Since the US military's deadly drone strike on Iranian General Kassem Soleimani, the United States has feared Iranian digital retaliation. The Department of Homeland Security, for example, warned shortly after the strike of Iranian cyber attacks on critical infrastructure in the United States, and some security researchers were also alarmed. Rightly so? We spoke about this with Sven Herpig, Head of International Cyber Security Policy at the New Responsibility Foundation.
ZEIT ONLINE: Mr. Herpig, do you think it is justified that the USA should now assume possible cyber attacks from Iran?
Sven Herpig: More than before. One can distinguish between two categories. First, there are somewhat lower-level attacks. For example, they send encryption Trojans, change the visual appearance of websites or do similar things. As a rule, the Iranian government is not directly behind them, but so-called patriotic hackers.
Sven Herpig is Head of International Cyber Security Policy at the think tank New Responsibility Foundation in Berlin. Previously, he worked on the IT security staff of the Federal Foreign Office and as Deputy Head of the Unit for Cyber Security in Society at the Federal Office for Information Security.
ZEIT ONLINE: A loose association of people who want to support Iran and who have certain, but not necessarily excessive IT skills.
Herpig: You could say that. Since the US drone strike on Soleimani, there has been a significant increase in activity - attempts are being made to attack everything that is somehow connected to the United States or to countries friendly with the United States, such as Israel and Kuwait, often with the help of online tools that anyone can download. For example, the Kuwaiti state news agency, Kuna, was hacked last week. A few days earlier there was an attack on the website of the US Federal Depository Library Program - both are believed to have been carried out by the patriotic hackers. Such attacks may affect reputation, but do little real damage.
ZEIT ONLINE: And the second category?
Herpig: These are attacks that are likely to be carried out by intelligence or military cyber groups from Iran. Such advanced persistent threats are more strategic when it comes to target selection: they could target critical infrastructures such as power grids and telecommunications infrastructures, but also political parties.
ZEIT ONLINE: Advanced Persistent Threats, or APT for short - this is the name given to groups of attackers that security researchers repeatedly see behind attacks because they act in a similar way.
Herpig: Exactly. It's like this: it's difficult to find out who is behind a particular attack. The attackers sometimes use different tools and follow different patterns. Nevertheless, the similarities in the attacks help to assign them to specific groups. And these groups are often associated with certain states. Iran is likely to be behind several APTs; in Russia, APT29 is assigned to the domestic secret service FSB and APT28 to the military secret service GRU.
ZEIT ONLINE: If you read how the US Department of Homeland Security and other authorities in the United States warn of cyber attacks, it sounds alarming: as if a retaliatory strike from Iran could mean that Americans could soon be without electricity and water - or that hospitals could be paralyzed. Is this realistic?
Herpig: It depends on two factors. The Iranian APTs would need to have the skills and access required for such attacks. I think it is realistic that this is the case up to a certain limit. This has to be planned in advance. I assume that the Iranians have been trying for months, if not years, to gain access to industries and critical infrastructures in order to use it in conflicts like this one. You usually can't get access to such systems within a day or two; it takes time. The second question is which of these accesses the Iranian APTs actually want to use. Which cyber attacks they actually carry out depends entirely on the extent to which Iran currently wants to escalate or de-escalate the conflict with the United States, because such attacks are always embedded in the overall strategic concept of how one wants to react to the other state. It's hard to say, but given the current situation, I think an Iranian cyber attack on critical infrastructure is unlikely - but of course that can change overnight.
ZEIT ONLINE: So Iran is holding back for political reasons?
Herpig: Maybe. If patriotic hackers only react here and there, you could say from a security perspective that this is more of a de-escalating measure. If the APTs use their access to critical infrastructures, this can have an escalating effect - if, for example, power grids are switched off. But you also have to see this in relation: on the Iranian side, people have died and objects have been destroyed. In other words, many cyber measures that could now be implemented are actually not really escalating in comparison.