In mid-March, the US treasury department, in coordination with the justice department, sanctioned Iran’s Mabna Institute and 10 Iranian individuals for “engaging in significant malicious cyber-enabled activities.” The US government asserted those designated had “engaged in the theft of valuable intellectual property and data from hundreds of US and third-country universities and a media company for private financial gain.” This action – one of the most important efforts aimed at ending Iran’s nefarious behavior – didn’t receive nearly enough attention. It should have. For by sanctioning these targets, the treasury department was waving a red flag, exposing a threat that undermines the national security not only of the United States, but also of its friends and allies across the world. The Middle East, in particular, would be the region that feels the cold wind of such threats from Iran most directly and most acutely; it should therefore move swiftly on Washington’s lead.
According to the treasury department, the Mabna Institute is an Iran-based company founded around 2013 to “assist Iranian universities and scientific and research organizations in obtaining access to non-Iranian scientific resources.” This entity also conducted hacking activities on behalf of the Iranian government and of private entities linked to the government. The Mabna Institute has conducted “massive, coordinated cyber intrusions into computer systems” belonging to at least 144 American universities, in addition to at least 176 universities in 21 other countries. Of greatest concern, the treasury department notes that these activities benefitted the Iranian Revolutionary Guard Corps. If, now, global governments and the private sector don’t take proper steps to enhance their own cyber security, to be vigilant against the Iranian regime’s malicious cyber practices and to hold Iranian criminal cyber actors accountable, then Tehran could do damage in ways it is hard to even begin to imagine.
Yet, this is not the first time Iran has pursued malicious cyber-related tactics to achieve its foreign-policy and national-security goals. Last September, the US sanctioned 11 entities and individuals found to have engaged in similar behavior. One of those entities – Sadid Caran Saba Engineering Company – directly supported the IRGC’s ballistic-missile program. Two other sanctioned entities based in Ukraine supported Iran’s Caspian Air and Iraq’s Al-Naser Airlines, both of which had been previously sanctioned for directly or indirectly supporting the transport of fighters and weapons into Syria, among other activities. Also included in this sanctions action were two Iran-based networks that planned and executed distributed denial of service (DDoS) attacks against nine known large American financial institutions, including top banks and stock exchanges.
To say that Iran’s criminal cyber-attacks pose significant national security threats to the world might tempt accusations of hyperbole, but in fact it is an understatement. Iran continues to hone and refine its cyber-hacking skills – a cheap and relatively easy way to exponentially increase its global power and regional influence. This type of activity allows the regime both to steal important information and to pursue destabilizing activities. For example, pilfered information could allow Iran to significantly and expeditiously enhance its weapons of mass destruction or other arms-related programs, and to replicate technologies it is prudentially banned from acquiring through the open market.
By hacking into other information systems, Iran also could steal funds, infiltrate infrastructure and, in short, cause wide-scale mischief. Such behavior isn’t just havoc-creating and destructive, it also provides Iran with a potential bargaining chip. It’s like a massive hostage-taking scheme. Imagine, for just a moment, how Tehran might engineer a power blackout in some country or paralyze a bank in return for rigging an election or protecting a dictator. The stuff of TV spy serials is no longer so farfetched when measured against reality.
And nowhere will that intimidation be more destructively felt than in the Middle East, where Iran has been attempting to assert hegemonic power directly and through proxies. It is thus well past time to pay closer attention to its corrosive efforts.
To begin with, Middle East governments should sanction the same targets as the US and ensure that these parties remain isolated from the financial system. The region also should be vigilant and ensure that its infrastructure and banking systems haven’t already been compromised. If they have, governments must hold the perpetrators fully accountable to local law and order. The region also needs to enhance awareness in society, and both the public and private sectors should be required to implement advanced cyber-security measures. Such admonishments might seem pro forma, in the manner that public-service announcements often state the blindingly obvious. But the truth is, cyber-security experts are continually surprised at how woefully unprotected companies, government entities and ordinary people are against the full range of possible, and prospective, cyber-crime attacks. This issue is a matter of national security.
The US action has exposed Iran’s engagement in a silent, but nevertheless deadly, kind of warfare. The Middle East would be well advised to be on even better guard and higher alert, given that Iran’s proximity – and Iranian presence in many countries – gives it even better access.
Hagar Hajjar Chemali is founder and CEO of Greenwich Media Strategies, which offers communications strategy, media engagement and public-relations consulting in areas including national security and counter-illicit finance. Chemali has held senior public-affairs and policy-making positions at the White House, state department and treasury department. Among her roles in the US government over 12 years, she was a Middle East policy advisor at the treasury department’s office of terrorist financing and financial crimes.