The mystery behind a string of electrical explosions which shut down a highly protected Iranian nuclear enrichment site has yet to fully lift, as international security experts analyse how the act of sabotage widely attributed to Israel was committed.
Regardless of the method behind the explosion or precisely who was responsible, Israeli experts say that companies and government agencies need to realize that they could be the target of an Iranian retaliatory cyberattack, and ensure they are following best practices for security.
The strike at Natanz is seen as part of a larger ongoing shadow war between the countries that has included cyberattacks — like the destruction of Iranian centrifuges more than a decade ago by the U.S.-Israel developed malware, Stuxnet — as well as covert strikes on marine shipping, and drive-by shootings. The covert, low-profile attacks have allowed Iran and Israel to deliver a blow while maintaining a veneer of deniability that relieves pressure on the other side to escalate into an all-out war.
“Cyberattack warfare capabilities enable countries to operate beneath a certain threshold and minimize unwanted escalation chances,” said Dr. Gil Baram, head of the Cyber & Space research group at the Yuval Ne’eman Workshop for Science, Technology and Security at Tel Aviv University. “So, as previous rounds of escalation between Israel and Iran have shown us, Iran will probably use its cyberattack capabilities to try and harm Israeli companies and critical infrastructures, as it tried to do last year against parts of Israel’s water network.”
A history of cyberattacks
Last year, Iran launched two attacks on Israel’s water infrastructure, but they failed to cause any damage. Iranian hackers were also credited with an attack on an Israeli insurance company, Shirbit. Israel retaliated for the cyberattack on its water network with a cyberattack that crippled a key Iranian port last year.
More broadly, Iran is believed to have waged a cyberespionage campaign against the Gulf states for years, mainly through proxy hacking groups. Iran showed the sophistication of its cyberattack capabilities in 2012, when it damaged tens of thousands of workstations at Saudi Aramco. More recently, Chafer, a hacking group widely believed to have ties to Iran, was found to have targeted air transport and government agencies in Kuwait and Saudi Arabia with attacks going back to 2018.
Meanwhile, the electrical shutdown at Natanz initially seemed like the work of offensive cyberops like Stuxnet. However, subsequent reports have suggested explosives were physically smuggled into the underground enrichment centre. Iranian officials have accused Israel’s clandestine Mossad spy agency of being responsible for the attacks, and some Israeli news outlets have quoted unnamed government officials confirming involvement.
Several off-the-record confirmations of the attack to the Israeli press are liable to embarrass Teheran and put pressure on leaders to retaliate in a more severe way, said Israeli security experts.
Iran has already said it would start enriching uranium to 60% — a level used for nuclear weapons — in retaliation for the attack. There was also an unconfirmed report in Lebanon of an attack on an Israeli merchant vessel near the UAE.
The Israeli National Cyberattack Directorate, which provides guidance and sets standards for the private sector on cybersecurity, is likely recommending companies be on high alert for an Iranian response, said one expert. Such alerts are generally not made public.
“I think they’re always on high alert. The assumption is that someone is always out to get us,” said Yaakov Katz, the editor of the Jerusalem Post and the author of a book on the Israeli military’s use of cyberattack technology. “What’s going on now gives the Iranians more of a reason to want to do something, and therefore we’re probably on extra high alert.”
Companies urged to step up security
Companies and organizations that need to take the most precautions in case of retaliation make up Israel’s critical infrastructure — water, electricity and telecommunications companies, healthcare and financial companies.
“They should definitely be worried,” said Andrey Laremenko, the co-founder and chief technology officer of HUB Security, an Israeli start-up that provides cybersecurity consulting to infrastructure companies. “For each attack that is published, there are hundreds of attacks that aren’t written about.”
To lower the potential for an attack, companies need to physically isolate and better control data between critical information networks and the internet, Laremenko said. Companies should also step up the monitoring of outbound communications from their networks in order to spot malware trying to communicate with bad actors, he added.
Israeli private sector companies should adopt the view that they are part of the playing field in the game of attack and retaliation with Iran, said Einat Meyron, a cybersecurity consultant. Business leaders need to revisit assumptions about their organization’s exposure to cyberattacks and review their game plan in the event of a breach, she said.
Meyron said companies need to step up penetration testing, raise awareness among employees about potential attack vectors, and make sure executive leadership has a playbook in case of an emergency.
“What happened in Natanz the other day isn’t unique, except for the fact that Israel said ‘We’re behind that,’” she said. “It’s safe to assume the Iranians will react. We can’t keep closing our eyes to it.”