Monday, February 26, 2024

Iran’s cyber menace: sanctioned, but not stirred

Delivered every Monday by 10 a.m., Weekly Cybersecurity examines the latest news in cybersecurity policy and politics.

By Joseph Gedeon

With help from Maggie Miller, John Sakellariadis and Phelim Kine

Driving the day

Iran's cyber capabilities, once subpar, are now estimated to be backed by 16 intra-governmental intelligence agencies. While sanctions continue piling up, experts warn they may not be enough to deter increasingly sophisticated attacks on U.S. soil.

HAPPY MONDAY, and welcome to MORNING CYBERSECURITY! All this talk about the AT&T outage being a potential cyberattack made me realize that people really believe “Leave The World Behind” can happen any minute. But think about it, if the internet is gone, where would friends and foes get their daily dose of hot takes in a cyber newsletter? Morning Cyber is forever.

Have any tips or secrets to share with MC? Or thoughts on what we should be covering? Find me on X at @JGedeon1 or email me at jgedeon@politico.com. You can also follow @POLITICOPro and @MorningCybersec on X. Full team contact info is below.


Today's Agenda

Commerce Secretary Gina Raimondo is headed to the Center for Strategic and International Studies to give an update on implementing the CHIPS Act. 11 a.m.

The Commerce Department's National Oceanic and Atmospheric Administration is hosting a virtual meeting to discuss partnerships on emerging ocean technologies like AI and eDNA, and accessible data for research and user needs over the next decade. 1 p.m.

The NIST Cybersecurity Framework, a popular guide for cybersecurity planning, is releasing a major update years in the making with new resources to help organizations manage cyber risk. NIST Director Laurie Locascio will discuss what’s coming in “CSF 2.0” and how it changed the way we assess and implement cybersecurity, at the Aspen Institute. 1:30 p.m.

On the Hill

ADD UP THE SANCTIONS — The Senate is getting set to take a hard look at countering Iran’s “shadow army” and proxy networks at a time when experts are sounding the alarm over Tehran’s rapidly expanding cyber warfare capabilities — and questioning whether more sanctions will truly change the game.

The high-profile session in the Senate Foreign Relations Committee on Wednesday comes just weeks after the Biden administration rolled out a new round of sanctions targeting Iran's cyber warfare apparatus, including elements of the powerful Islamic Revolutionary Guard Corps.

But some experts contend the U.S. has already maxed out its sanctions leverage against Tehran, and that another round is unlikely to fundamentally alter the regime's calculus on offensive cyber operations targeting the U.S. and its allies.

"The reality is the instrument of sanctions is not deterring the Islamic Republic on not just the cyber front, but across the board," said Alex Vatanka, Iran program director at Washington think tank Middle East Institute. “It’s just not enough.”

Now, senators will debate how to tackle Iran's extensive proxy networks in the Middle East, which increasingly include a cyber arm that has started taking westward swings.

“Iran's already the most sanctioned country in the history of the world,” a former State Department official who worked closely on Iran policy, granted anonymity to talk about sensitive policy discussions, told MC. “Yet we keep rolling out these new batches of sanctions. So doesn't that speak to the efficacy of the sanctions?”

— History lesson: Iran built its once subpar capabilities up to an advanced level over roughly the last 15 years, with help from partners like Russia, China and North Korea, after Stuxnet, widely believed to be a joint U.S.-Israeli operation to derail Iran's nuclear program, exposed a security gap.

Since then, Iran tends to frame its cyberattacks as retaliation, Vatanka said, with cyber superpower Israel a prime target given its long history of pushing back against Iran's nuclear program and regional ambitions. Analysts have also reported that Iran uses Persian-language Wikipedia to spread propaganda and disinformation by manipulating its editorial teams and content.

Now, Iran is estimated to have around 16 intelligence agencies within its government.

"This is a regime that does engage in careful cost-benefit analysis," Vatanka said. "The idea that rogue Iranian cyberattackers do things because they feel a certain way, on a certain day — I don't believe it."

But those tit-for-tat campaigns take on new life when they spill onto American soil, including the targeting of at least 18 water utility plants in recent months.

