By Catherine A. Theohary*
Threat Evolution
Iran’s use of cyberspace has evolved from an internal means of information control and repression to more aggressive attacks on foreign targets. The regime has been developing its own cybersecurity software and internet architecture in order to protect and insulate its networks, and it has been developing technological cyber expertise as a form of asymmetric warfare against a superior conventional U.S. military.
Iran also has a history of using cyberattacks in retaliation against the United States. In 2010, a computer worm known as Stuxnet was discovered by cybersecurity researchers to have infiltrated the computers that controlled nuclear centrifuges in Iran, causing physical damage and preventing operation. The Stuxnet worm was reported to have been a joint effort between the governments of the United States and Israel. Following the discovery of the Stuxnet malware, U.S. assets experienced an increase in the severity and duration of cyberattacks originating in Iran.
Recent events have heightened interest in Iran’s current cyberattack capability with respect to U.S. vulnerabilities.
Iranian Cyber Organization
Since the advent of the Stuxnet worm, Iran has been investing resources in developing its own cyber forces and organizations. Some of these entities reside within the government and military, while others appear to operate more independently. Some focus more on defensive capabilities but may operate in concert with military units conducting offensive operations. The information below draws from unclassified sources.
Government Entities
Iran Cyber Police. A law enforcement unit, the Cyber Police is responsible for tackling what it considers internet crimes. To this end, the unit monitors online activity within Iran, including infiltrating websites and email accounts of political dissidents.
Ministry of Intelligence and Security (MOIS). Similar to the U.S. National Security Agency, MOIS is responsible for signals intelligence and collecting information from electronic communications.
Supreme Council of Cyberspace. Also known as the High Council of Cyberspace, this body coordinates cyberspace policy for the Iranian government and coordinates between offensive and defensive cyber operations.
National Cyberspace Center (NCC). An entity of the Supreme Council of Cyberspace, the NCC is largely concerned with information content and development of internal internet security controls. The NCC is also tasked with “preparing for a cultural war” between Iran and its enemies, according to the 2013 NCC Statute issued by Iran.
Islamic Revolutionary Guard Corps (IRGC). A branch of the Iranian Armed Forces, this military force oversees offensive cyber activities.
IRGC Electronic Warfare and Cyber Defence Organization. This organization provides training courses in cyber defenses and denies access to and censors online content and communications.
Basij Cyber Council. Considered a paramilitary force, Basij comprises nonprofessionals, using volunteer hackers under IRGC specialist supervision. These volunteers are sometimes referred to as “cyber war commandos.”
National Passive Defense Organization (NPDO). Formed for infrastructure protection, one of the NPDO’s main roles according to analysts is to use “all national cyber and non-cyber resources to deter, prevent, deny, identify, and effectively counter any cyberattack against … Iran’s national infrastructure by either hostile foreign states or [domestic] groups supported by them.”
Cyber Defence Command. Also known as Cyber Headquarters in the Iranian military, this group conducts offensive cyber operations along with the Basij Cyber Council. The command may have been created as a corollary to the U.S. Cyber Command.
Proxies
Iran has been known to employ proxies to conduct cyber operations. These range from patriotic or financially motivated individual hackers, to private sector contractors and quasi-governmental organizations. Given the amount of control that the Iranian regime exercises over the internet activity of its citizenry, one may assume that while the actions of individuals may not be state-directed, they are almost certainly state tolerated or even encouraged. The use of proxies also allows the regime to maintain plausible deniability for the attacks, thereby avoiding escalation. However, readily identifiable signatures in the computer code suggest that the Iranian government endeavors to take the credit for attacks on foreign entities as a demonstration of ability.
Mabna Institute. A group of private sector contractors that conduct computer intrusion, wire fraud, and data theft at the behest of the government of the Islamic Republic of Iran and the IRGC.
Iranian Cyber Army. IT specialists and professional hackers. The Cyber Army has not been directly linked to the IRGC, but Iranian government officials refer to using it to hack “enemy sites,” diverting internet traffic, and hacking into foreign media sites and social media platforms.
