WASHINGTON — On Thursday evening, U.S. Cyber Command launched a retaliatory digital strike against an Iranian spy group that supported last week’s limpet mine attacks on commercial ships, according to two former intelligence officials.
The group, which has ties to the Iranian Revolutionary Guard Corps, has over the past several years digitally tracked and targeted military and civilian ships passing through the economically important Strait of Hormuz, through which pass 17.4 million barrels of oil per day. Those capabilities, which have advanced over time, enabled attacks on vessels in the region for several years.
Though sources declined to provide any further details of the retaliatory cyber operation, the response highlights how the Persian Gulf has become a staging ground for escalating digital — as well as conventional — conflict, with both the United States and Iran trying to get the upper hand with cyber capabilities.
The retaliatory cyber response follows several weeks of mounting tension in the region, which appeared set to boil over after last week’s attacks on two oil tankers in the Gulf. U.S. officials blamed Iran for the attacks and threatened to strike back if U.S. interests in the region were harmed. Then, on Thursday, Iranians shot down a $240 million U.S. military drone.
In response, President Trump initially authorized — but then decided against — targeted military strikes on Thursday night. He said in a series of tweets Friday morning that he pulled back before any missiles were launched when he learned 150 Iranians might die.
Meanwhile, multiple private U.S. cyber intelligence firms have reported attempts by Iranian hackers in recent weeks to infiltrate American organizations. U.S. officials told the Wall Street Journal they fear heightened escalations not only in physical space but in cyberspace as well.
The National Security Council declined to comment on the Iranian cyber group or the U.S. Cyber Command response. The National Security Agency, U.S. Central Command and the Navy all directed Yahoo News to U.S. Cyber Command for comment. Cyber Command did not immediately respond to a request for comment. Heather Babb, a Pentagon spokeswoman, told Yahoo News that “as a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence or planning.”
Iran’s cyber capabilities are not the most sophisticated, at least compared to the United States’, but they are getting better. Tehran’s ability to gather information and unleash offensive operations has developed significantly in the last decade or so, particularly after Iranian centrifuges at the Natanz uranium enrichment plant were struck by a malicious computer worm created by U.S. and Israeli intelligence and first revealed in 2010.
“After the Stuxnet event, Iran really cranked up its capability,” said Gary Brown, who served as the first senior legal counsel for U.S. Cyber Command and is currently a professor on cyber law at the National Defense University. Brown cited Iran’s cyberattacks on global financial institutions, Saudi Aramco and the Sands Casino. While unfamiliar with current activities, Brown told Yahoo News that Cyber Command has long been interested in Iranian cyber capabilities and “undoubtedly they’re continuing to track them.”
The Persian Gulf and the Strait of Hormuz, the narrow bodies of water separating Iran from the United Arab Emirates and Bahrain, which is home to the U.S. Navy’s 5th Fleet, are obvious intelligence targets for Iran.
“Frankly it’s going to be standard ops for them to track who’s going in and out of the Gulf, to track all U.S. and allied warships going through, whether it’s the aircraft carriers or whatever, they’re going to track that very, very closely,” said retired Army Maj. Gen. Mark Quantock, who was Central Command’s director of intelligence from 2016 to 2017.
Given its lack of traditional military resources, at least compared to the West, Iran has been relatively creative in how it gathers that information. In recent years, according to John Hultquist, the director of intelligence for threat intelligence firm FireEye, Iranian cyberspies have targeted U.S. Navy sailors, particularly those in the 5th Fleet, to gather information.
One method those operators used was to assume false personas on social media for “honey-potting” or catfishing operations. “They use social media to look for vulnerable sailors on ships … our Navy ships and probably other people’s navy ships too,” said James Lewis, a cyber expert at the Washington, D.C.-based Center for Strategic and International Studies.
The Iranians would pretend to be attractive young women looking to connect with a “lonely seaman” to gather intelligence about ship movements, according to three former U.S. intelligence officials familiar with the operations. The attempts weren’t limited to Facebook; some of the efforts extended to Pinterest and other niche social networking sites.
There were “many” successful examples of these Iranian cyber honey-pot operations, said one former intelligence official. “They were doing it at scale.”
Naval personnel would divulge information of various levels of sensitivity — such as when and where they were traveling — while ignorant of the true identity of their interlocutors, said the former official. In addition to helping the Iranians track the movement of U.S. ships and personnel, these operations also helped them build out organizational charts of U.S. military units, the former official said.
Iran’s targeting efforts in this area became notably more sophisticated in recent years, according to the former intelligence official. Cruder past efforts — featuring profile pictures of women in bikinis, who would immediately ask U.S. military personnel for information on when they were coming to port — gave way to a subtler, more time-consuming approach. The Iranians employed pictures of attractive, but fully clothed, women who would strike up online conversations with American servicemen over weeks, developing the fictitious relationships in order to nudge them into volunteering the desired intelligence.
“There was a pretty substantial campaign going all the way up to [U.S. Navy] leadership at one point,” said Hultquist. FireEye has analyzed one Iranian group it calls Newscaster that has frequently used fake social media profiles to gather information and has been tied to at least one destructive attack, he told Yahoo News.
The Department of Justice revealed a similar Iranian intelligence-gathering method in its recent indictment against former Air Force Special Agent and counterintelligence officer Monica Witt, who defected to Iran in August 2013.
After Witt defected, Iranian officers targeted current and former U.S. government officials using “fictitious and imposter personas” created on Facebook and through email, according to the indictment. Improvements to Iran’s targeting programs over social media coincided roughly with Witt’s defection, and her insights into U.S. practices almost certainly helped catalyze some of these changes, said two former officials.
However, social media was not the only method the cyberspies used to keep track of ships in the region. They would also track U.S. naval movements by hacking into ship-tracking websites, according to one former intelligence officer.
Iranian intelligence officers are also capable of hijacking digital systems used in drones, and potentially even in ships, to spoof the GPS location of the device and plug in false coordinates. “They’ve been thinking a lot about drone capture because we’ve been flying drones over them for years,” said Lewis.
In 2011, Iran claimed to have achieved this capability and said it redirected an American drone to Iran’s shores. Two former intelligence officials confirmed Iran is capable of doing this and noted that this tactic could be useful in fooling a ship’s automatic tracking system.
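The passage above describes false coordinates being fed into a tracking system. One defensive measure a tracking system can apply is a plausibility check on consecutive position reports: if the distance between two fixes implies a speed no real vessel could reach, the later fix is suspect. The following is an added illustration, not code from the article or from any navy or vendor system; the track coordinates, timestamps and the 30-knot ceiling are constructed sample values chosen for the example.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Mean Earth radius in nautical miles, used so speeds come out in knots.
EARTH_RADIUS_NM = 3440.065


@dataclass(frozen=True)
class Fix:
    """One position report: timestamp plus WGS-84 latitude/longitude in degrees."""
    t: datetime
    lat: float
    lon: float


def haversine_nm(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in nautical miles."""
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlmb = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(h))


def implied_speeds(track: list[Fix]) -> list[float]:
    """Speed in knots implied by each consecutive pair of fixes.

    A non-positive time gap (duplicate or out-of-order timestamp) is itself
    suspicious, so it is reported as infinite speed rather than skipped.
    """
    speeds = []
    for prev, cur in zip(track, track[1:]):
        hours = (cur.t - prev.t).total_seconds() / 3600.0
        if hours <= 0:
            speeds.append(float("inf"))
        else:
            speeds.append(haversine_nm(prev, cur) / hours)
    return speeds


def flag_implausible_segments(track: list[Fix], max_speed_knots: float = 30.0) -> list[int]:
    """Indices i such that the move from fix i to fix i+1 exceeds max_speed_knots.

    The 30-knot default is an assumed ceiling for a merchant hull; a real
    deployment would set it per vessel class.
    """
    return [i for i, v in enumerate(implied_speeds(track)) if v > max_speed_knots]


# Constructed sample track: a vessel heading north at roughly 15 knots
# (about 2.5 nm, i.e. 0.0417 degrees of latitude, every 10 minutes), with
# two injected fixes that jump tens of miles away and back.
_T0 = datetime(2019, 6, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_TRACK = [
    Fix(_T0 + timedelta(minutes=0), 26.500000, 56.5),
    Fix(_T0 + timedelta(minutes=10), 26.541667, 56.5),
    Fix(_T0 + timedelta(minutes=20), 26.583333, 56.5),
    Fix(_T0 + timedelta(minutes=30), 27.200000, 56.5),  # injected: ~37 nm in 10 min
    Fix(_T0 + timedelta(minutes=40), 27.241667, 56.5),
    Fix(_T0 + timedelta(minutes=50), 26.666667, 56.5),  # injected: ~35 nm back in 10 min
]


def main() -> None:
    for i, kn in enumerate(implied_speeds(SAMPLE_TRACK)):
        mark = "  <-- implausible" if i in flag_implausible_segments(SAMPLE_TRACK) else ""
        print(f"segment {i}: {kn:7.1f} kn{mark}")


if __name__ == "__main__":
    main()
```

A check like this only catches jumps that are large relative to the reporting interval; a slow drift of injected positions would pass it, so in practice it is combined with other sources such as radar or dead reckoning rather than relied on alone.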
Iran collects intelligence on ships passing through the Strait of Hormuz not just to identify their locations, but also to enable attacks, if necessary, according to multiple former intelligence officials. “If I have tactical information about when that ship is coming, I can launch a rocket attack,” said a former intelligence official.
Iran’s cyber operatives facilitated intelligence gathering used in multiple ship attacks over the past several years, including in 2017, when Houthi rebels attached bombs to remote-controlled boats targeting vessels belonging to the UAE and Saudi Arabia, according to multiple former intelligence officials interviewed by Yahoo News.
For Iran, projecting strength into the Strait and keeping a close eye on maritime targets is of utmost importance.
“It doesn’t entirely surprise [me] to find out that there’s yet another way in which Iran is trying to find ways to flex its muscles, in particular regarding shipping in the Gulf,” said Matthew Levitt, director of the counterterrorism program at the Washington Institute for Near East Policy.
“Iran is trying to respond to the U.S. maximum pressure campaign, in particular, now that still tougher measures have been taken to constrict the amount of oil Iran is able to ship and the amount of money it can get for it.”