— So what *should* be done?: “It's an easy thing to do in Washington on multiple fronts,” the former State Department official said. “But it's not going to stop the Iranians from doing the things that we don't like that they do.”

Instead, the Biden administration will need to consider more creative deterrence measures, Vatanka said, like building up U.S. cyber defenses or carrying out more offensive cyber strikes.

It’s not like offensive strikes are off the table, either: Three U.S. officials told NBC News that the Biden administration in early February hit an Iranian spy ship with a cyberattack to disrupt intelligence sharing with Houthi rebels. That ship is now back at sea.

— Food for thought: Thousands of sanctions have already been levied against Iran since the regime was established in 1979, but the individuals blacklisted more recently tend to have minimal exposure to the U.S. and Western financial systems, which limits the bite of each new designation.

And remember, a 2021 Cyware report showed that the China state-linked hacker group UNC215 has hit Israeli organizations since 2019, posing as Iranian operators to evade detection, in a campaign demonstrating China's interest in Middle Eastern targets that researchers expected to continue against critical infrastructure.

Tehran’s municipal systems are also reportedly still recovering from a major cyberattack that disrupted their websites last June.

FIRST IN MC: SECURE THE VOTE — Reps. Abigail Spanberger (D-Va.) and David Valadao (R-Calif.) are today introducing bipartisan legislation to enhance the cybersecurity of the nation’s voting systems that would mandate vulnerability testing for machines before they can earn federal certification.

The Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing Act — or SECURE IT Act — mirrors a Senate bill from last year spearheaded by Sens. Mark Warner (D-Va.) and Susan Collins (R-Maine) that hit a wall after at least one Republican objection derailed its inclusion in the 2024 National Defense Authorization Act.

“We continue to hear reports of foreign governments, individuals, and companies actively working to influence U.S. elections and subvert our democracy,” Spanberger said in a statement. “The sanctity of our free and fair elections is core to our identity as Americans.”

— How would it look?: Under the duo's bill, the Election Assistance Commission would have to stand up a program allowing vetted researchers to try to penetrate the voting machines' cyber defenses and test how malicious hackers might seek to compromise the vote, as a condition for earning the agency's stamp of approval.

“People need to have confidence in their vote and our elections in order for democracy to succeed,” Valadao said in a statement. “This is an important step to ensure the safety and security of our nation’s elections.”

TIKTOK, MAYBE STOP — Rep. Raja Krishnamoorthi (D-Ill.), ranking member of the House Select Committee on China, tore into TikTok over its handling of Chinese disinformation campaigns targeting Taiwan’s elections, alleging the social media giant dragged its feet in taking down Beijing-linked accounts pushing false narratives.

Krishnamoorthi leveled the criticism at the end of a three-day congressional delegation trip to Taiwan with committee Chair Mike Gallagher (R-Wis.) and other members of the committee.

— In his own words: The lawmaker said the level of Chinese meddling was "pretty tremendous" in the run-up to Taiwan's presidential vote last month, with tactics heavily leveraging TikTok and the Chinese messaging app WeChat to spread disinformation narratives.

“One of the toughest challenges that [Taiwanese officials] had was with apps that are beholden to the [Chinese Communist Party],” Krishnamoorthi said during a call with reporters on Friday. “What ends up happening is they find a bunch of bots and fake accounts, then they report it to TikTok, and when [TikTok] took down those accounts, they took them down after the election.”

— The U.S. solution: Krishnamoorthi contrasted TikTok's response with U.S.-based social media companies, claiming the latter companies were quicker to ax malign accounts.

He said Taiwan still managed to fend off such campaigns "to some degree" thanks to "a significant social media presence," but Beijing's interference blitz was intense — mirroring assessments from experts and Taiwanese officials, which China has denied.

At the Agencies

CSF 2.0 — The long-awaited update to the National Institute of Standards and Technology's Cybersecurity Framework is finally being released today after a multi-year effort to revamp the influential risk management tool.

— Quick refresher: The original NIST CSF dates back to 2013 and Executive Order 13636, focused on bolstering critical infrastructure protections. But the framework quickly took on an outsized role as a common cybersecurity lingua franca adopted by enterprises across industry.