Cyberattack Methods
Since at least 2012, Iranian cyberattacks have been advancing from simple website defacements to denial of service and other disruptive or destructive forms of attack. These include distributed denial of service (DDOS) attacks that prevent access to target websites and more destructive attacks that destroy data or disable computers entirely.
Website Defacement. Cyberattacks that manipulate data and images on a website or redirect traffic to a new webpage.
Data Breach and Theft. Intrusions into computer systems that allow extraction of large amounts of otherwise protected data.
Denial of Service. Cyberattacks that flood a computer or network with traffic, rendering it inaccessible to users.
Destructive Attacks. Cyberattacks that destroy applications and computers within a target network with damage that could possibly equal that of a kinetic attack. An example is a “wiper” attack, where an infected computer hard drive is overwritten or cleared of data.
Iran-Attributed Incidents
Saudi Aramco. In 2012, wiper malware known as Shamoon damaged computers and delayed oil production after targeting Saudi Aramco and other energy companies in the Middle East. U.S. government officials linked the attack to Iran.
Sands Casino, Las Vegas. In 2014, destructive attacks accessed and destroyed data on the network of the Sands Hotel and Casino, owned by a political donor seen as pro-Israel and anti-Iran. The U.S. Director of National Intelligence attributed this attack to the Iranian government in a Statement for the Record to the House Permanent Select Committee on Intelligence.
U.S. Banks. From 2011 to 2013, DDOS attacks in which banks’ websites, including Bank of America and Wells Fargo, were overwhelmed with internet traffic, preventing customer access for a period of time. In March 2016, the U.S. Department of Justice indicted seven Iranian actors contracted by the IRGC who were said to have cost the banks millions of dollars in remediation.
Twitter and Facebook. In 2009, Twitter web traffic was redirected to a page for a group claiming to be the Iranian Cyber Army. In 2018, Twitter announced that it had removed 2,617 Iranian accounts that were engaging in “malicious activity.” In May 2019, Facebook stated that it had removed Iranian-linked Facebook accounts, pages, and groups as well as Instagram accounts. While much of this activity involved trolling and other influence operations, social media platforms could also be used to coordinate cyberattacks.
Rye, New York Dam. In 2013, an Iranian employed by a company contracted by the IRGC was able to access remotely the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, NY. This gave access to information regarding the status and operation of the dam, possibly compromising its functioning. The Iranian was indicted by the U.S. Department of Justice in 2016.
Cyber Data Theft Ring. From approximately 2013 to 2017, cyber thieves associated with the Mabna Institute targeted intellectual property and other data from 144 U.S. universities, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, and the State of Indiana, as well as companies and organizations outside the United States. The Department of Justice indicted nine Iranians for these incidents in 2018.
While there are many reports of Iran’s increasingly sophisticated cyberattack capability, previous incidents also can be attributed to poor security controls of the targets. However, discovery of sophisticated malware such as Stuxnet could allow for reverse engineering, giving Iran its own destructive capability.
Possible Iranian Cyber Response to Recent U.S. Action
On June 22, 2019, Christopher C. Krebs, Director of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), issued a statement that “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies…. Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money.” On January 2, 2020, the day IRGC major general Qassem Soleimani was killed in a U.S. air strike at Baghdad International Airport, Krebs linked back to this statement on his social media account.
On January 4, the DHS National Terrorism Advisory System issued a bulletin warning that “Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” The bulletin warned of the potential for cyber retaliation in response to the U.S. military strike in Baghdad. Also on this day, hackers claiming to represent the Islamic Republic of Iran hacked and defaced several U.S. websites. CISA representatives did not confirm that this attack was sponsored by the Iranian government.
In the days following the death of Soleimani, the U.S. Selective Service System website was disabled due to high volumes of web traffic. Random U.S. citizens had been receiving text messages that indicated a draft had been reinstated for an imminent war in Iran. The origin of these text messages is unknown.
*About the author: Catherine A. Theohary, Specialist in National Security Policy, Cyber and Information Operations
Source: This article was published by Congressional Research Service (PDF)