By Julian E. Barnes and Thomas Gibbons-Neff
June 22, 2019, The New York Times
WASHINGTON — United States Cyber Command on Thursday conducted online attacks against an Iranian intelligence group that American officials believe helped plan the attacks against oil tankers in recent weeks, according to people briefed on the operation.
The intrusion occurred the same day President Trump called off a strike on Iranian targets like radar and missile batteries. But the online operation was allowed to go forward because it was intended to be below the threshold of armed conflict — using the same shadow tactics that Iran has deployed.
The online attacks, which had been planned for several weeks, were ultimately meant to be a direct response to both the tanker attacks this month and the downing of an American drone this week, according to the people briefed on the operations.
Multiple computer systems were targeted, according to people briefed on the operations, including those believed to have been used by an Iranian intelligence group that helped plan the tanker attacks.
An additional breach, according to one person briefed on the operations, targeted other computer systems that control Iranian missile launches.
Determining the effectiveness of a cyberattack on the missile launch system is particularly difficult. Its effectiveness could be judged only if Iran tried to fire a missile and the launch failed.
The online operation was first reported Friday by Yahoo News. Few details are known, but the breach was meant to take the Iranian intelligence group offline for a time, similar to one that temporarily took down Russia’s Internet Research Agency in November during and immediately after the United States’ midterm elections.
On Saturday, Christopher C. Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, issued a warning about Iranian attacks on American industries and government agencies, saying “malicious cyberactivity” was on the rise.
“We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyberactivity, share information and take steps to keep America and our allies safe,” Mr. Krebs said.
Such intrusions by Iran do more than just steal data and money — they also seek to delete data or take down entire networks. “What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” Mr. Krebs warned.
Beyond the online operation, American military and intelligence officials also are trying to devise other operations that would not escalate tensions with Iran but would try to deter further aggressions and prod Tehran to stop, or dial back, its shadow war, according to current and former officials.
The downing of an American drone on Thursday underlined the already tense relations between the countries after Mr. Trump’s recent accusations that Iran was to blame for explosions this month that crippled two oil tankers near the vital Strait of Hormuz. Iran has denied that accusation.
Mr. Trump’s decision on Thursday to call off military strikes — even as planes were in the air and ships were in position — has given Tehran a chance to try to de-escalate the situation. But if Iran instead targets additional oil tankers or fires missiles at other aircraft, the United States will need to take actions to try to re-establish deterrence, current and former officials said.
Scrambling to extend a reprieve in the Iran crisis on Saturday after President Trump’s aborted military strike, Britain, France and other European countries reached out to the Iranians for dialogue and urged restraint on all sides.
Tensions with Europe have grown since May 2018, when Mr. Trump abandoned the 2015 nuclear agreement that had been negotiated by the Obama administration. Although Iran has honored the accord, Mr. Trump has asserted it is temporary and too weak. He has reimposed old sanctions and added new ones, including steps to choke all exports of Iranian oil, the country’s main revenue source.
American officials said they believed Iran would hold off from more strikes on tankers or American aircraft. But unless the United States is able to find a way to re-establish deterrence, Iran will most likely resume its attacks in hopes of pressuring Washington to reduce its economic sanctions.
Mr. Trump on Saturday renewed his warning to Iran, saying that he did not expect Tehran to strike another drone or initiate another attack, but that American military action remained a possibility.
“We have a tremendously powerful military force in that area,” he said. “It’s always on the table until we get this solved.”
Iran’s leaders, who have repeatedly rejected discussions with the Trump administration, have shown no softening in their position.
Punctuating that defiance, state-run news media said on Saturday that the authorities had executed an Iranian military contractor on charges of spying for the C.I.A. No date of the execution was provided for the contractor, identified as Jalal Haji Zavar, nor was the precise nature of the spying accusations.
The episode appears unrelated to the cyberstrike on Thursday. State news media reported that Mr. Zavar’s contract with the Defense Ministry had ended in 2010 and that his wife, a co-conspirator, was sentenced to 15 years in prison. While executions are not uncommon in Iran, the announcement of the death penalty for an espionage defendant, just a few days after the downing of the drone, appeared deliberate.
On Monday, Iranian officials claimed they had exposed a large online espionage network run by the C.I.A. But the claim appeared to be a reference to an old operation, when Tehran infiltrated a C.I.A. communications network more than eight years ago.
The effect of Thursday’s cyberattack is almost certain to be temporary. Computer networks taken offline can, with work, be restored to regular operations.
Such attacks are most effective when done in coordination with other actions, and at best they will set back — but not eliminate — an adversary’s military abilities. The Iranian intelligence operatives will be able to restore their computer systems, just as the Internet Research Agency restored its network after the midterm election operation.
American cyberattacks on North Korea’s missile program may have contributed to a series of launch failures. But even if those attacks were successful, Pyongyang eventually restored the ability to test-launch the country’s long-range missiles.
Reporting was contributed by David E. Sanger and Eric Schmitt in Washington, Rick Gladstone and Farnaz Fassihi in New York, and Patrick Kingsley in Berlin.