— What to expect: The new CSF 2.0 aims to elevate the framework for the modern cyberthreat landscape, incorporating real-world lessons from major incidents over the last decade like the rise of ransomware and supply chain attacks.

One core enhancement: the addition of a governance component to better align cybersecurity with an organization's enterprise risk strategy.

"It empowers security shops to have more effective conversations with company boards and those making budget decisions," said Katie Brooks, director of global cyber policy at Aspen Digital. "It provides an effective communication tool to ensure business risk is being assessed holistically."

— The future is now: Other expected updates reflect NIST's mission to create a living, responsive document attuned to the cyberthreat realities facing organizations.

"I'm really optimistic that this is going to change how we talk about cybersecurity and make it more tangible and put us in a better practical spot," Brooks said.

The official rollout kicks off today at 10 a.m.

BYTELINE — The documents revealing the inner workings of a Chinese hacking firm were scrubbed from GitHub on Friday, but not before providing a rare look at how Beijing outsources cyber ops to private contractors.

The 190MB trove of leaked files from Sichuan-based I-Soon appeared on the code-sharing site GitHub two weeks ago, opening a window into the company's hacking activities aimed at foreign governments and dissidents on behalf of Chinese intelligence agencies.

GitHub removed the leak, citing violations of its policies “on doxing and invasion of privacy,” the company shared in a statement to Morning Cyber.

— Aftermath: Despite its short shelf life (long, by internet standards), researchers were able to dive into the leaked data and show I-Soon breaching targets like Taiwan's national health services on behalf of China's domestic intelligence agency.

One particularly eye-catching document is a sales pitch I-Soon made to a Chinese partner in Xinjiang, the region where Beijing has been accused of carrying out a genocide against the Uyghurs. The pitch, one researcher told John, touts I-Soon's infiltrations against counterterrorism targets in nations like Kyrgyzstan to assert its bona fides.

JOINING FORCES — The U.S. 16th Air Force — the main military unit charged with cyber intelligence — on Friday announced a new partnership with the Poland Cyber Command to share knowledge and expertise on threats.

According to the 16th Air Force, Poland has seen five times as many cyberattacks against its critical systems since the Russian invasion of Ukraine in early 2022. The attacks allowed the government to gather threat data on Russian tactics, and the new partnership will allow the Poland Cyber Command to share the data with U.S. forces.

People on the Move

Lt. Gen. Michelle McGuinness is starting as Australia’s national cyber security coordinator today. McGuinness previously served as deputy director of commonwealth integration at the Pentagon’s Defense Intelligence Agency.

Tweet of the Day

LockBit put out a lengthy and unhinged letter disputing the law enforcement takedown that shut down its sites, speculating that it was hacked because the group didn’t keep the PHP version on its servers updated.

Our reading of this: LockBit has no clue how they got got, but they are determined to stay operational.

Source: https://twitter.com/ddd1ms/status/1761506256999649685

Quick Bytes

UKRAINE ON FRONT LINE — Ukraine's top cyber official warns Russia's attacks are intensifying, with government hackers now deployed closer to the front lines for easier access to captured Ukrainian technology. Maggie has all the details.

LOCKBIT BACK — Russian ransomware gang LockBit vows to continue operations despite FBI disruption, blaming laziness for the vulnerability exploited in the attack, writes David Perera for Bank Info Security.

A LINK IN HACKS — A U.S. intelligence team in a joint operation with Ukraine tricked a Russian officer into revealing a link between the government and the Fancy Bear hacking group, known for election interference, reports Adam Entous and Michael Schwirtz for the New York Times.

ICYMI — IronNet, a cybersecurity company focused on collective defense through AI-driven solutions, has emerged from Chapter 11 as a private company.

Chat soon. 

Stay in touch with the whole team: Joseph Gedeon (jgedeon@politico.com); John Sakellariadis (jsakellariadis@politico.com); Maggie Miller (mmiller@politico.com); and Heidi Vogt (hvogt@politico.com).

 

Follow us on Twitter

Heidi Vogt @HeidiVogt

Maggie Miller @magmill95

John Sakellariadis @johnnysaks130

Joseph Gedeon @JGedeon1
