Iran attacks, cyber edition

Jay Solomon reports in today’s Wall Street Journal: “U.S. Detects Flurry of Iranian Hacking” (accessible via Google here). The Israel Project’s Omri Ceren takes note and comments in an email message (with the usual footnotes!) that I thought readers would find of interest:

The WSJ revealed last night that there has been a “surge” in Iranian cyberattacks against U.S. officials, journalists, and activists who work on Iran. At least some of the attacks have been successful.

The attacks were launched using the laptop of American-Iranian businessman Siamak Namazi, who was arrested and imprisoned in mid-October. It appears the Revolutionary Guard Corps (IRGC) seized Namazi’s computer, made him log into Outlook or Gmail or whatever program he uses, and then sent malware-infected emails to people in his contact list, who then opened up those emails. The Journal had previously published hints of the story: last week the outlet reported “Iranian intelligence agents ransacked [Namazi’s] family home in Tehran and confiscated his computer, and have since been launching cyberattacks on some of his email contacts” [a]. Journalist Robin Wright subsequently revealed she and State Department officials were among those targeted from the confiscated computer [b]. This new Journal story reveals that the cyber-offensive is widespread and that “Obama administration personnel… have had their computer systems hacked.”

The full article…runs almost 1,500 words. Background on some of the angles:

U.S. politics (sanctions) — “Lawmakers have called for the White House to ramp up sanctions on the IRGC… ‘Iran’s threatening behavior will worsen if the administration does not work with Congress to enact stronger measures to push back, including… targeted pressure against Iran’s Revolutionary Guard,’ Sen. Mark Kirk… said Friday” — Lawmakers are talking about a policy menu that has three tiers of potential targets: (1) just the IRGC personnel involved in Namazi’s arrest, e.g. by having the Treasury Dept. tag them as Specially Designated Nationals (SDNs); (2) the entire IRGC, e.g. by having the State Dept. designate the IRGC as a Foreign Terrorist Organization (FTO) [c]; (3) Iran’s non-nuclear infrastructure (ballistic missile development, human rights violations, terror promotion, regional expansionism, etc.), e.g. by supporting Congress in renewing the Iran Sanctions Act (ISA) of 1996.

Middle East geopolitics (U.S.-Iran entente) — “President Barack Obama and Secretary of State John Kerry have voiced hopes that the Iran nuclear agreement reached in July could spur greater cooperation between Washington and Tehran on regional issues… Iran for the first time took part in international talks aimed at ending the multisided war in Syria” — Foreign Policy revealed last night that Obama personally intervened with the Saudis to allow Iran to take part in those talks [d]. The Associated Press had already assessed over the summer that “coziness” between the Iranians and Obama administration officials was “the new normal” [e]. The Iranian cyber-offensive – plus the arrest of Namazi, plus Iran’s arrest last month of U.S. resident Nizar Zakka, plus the new joint Iranian-Russian military offensive in Syria, plus Iran’s recent launch of a ballistic missile in violation of UNSC resolution 1929, plus this week’s widespread Death to America celebrations throughout Iran [f] – risks making the administration look naive.

U.S. national security (cyber) — “The IRGC has used cyberwarfare against other Iranian-Americans and people tied to them detained in recent years… Computer experts have noted that by hacking a target’s contacts… the number of people associated with that target can grow exponentially” — The Iranians have been spear phishing U.S. government targets for years. In May 2014 a computer security firm revealed the existence of a three-year Iranian cyber-campaign – the “most elaborate social-engineering campaign” the researchers had ever seen – targeting U.S. military officials, Congressional staffers, diplomats, lobbyists, journalists, and so on [g]. Last spring the American Enterprise Institute published a report assessing that the then-impending nuclear deal would “dramatically increase the resources Iran can put toward expanding its cyberattack infrastructure” [h].

The WSJ story will get wrapped into the broader debate about the wisdom of the Joint Comprehensive Plan of Action (JCPOA). When the article went live last night Reuters took it to the White House for a response, and got a “no comment” on background [i]. As today rolls along, administration spokespeople will shift more explicitly to the usual line about Iranian aggression: they’ll say that of course they have concerns about Iranian behavior, but the nuclear deal was never premised on Iranian moderation, and they’ll add that they can still respond to Iran with options in theory. They’ll refuse to identify any specific pushback they intend to implement in practice.

That move has been a staple of administration messaging for months, but may not satisfy journalists or lawmakers in the aftermath of the Namazi arrest and cyberattacks. The policy menu outlined by the Kirk letter provides a range of options – SDNs, FTO, ISA – and should allow the White House to work with Congress on a calibrated pushback. At the bottom level it suggests sanctions against the specific IRGC officials in the specific intelligence unit who seized Namazi and used his laptop to hack American officials. Imposing sanctions at that individual level is quite literally the least the White House can do in response.