Beware the new Green Scare.

Reports of Iran’s cyberwar against the United States have been greatly exaggerated, throngs of critics say, in order to make it look like Iran is on the clear cyberwar-path against the West. The reality appears to be much more complicated than that.

Last week, a report claiming Iran had conducted hundreds of thousands of cyberattacks against American industrial targets made a big splash in the New York Times, attracting a great deal of attention from around the world and within the security industry.

The report arrived as relations between Iran and the U.S. made global headlines—and right before its authors set up shop at RSA, the biggest commercial security conference in the world. 

Now, the report’s authors stand accused of hyping up the Iranian threat, arbitrarily redefining words in order to fit their agenda, and focusing on attacks that never actually took place. The report’s authors—Norse, a prominent cybersecurity firm, and the American Enterprise Institute, a conservative think tank—have defended their work, but criticism is mounting.

Critics say the Iran report was inaccurate, politically motivated, and a transparent marketing ploy to take advantage of headline-making international relations between the U.S. and Iran.

“What is concerning is that there is a pressure in the industry to grab headlines when it comes to cybersecurity,” Robert Lee, a U.S. Air Force cyberwar officer and the cofounder of Dragos Security, told the Daily Dot. Lee is one of three authors on a new paper outlining the holes in Norse’s widely talked-about Iran report.

“News media reporting your company, articles written by your company executives, etc. are all good for business,” Lee said. “Additionally, investors love to see companies in the news. There is definitely a pressure from many [venture capital firms] to make as many headlines as they can in order to break out against the larger, more static, companies.”

The Norse and AEI report claims that over the last year, hundreds of thousands of cyberattacks have been launched by Iranian IP addresses on American industrial control systems. That number is up 128 percent.

In fact, that number vastly overestimates the actual number of attacks, according to an upcoming report from the SANS Institute that examined Norse’s research.

The Norse report identifies network scans and network handshakes as “sophisticated attacks.” They’re not attacks at all—if they were, you’d be “attacking” Google.com every time you connected to it, Lee argued.

Scans are also certainly not sophisticated—anyone from the public can perform a scan of the entire Internet in minutes with tools like Masscan. Moreover, no actual industrial control systems were attacked.

Even the attribution to Iran, by far the most attention-grabbing statement of the entire Norse report, is highly questionable. They prominently pin malicious activity on Iran’s government based on IP addresses even though, buried on page 13 of the report, the authors themselves note, for very good reasons, that an IP address alone is not enough to implicate Iran.

IP addresses are trivial to fake, which makes them unreliable indicators.
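The distinction Lee draws between a scan, a completed handshake, and an actual attack is something a sensor operator can encode directly. The example below is added here to illustrate that point; it is not code from the Norse, SANS, or Dragos reports, and the sensor records are constructed sample values (RFC 5737 documentation addresses), not data from any of them. It tiers each logged connection by what the client actually did, shows how far a naive “everything is an attack” count diverges from the number of events worth a human look, and records how much the source address of each event can be trusted: a lone SYN needs no reply, so its source can be spoofed, while a completed handshake proves only that some reachable host took part, not who operates it.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Conn:
    """One connection as a passive sensor would log it. All values are constructed."""
    src: str          # source IP as seen on the wire; says nothing about who operates it
    dport: int        # destination port on the sensor
    completed: bool   # True if the TCP three-way handshake finished
    payload: bytes    # bytes the client sent after the handshake (empty if none)


def classify(c: Conn) -> str:
    """Tier a connection by observed client behaviour.

    probe        - SYN without a completed handshake: the client only asked whether
                   the port is open (what Masscan and similar tools produce)
    handshake    - handshake completed but no application data: a connect scan
                   or banner grab
    interaction  - an application-layer request was sent; the only tier that
                   merits manual review before anyone calls it an attack
    """
    if not c.completed:
        return "probe"
    if not c.payload.strip():
        return "handshake"
    return "interaction"


def source_evidence(c: Conn) -> str:
    """How much the logged source address tells you about the actor."""
    if not c.completed:
        # A one-packet probe never needs a reply, so the source field can be forged.
        return "spoofable"
    # Replies had to reach this address, so a real host took part, but an
    # address identifies infrastructure, not an operator or a government.
    return "routable, operator unknown"


def summarize(conns: Iterable[Conn]) -> dict:
    conns = list(conns)
    tiers = Counter(classify(c) for c in conns)
    return {
        # What you get if every sensor hit is reported as an "attack".
        "naive_attack_count": len(conns),
        "by_tier": dict(tiers),
        # What actually deserves an analyst's attention.
        "needs_review": tiers["interaction"],
        "distinct_sources": len({c.src for c in conns}),
        # Events whose source address cannot be trusted even as infrastructure.
        "spoofable_sources": sum(1 for c in conns if source_evidence(c) == "spoofable"),
    }


# Constructed sample records: one host sweeping ICS-associated ports, one host
# completing connections without speaking, and one HTTP request.
SAMPLE = [
    Conn("198.51.100.7", 502, False, b""),
    Conn("198.51.100.7", 102, False, b""),
    Conn("198.51.100.7", 20000, False, b""),
    Conn("198.51.100.7", 44818, False, b""),
    Conn("198.51.100.7", 47808, False, b""),
    Conn("203.0.113.9", 502, True, b""),
    Conn("203.0.113.9", 102, True, b""),
    Conn("192.0.2.44", 8080, True, b"GET / HTTP/1.1\r\nHost: sensor\r\n\r\n"),
]


if __name__ == "__main__":
    for c in SAMPLE:
        print(f"{c.src:>14} :{c.dport:<6} {classify(c):<12} {source_evidence(c)}")
    print(summarize(SAMPLE))
```

Run against the constructed sample, eight sensor hits collapse to one event that needs review, and five of the eight carry a source address that proves nothing at all. Counting the first number and reporting it as “attacks” is exactly the inflation the SANS authors describe; counting by the source address’s registered country and calling it attribution is the second error the report itself concedes on page 13.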

“It is also important to note that we use the term ‘attribution’ in an academic and policy sense, rather than a law-enforcement or military sense,” the authors wrote. “We would not support using the relaxed standards of attribution we propose to target Iranian individuals or systems with military or legal response without substantial additional corroboration and evidence.”

This has been called “the most concerning statement in the entirety of the report” by Lee because “the authors openly admit that they are re-defining the word attribution since their data does not meet the standards required for attribution.”

“Saying ‘non-traditional use of industry terms’ is a more professional way of saying completely wrong,” Lee wrote. “I can’t speak to Norse’s intentions but my personal opinion is this is all marketing. It’s hard to sell ‘our unregistered IP addresses detect network scans that could be correlated with other data in a useful way.’ It’s easy to sell ‘our platform of sensors detect cyber attacks.’ It is very misleading.”

A 2014 attack originating from Iranian IP addresses on Telvent, a software company servicing the U.S. energy industry, is described by Norse as an “Iranian effort to establish cyberbeachheads in crucial U.S. infrastructure systems.”

But the attribution of the attack to actual Iranian state-backed actors—as opposed to, say, the Chinese hackers who targeted the company in 2012—is based mostly on guesswork, critics say.

“No government is stupid enough to engage in cyber attacks which can be easily traced back to them,” Jeffery Carr of Taia Global, another cybersecurity firm, wrote. “That kind of stupidity only resides with security researchers who have a vested interest—often a monetary interest—in placing the blame for an attack on a given nation state.”

Other cybersecurity firms have found the exact opposite of the Norse and AEI report.

“[Iran’s] activities dropped off dramatically over the last couple of months to the point where they’ve basically been shut down,” Stuart McClure of Cylance told NPR.

The involvement of the AEI has been painted as a red flag as well.

“The political motivation I see is from AEI,” Lee argued. “It’s a very conservative-leaning think tank and they state right up front in their key items of the report that they are showing that sanctions on Iran shouldn’t be lifted. Nothing in the data could possibly support that—and it didn’t. There’s a very clear agenda here. So you have a company who has pressure to show people their data and make it look enticing, i.e. marketing. And you have a think tank that has a very clear political agenda. So those two combine to create an incredibly misleading report that has wide ranging negative impacts.”

“There’s a right-wing political motivation here which is to paint Iran as a threat,” Carr agreed.

Lee’s new report claims that Norse “extracted and highlighted” all the data they thought related to Iran while any other data was not represented.

“This sort of selective data isolation can greatly skew metrics and the meaning of data,” Lee, Assante, and Conway wrote.

The report put together by Norse and AEI has been roundly criticized throughout the security community.

“People build this narrative that Iran is on the war path and Russia, China, and Iran are constantly these adversaries that want to kill all our cyberz,” Lee wrote. “It’s much harder to accept the reality. The reality is countries all around the world, including the US and its allies, are increasing their ability to leverage cyber capabilities as a normal progression of states and militaries. The answer is in technical solutions for security and foreign policy recommendations to decrease confusion and establish international norms on the use of these capabilities. The answer is not in hype and marketing attempts.”

The entire SANS Institute report is scheduled to be released Wednesday.

Illustration by Jason Reed

Patrick Howell O'Neill

Patrick Howell O'Neill is a notable cybersecurity reporter whose work has focused on the dark net, national security, and law enforcement. A former senior writer at the Daily Dot, O'Neill joined CyberScoop in October 2016. I am a cybersecurity journalist at CyberScoop. I cover the security industry, national security and law enforcement.
