find the signal in the noise – the significant bits of information contained within all of that data – to discern chargeable criminal conduct against the alleged perpetrators. That is no easy feat when investigating any conspiracy of online actors, let alone a sophisticated set of operatives backed by a foreign government conducting a years-long covert online campaign.

Note some of the details in the indictment, which echo the indictment of Russian intelligence officers who conspired to interfere in the 2016 presidential election. That indictment, for example, referred to defendants’ physical presence in the “Tower,” a building whose street address in Moscow the indictment listed and which the indictment labeled as a Russian military intelligence facility. The current indictment similarly references the “Malekloo Office” in Tehran as central to the alleged conspiracy and describes the defendants’ presence there. Such details, along with photographs of defendants and details of their backgrounds, demonstrate not only to the grand jury, but to the global audience and the attackers themselves, the long reach of U.S. law enforcement and, presumably, U.S. intelligence services.

2. Remarkable aspects of the Iranian operation

Which brings up the other remarkable aspect of this case. The Iranian operatives, backed by the IRGC (an unconventional internal and external security force of the Iranian revolutionary regime), spent years building personas, establishing infrastructure, and backstopping identities to infiltrate a “supply chain of trust” that gave them access to high-level U.S. government officials, politicians, non-governmental organizations, and, with success, the Trump campaign. To put the time frame in perspective, the operation began two months before COVID was declared a pandemic. (It is alleged to have been motivated, in part, “to avenge the death of Qasem Soleimani” in January 2020, a fact mentioned four times in the indictment.) The operation continued, step by step, to plausibly impersonate individuals that operational targets trusted – for example, by creating online personas of people who were in their contacts list. From there, the indictment lays out how the operatives used cybercrime techniques to conduct a sophisticated intelligence operation and possibly aid in a real-world attack in retaliation for the U.S. killing of Soleimani. The operatives strategically obfuscated their location, compromised new targets, stole diplomatic and political information, conducted “online reconnaissance” of potential targets of physical attack, and maintained “long-term, persistent access” to victims’ accounts, all while conducting a psychological operation against the American public. This was not three guys in a basement.

All that said, the technical components of the operation individually are not as novel as some reports described (see more on that below). It was, however, a well-resourced, well thought through, tenacious endeavor that we should expect of American adversaries.

So what was unremarkable or more normal, as these things go?

3. The continuing threat from foreign governments and the U.S. government response

First, the American public may have grown desensitized to the steady drumbeat of press releases from the Justice Department’s National Security Division and the FBI’s Cyber Division regarding disruptions of foreign governments’ malicious cyber operations. There is extraordinary talent behind these investigations, operations, indictments, and prosecutions, so readers should not yawn when they read the new indictment. They should be alerted to the growing, multifaceted, and imminent threat.

4. Unremarkably nonpartisan U.S. law enforcement

Also unremarkable, or routine, is the non-partisan, non-political nature of the investigation, the indictment, and the unsealing. Anyone who thinks that federal law enforcement officers and prosecutors are “weaponized” political tools should take a look at this indictment. It tells the story of the attackers and the victims, without shying away from where the evidence led – including an allegation that one goal of the IRGC was to undermine the Trump campaign.

One question the indictment does not address is Iranian operatives’ attempts to access accounts of individuals associated with the Biden-Harris Campaign. “The FBI and U.S. intelligence agencies concluded last month that Iran was responsible for recent attempted hacks into both the Trump and the Biden-Harris presidential campaigns” but “they did not see evidence that the efforts to penetrate the email accounts of Biden advisers were successful,” the Washington Post reported yesterday. Last month, Google’s Threat Analysis Group issued a report that APT42, an Iranian state-sponsored cyber espionage group, has attempted to hack both the Biden and Trump Campaigns. The indictment includes a list of the operatives’ failed and successful hacking attempts, the latter including the Trump Campaign. But the former does not include any mention of the Biden-Harris Campaign. That said, there is often a discrepancy between media reports involving unnamed sources and the actual facts of a criminal investigation. There are also times when malicious behavior is known to take place but criminal charges remain unavailable, for example due to evidentiary issues. And of course we do not know what prosecutors may still be working on.

5. Unremarkable cybercrime techniques

Everyone should pay attention to the other unremarkable component of this indictment: the techniques that the Iranian operatives used to carry out their attacks. While most people will not be targeted by a multi-year intelligence operation run by one of the most dangerous nations on Earth (although see this new advisory concerning Iranian targeting), the IRGC-backed operatives used a complicated combination of techniques that are commonplace in cyber crime.

Everyone can learn from this indictment about how everyday cybercriminals operate and how everyday potential victims can protect themselves. And everyone can learn why they may be a target. You may not have a lot of money. You may not be a Chief Executive Officer, diplomat, holder of trade secrets, or writer of corporate checks. You may not consider yourself to be particularly important. You may be right. But someone trusts you. And if someone trusts you, you are part of a supply chain of trust. You represent access. You can be used or impersonated to get to the ultimate target.

In a cyber operation, sometimes all an attacker needs to do to gain a foothold is establish sufficient trust to induce a target to click a link, which appears to be what happened, over and over again, in the operation described in the indictment. After that, an attacker is not only able to load malware and steal information from that target. The attacker can adopt the real account of the victim and send messages from that account. In the “normal” cybercrime world, this is known as a Business Email Compromise (BEC) or Email Account Compromise (EAC). BEC can be a very effective technique, because it leverages trust and relationships that already exist between the initially compromised victims and follow-on targets. An operative can spend time learning how to craft messages that are consistent with usual communication patterns, and when the time is right, can elicit information from a target, direct that target to send information or payment to a fraudulent recipient, or send that target a link or attachment with a malicious payload, giving the operative access to the target’s accounts and devices.

The indictment alleges that the IRGC-backed operatives used Virtual Private Networks (VPNs) and Virtual Private Servers (VPSs) to conceal their location by, for example, replacing their true Internet Protocol (IP) address with new ones corresponding to non-Iranian locations. VPNs and VPSs are readily commercially available. The actors created “doppelganger” email or social media accounts that contained names of real, specific people. That is not difficult, especially as domains and communications services proliferate, and recipients are often tricked into thinking that messages from such addresses are authentic. Misrepresenting location and identity establishes the initial trust relationship that enables further “social engineering” (exploiting human psychology, rather than technical hacking techniques), such as inducing the target to log in to an account or otherwise provide money, login credentials, or other information (such as one victim’s passport information, in the Iranian operation).
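The “doppelganger” accounts described above work because a recipient reads the familiar name and not the exact address. The following is an added example, not code from the article or from any investigation it describes: a small check a mail client or gateway could run against a user’s own trusted-contact list to flag senders whose address is close to, but not the same as, a known correspondent (digit-for-letter swaps, mixed-script characters, or a near-miss domain). The contact addresses, the confusable-character table and the 0.9 similarity threshold are all constructed for the demo.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed trusted-contact list: addresses this user already corresponds with.
TRUSTED_CONTACTS = {
    "jane.doe@example-ngo.org",
    "policy.lead@think-tank.example",
}

# Characters commonly substituted to build a lookalike address (illustrative subset,
# not a complete confusables table).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
})


def skeleton(address):
    """Reduce an address to a comparison form: Unicode-normalized, lower-cased,
    confusable characters folded, and separators removed from the local part."""
    addr = unicodedata.normalize("NFKC", address).strip().lower().translate(CONFUSABLES)
    local, _, domain = addr.rpartition("@")
    for sep in (".", "_", "-"):
        local = local.replace(sep, "")
    return f"{local}@{domain}"


def classify_sender(address, trusted=TRUSTED_CONTACTS, threshold=0.9):
    """Return ("trusted", match) for an exact known address, ("lookalike", match)
    when the address collapses to or closely resembles a known contact, and
    ("unknown", None) otherwise. Lookalikes deserve an explicit warning to the user."""
    if address.lower() in {t.lower() for t in trusted}:
        return "trusted", address.lower()
    sk = skeleton(address)
    best, best_ratio = None, 0.0
    for contact in trusted:
        contact_sk = skeleton(contact)
        if sk == contact_sk:
            # Identical after folding: the only difference is a swapped glyph or separator.
            return "lookalike", contact
        ratio = SequenceMatcher(None, sk, contact_sk).ratio()
        if ratio > best_ratio:
            best, best_ratio = contact, ratio
    if best_ratio >= threshold:
        return "lookalike", best
    return "unknown", None


if __name__ == "__main__":
    for sender in ("jane.doe@example-ngo.org", "jane.d0e@example-ngo.org",
                   "j\u0430ne.doe@example-ngo.org", "jane.doe@example-ngo.co",
                   "someone@random.example"):
        print(sender, "->", classify_sender(sender))
```

The exact-match check runs first so a genuine contact is never flagged; the folded comparison catches glyph and separator tricks, and the similarity ratio catches near-miss domains such as a different top-level domain. A real deployment would extend the confusables table and combine this with sender-authentication results (SPF, DKIM, DMARC) rather than rely on string similarity alone.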

Taking on the identity of a real person – and being able to access their communications, financial, and other accounts – is a big win for any cyber criminal. Because of weaknesses inherent in relying on just a username and password to authenticate that an individual is who they say they are (and can thereby access their account), we are often encouraged to use two-factor authentication (2FA) or multi-factor authentication (MFA) – for example, by entering a code sent by text message or generated by an app. And we should do so (although not all methods are created equal). But the Iranian operatives used an emerging technique that cybercriminals use to defeat MFA – they apparently deployed fake login pages to collect not only a username and password, but also the code or other additional factor used to confirm a user’s identity.
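Why a fake login page can collect a one-time code but cannot collect a phishing-resistant factor comes down to what the server is able to check. The following is an added example, not code from the article: a toy relying-party verifier, written from the server's side, that contrasts a time-based code (accepted on its value alone, so the server cannot tell which page the user typed it into) with an origin-bound assertion of the kind WebAuthn/FIDO2 authenticators produce (the authenticator signs the challenge together with the origin the browser reports, so a signature made on a lookalike domain fails verification). The shared secret, device key, origins, fixed timestamp and HMAC-in-place-of-a-public-key-signature are all constructed simplifications.

```python
import hashlib
import hmac
import json
import struct
import time

# Constructed demo values; a real service holds per-user secrets and the
# authenticator uses a public-key signature rather than an HMAC.
TOTP_SECRET = b"constructed-shared-secret"
DEVICE_KEY = b"constructed-authenticator-key"
RP_ORIGIN = "https://login.example"


def totp(secret, t=None, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1, 30-second step)."""
    counter = int((time.time() if t is None else t) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def verify_totp(submitted, t=None):
    """The server accepts a code purely on its value: nothing in the code
    records where the user entered it, so a relayed code looks identical."""
    return hmac.compare_digest(submitted, totp(TOTP_SECRET, t))


def authenticator_sign(challenge, origin_seen_by_browser):
    """Origin-bound authenticator: the browser supplies the page origin and the
    authenticator signs it together with the server's challenge."""
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser}, sort_keys=True)
    signature = hmac.new(DEVICE_KEY, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": signature}


def verify_origin_bound(assertion, challenge, expected_origin=RP_ORIGIN):
    """The server checks the signed origin and challenge before the signature,
    so an assertion produced on any other origin is rejected."""
    parsed = json.loads(assertion["client_data"])
    if parsed.get("origin") != expected_origin or parsed.get("challenge") != challenge:
        return False
    expected = hmac.new(DEVICE_KEY, assertion["client_data"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(assertion["signature"], expected)


def factor_resistance(lookalike_origin="https://login-example.test"):
    """Model the server's view when each factor is produced on a lookalike page
    and forwarded unchanged. Returns which factor the server would wrongly accept."""
    t = 1_700_000_000  # fixed instant so the demo is deterministic
    relayed_code = totp(TOTP_SECRET, t)          # user typed the code into the wrong page
    code_accepted = verify_totp(relayed_code, t)  # True: server cannot distinguish it

    challenge = "constructed-challenge-123"
    assertion = authenticator_sign(challenge, lookalike_origin)  # browser reports the real origin it is on
    assertion_accepted = verify_origin_bound(assertion, challenge)  # False: origin mismatch
    return {"totp_accepted": code_accepted, "origin_bound_accepted": assertion_accepted}


if __name__ == "__main__":
    print(factor_resistance())
```

The practical reading for defenders is in the two verifier functions: `verify_totp` has no origin to check, so policy and user training are the only controls against a relayed code, whereas `verify_origin_bound` rejects the lookalike origin before it even examines the signature. That is the sense in which not all MFA methods are created equal.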

The indictment also describes more technical aspects of the operation, such as using cloud-based services to host malware, registering fraudulent domains (in other words, web pages) using false identities, and other methods for the operatives to represent themselves as other people, trick targets into exposing themselves to malware, using malware and deception to silently take over computers and accounts, steal information, and compromise new victims. The important take-away here is that the IRGC did not invent any of these methods. These methods have been developed, tested, and refined in the global laboratory of cybercrime. The operation described in the indictment is a complex deployment of a combination of techniques. Those techniques are not novel, and everyone – governments, businesses, and regular people – may be targeted by them.

In many respects, the indictment is a signal. It sends a message to would-be hackers: The U.S. government, and others, can track you down to your home address and know exactly who you are. And it sends a message to would-be victims: understand the threat and learn how to minimize or avoid it.


Photo credit: U.S. Attorney General Merrick Garland (L) and Assistant Attorney General Matthew Olsen (R) hold a news conference on September 27, 2024 to discuss among other issues the indictment involving Iranian interference in the upcoming U.S. elections (Chip Somodevilla/Getty Images)