Seriously Risky Business Newsletter
July 03, 2025
Why Iran Is a Scaredy Cat Cyber Chicken
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Sandfly Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

US authorities and security firms have spent the last few weeks pumping out non-stop warnings about an increased threat of Iranian cyber attacks targeting US critical infrastructure. At the time of writing these attacks have not materialised. Given the US has already dropped very real bombs, we think Iran has good reason to avoid escalatory cyber attacks.
Disruptive cyber attacks can be useful because they cause harm and they are also hard to stop or deter. Iranian groups have carried out these kinds of irritating attacks in the past. But there's a caveat. These types of attacks are useful and worthwhile before bickering between states escalates to armed conflict.
Back in December 2023, for example, an Iran-linked group calling itself the Cyber Av3ngers disrupted water facilities across the US by hacking Israeli-made Unitronics programmable logic controllers. These devices matter because they are used to control and monitor operations at water processing plants. Still, in this case, the incidents were annoying rather than destructive or disastrous.
In response, the US government sanctioned senior officials whom it said were responsible at the Iranian government's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).
At the time of the hacks, we wrote:
There is an argument here that a robust response is needed to try to deter hackers from meddling with US critical infrastructure. In this case, however, the hacking is akin to digital graffiti and is not reported to have had any serious impacts.
A military response to these hacks would have been an overreaction. Hence, a few months later, the US government dropped sanctions, not bombs.
That ability to cause adversaries some pain without triggering a military response is part of the appeal of cyber operations. A Google report examining Iranian cyber operations against Israel described them as "tools of first resort" because they provide:
…a lower-cost, lower-risk way for rivals to engage in conflict, gather information, disrupt daily life, and shape public perceptions — all while still remaining below the line of direct confrontation.
The recent US strike against Iranian nuclear facilities makes it clear that military action in response to any serious hack of US critical infrastructure is very much on the table. Iranian hackers will have to wonder if that "line of direct confrontation" even exists any more, let alone whether they can stay under it.
President Trump posted on Truth Social "ANY RETALIATION BY IRAN AGAINST THE UNITED STATES OF AMERICA WILL BE MET WITH FORCE FAR GREATER THAN WHAT WAS WITNESSED TONIGHT."
So far, at least, it seems Iranian groups are treating Trump's post as a credible threat. It is in ALL-CAPS after all. At the time of writing, we've only seen one notable cyber-related incident. A persona named Robert has threatened to leak emails stolen from Trump's associates. Robert leaked emails to journalists in the final months of the 2024 presidential campaign and a US Department of Justice indictment alleges that three Iranians working for the IRGC were responsible for that incident.
These types of hack-and-leak operations are very unlikely to elicit a military response, so it makes sense this is where Iran's cyber efforts are focussed for now.
Universal Surveillance Is Here and the FBI Just Don't Care
A new report from the Department of Justice Office of Inspector General (OIG) has laid bare the FBI's lacklustre efforts to adapt to the rise of what it calls Ubiquitous Technical Surveillance (UTS). It found the agency isn't doing enough to protect its operations from this rising threat, and worse, the FBI just doesn't seem to care.
The FBI defines UTS as "the widespread collection of data and application of analytic methodologies for the purpose of connecting people to things, events, or locations".
One striking example of the impact of UTS on the Bureau's work describes how its operations were compromised by a Mexican drug cartel:
In 2018, while the FBI was working on the "El Chapo" drug cartel case, an individual connected to the cartel contacted an FBI case agent. This individual said that the cartel had hired a "hacker" who offered a menu of services related to exploiting mobile phones and other electronic devices. According to the individual, the hacker had observed people going in and out of the United States Embassy in Mexico City and identified "people of interest" for the cartel, including the FBI Assistant Legal Attaché (ALAT), and then was able to use the ALAT's mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT's phone. According to the FBI, the hacker also used Mexico City's camera system to follow the ALAT through the city and identify people the ALAT met with. According to the case agent, the cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses.
At first glance, this is real movie-hacking stuff.
But the report doesn't go into detail about the specific techniques used by the "hacker". They may easily have been unsophisticated from a cyber perspective. For example, a Vice report from late 2023 says Mexican criminals were relying on corrupt officials to access a law enforcement platform to obtain phone call records and locations.
Internet-connected cameras are also easily compromised, and they have been widely hacked in the Russia-Ukraine war, the Israel-Iran war, and by Hamas to collect intelligence in preparation for its October 7 attack against Israel.
The OIG's report notes that:
Although the risks posed by UTS to the FBI's criminal and national security operations have been longstanding, recent advances in commercially available technologies have made it easier than ever for less-sophisticated nations and criminal enterprises to identify and exploit vulnerabilities created by UTS.
The El Chapo incident occurred in Mexico, but UTS is a risk everywhere. In 2021, for example, a Catholic substack publication used notionally anonymous app data to identify an American priest as a Grindr user. In 2024, researchers used smartphone geolocation data to find devices associated with the US Securities and Exchange Commission, and track visits to the headquarters of publicly traded firms.
The FBI isn't the only national security agency that has struggled with UTS. Officials from the CIA told the OIG that the threat was "existential" for the organisation.
A Washington Post article from May described the challenge the CIA faces while operating in China:
Beijing alone is believed to have more than 1 million CCTV cameras. One former U.S. official who recently visited the city said there were so many cameras on the street it felt like being in a TV studio. The cameras are often paired with sophisticated facial recognition programs that can simultaneously track millions of individuals.
Incriminating data can live forever online, said Glenn Chafetz, a former CIA officer who served as the agency's first chief of tradecraft and operational technology. A hostile intelligence service such as China’s could discover days, or even months, later that a traitor in its ranks had met with a CIA officer by running big data feeds from cameras across the country through sophisticated artificial intelligence filters. "You have to be perfect now, in order to be clandestine ... perfect forever, before any op, during the op and forever after," Chafetz said.
While the CIA and FBI both face the same UTS challenge, there is a clear difference in care factor between the two agencies. The CIA actually believes that tackling UTS is important, because it's accustomed to operating in hostile environments. Ensuring the safety of its sources is a prerequisite for its long-term success. Screwing up and getting agents arrested or killed would drastically reduce the chances of successfully recruiting future spies.
Former CIA Director William Burns created a UTS Center to tackle the challenge of widespread surveillance, although the puzzle remains unsolved, former agency officials told The Washington Post.
By contrast, the FBI typically operates domestically where it is top dog and hasn't historically faced the same surveillance concerns that the CIA does. The overriding impression the OIG report leaves us is that the FBI is approaching the challenge of UTS as a box-ticking exercise. While former Director Wray described UTS as a "Tier 1 enterprise risk" and ordered an internal review, a 2023 red team produced a gap analysis document that was shockingly brief.
The OIG described the document as "a single page of high-level, generalised vulnerabilities" and that it "contained no details, explanations or analysis". The entire redacted gap analysis is reproduced below.
That red team gap analysis became the basis of an FBI draft mitigation plan. The OIG's assessment of this plan is damning:
… the resultant OIC-led [Office of Integrity and Compliance] Red Team and the gap analysis it performed appeared to identify only high-level gaps in the FBI's policy and training, potentially leaving unaddressed many UTS vulnerabilities to the FBI's personnel, investigations, and operations. Because the Red Team's subsequent draft mitigation plan was based on its gap analysis, we have corresponding concerns about that plan. We also have an independent concern about whether the draft mitigation plan will result in any mechanism at the FBI that will better position it to respond to the evolving UTS threat in the future…
That's one hell of a bureaucratic burn.
The newly released OIG report makes four very reasonable recommendations: do a better job of clearly identifying UTS vulnerabilities, devise a plan to address them, identify people to carry out said plan and ensure the right people get the training they need.
It's not rocket science!
The FBI's response when given a draft version of the OIG's report was telling: it "did not agree or disagree with our [OIG's] recommendations".
Care factor: Zero.
Watch Patrick Gray and Tom Uren discuss this edition of the newsletter:
Three Reasons to Be Cheerful This Week:
- Cyber insurance premiums down: Premiums in 2024 declined by 2.3% compared to the year prior, but insurers still remain profitable. If you are optimistic, this could signal that cyber incidents are becoming less damaging and/or less frequent. Another possible explanation, though, is that large businesses with a good security track record are confident enough to self-insure and therefore aren't paying premiums. We're not sure, but at least premiums aren't going up. Cybersecurity Dive has further coverage.
- US cracks down on North Korean laptop farms: The US Department of Justice this week announced actions it had taken to crack down on North Korea's fraudulent IT worker scam. These include an arrest, two indictments and the searches of 29 suspected laptop farms across 16 states. The Record has further coverage.
- Making Windows more resilient: Microsoft has announced a range of measures to make Windows more resilient. These include making Windows more secure, making it easier and quicker to recover from crashes, and getting anti-virus companies to commit to specified safe deployment practices.
Sponsor Section
In this Risky Bulletin sponsor interview, Craig Rowland, CEO of Sandfly Security, talks to Tom Uren about the disconnect between how important Linux systems are and how much security attention they get. The pair discuss the variety of reasons that security teams underinvest in protecting Linux.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq talk about how Microsoft has embraced digital sovereignty and is bending over backwards to satisfy European tech supply chain concerns.
Or watch it on YouTube!
From Risky Bulletin:
US sanctions another Russian bulletproof hosting provider: The US Treasury Department has sanctioned the Aeza Group, a well-known provider of bulletproof web hosting services for malware, disinformation campaigns, and dark web marketplaces.
Sanctions were levied on the main company, three subsidiaries, its three owners, and a fourth high-ranking executive.
Officials have linked Aeza Group's server infrastructure to the Lumma, Meduza, and RedLine infostealers, the BianLian ransomware, and the BlackSprut dark web drugs marketplace.
The sanctions don't mention anything about Aeza hosting disinformation campaigns, but Correctiv and Qurium investigations linked the company to a Russian disinformation group known as Doppelganger.
[more on Risky Bulletin]
Scattered Spider goes after aviation sector: Individuals associated with a large cluster of hackers known as Scattered Spider (Muddled Libra, UNC3944) are targeting companies in the aviation and transportation sectors.
The group, which was previously very active in 2023 and had some members arrested in 2024, saw a resurgence in activity this year.
It returned with a bang with attacks that targeted UK retail chains, moved to go after US retailers, and then targeted US insurance businesses before a new change in targets this month.
Google, Palo Alto Networks, and the FBI put out public statements on Friday warning about the group's new shift towards aviation.
[more on Risky Bulletin]
Phishers abuse forgotten Direct Send feature: Phishing gangs are abusing a little-known Microsoft Exchange Online feature to send malicious emails to Microsoft 365 tenants and their employees.
The feature is named Direct Send and allows hardware devices inside a company's network to use the Exchange Online server to send emails. It is typically used by printers and scanners to send scanned documents via email or by phone or video conferencing applications to send invites and reminders to participants.
[more on Risky Bulletin]
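As an added defender-side example (not from the newsletter or from Microsoft), here is the Exchange Online PowerShell check and hardening for the Direct Send behaviour described above, showing the weak default beside the corrected setting. It assumes the RejectDirectSend organization setting that Microsoft added to Exchange Online in 2025, and the admin account name is a placeholder.

```powershell
# Added example: audit and, if needed, turn off unauthenticated Direct Send
# for an Exchange Online tenant. Requires the ExchangeOnlineManagement module.
# Assumption: the RejectDirectSend setting on Set-OrganizationConfig
# (added by Microsoft in 2025); "admin@contoso.example" is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@contoso.example"

# Weak state: RejectDirectSend is $false (the default), so any host that can
# reach the tenant's MX endpoint can submit mail that appears to come from
# an internal address, which is what the phishing gangs above are abusing.
$cfg = Get-OrganizationConfig
"RejectDirectSend is currently: $($cfg.RejectDirectSend)"

if (-not $cfg.RejectDirectSend) {
    # Hardened state: unauthenticated submissions to the MX endpoint are
    # rejected. Printers, scanners and conferencing apps that still need to
    # send should use authenticated SMTP client submission or an inbound
    # connector scoped to their own IP addresses.
    Set-OrganizationConfig -RejectDirectSend $true
}

# Re-read the setting to confirm the change took effect.
(Get-OrganizationConfig).RejectDirectSend

Disconnect-ExchangeOnline -Confirm:$false
```

Inventory the devices that rely on Direct Send before enforcing the setting, since their mail will start bouncing once it is on.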