In this edition of Between Two Nerds Tom Uren and The Grugq discuss how bombing Iran changes incentives for Iranian hacker groups. Destroying other ways that Iran might project power could force it to double down on cyber capabilities.
This episode is also available on YouTube.
Hello, everyone. This is Tom Uren. I'm here for another Between Two Nerds with the
Grugq. Good day, Grugq, how are you? Good day, Tom. I'm fine, and yourself?
I'm well.
This week's edition is brought to you by Sublime Security, a next-generation email platform.
Find them at sublime.security. So this week, there's a story. I'm reading it from Kim
Zetter's site. What is it? Zetter, Zero Day. And she talks about Stryker, which is a medical
device manufacturer I'd never heard of.
Yeah, that household name.
Yeah. So according to Kim, they're a leading maker of medical devices, but they've been hit
by ransomware from a known Iranian activist group named Handala. Handala, H-A-N-D-A-L-A.
And I'd say it's pretty serious. Like lots of people not working.
That's awful. I would hate to be struck with not working.
For a short time at least, that's fine. And obviously, I've been thinking around the
war there and what that means for its hackers in the longer term. So my first thought,
in the short term, and as of last week, as far as I'd got, was that I'm not
particularly worried about Iranian hackers because they'll just have other things on their
mind.
And they don't have internet right now. So it's sort of like...
Yeah. So I mean, in the past, we've seen them use Starlink to do hacking. I think if
they were like the problem with that is that that could also be blocked. Like it would
be not hard to... Right.
...in the grand scheme of things to get Starlink to turn off a few terminals.
Right.
And realistically, if you need five guys with a portable hard drive and $10,000 to buy
new equipment, you can give them that and put them across the border anywhere you like
and say, go shack up in a hotel, buy the premium internet package, get some laptops and
have at it.
Yeah.
Yeah.
In the very short term though, like there've been a couple of stories that the IRGC's, the
Iranian Revolutionary Guard Corps' cyber headquarters were bombed, or cyber warfare headquarters
was the term I saw in the reporting.
There's another unconfirmed story that a hacking office, an office of some threat actor
group, was bombed, and then there's a story that a particular individual hacker who was
on the FBI's most wanted list was actually killed.
So it seems like Iranian state hackers were in the country, their facilities are at least
to some degree being targeted.
Right.
And so yeah, they've got other concerns, rather than they're probably more worried about
like getting food, water, electricity and like staying alive in the middle of a bombing
campaign as opposed to what the return to office policy is at that particular moment.
Yeah.
And so that was kind of as far as I've got short term.
This article, well, first of all, what it made me think was what's the point?
Ooh.
Okay.
So yeah.
I knew you'd have thoughts.
What is the point of cyber during war?
Yeah.
Yeah.
So look, I think like it's very interesting, the situation that Iran is right now in terms
of war time cyber, because on the one hand, I've said a lot that like espionage is where
all the value is during war, right?
But I think that that's only true if you have a military chance in hell using the technical
terms, right?
Like if you are Iran versus the US, I think even having like complete access to every
message that the US military is sending itself would not help you in any way militarily.
I mean, it's going to be so minor a little, yeah, and you don't have the conventional
capability to take advantage of it, right?
You couldn't exploit that access, right?
Like, even if you had it, you couldn't really do anything with it.
So you'd still get crushed.
So I've argued that effects, particularly if you're trying to coordinate with military
action are extremely hard to do in a way that is relevant.
But if you have no military to speak of in a way, if your military is unable to coordinate
regardless, you could just do effects for effect's sake, you know, just for the hell of
it really.
And the way I see it is, if you have an extremely unpopular war, if you make life annoying
for the civilians, like, then there's no will to fight.
Yeah.
So you're talking about from the US perspective here and from the perspective of American
citizens.
Yeah.
Well, I mean, I would think that like granted right now, they're blowing up like Kuwait
and Qatar and, you know, Dubai and all this stuff, but they can do cyber as well and go
after infrastructure, right?
As just another level of like making life difficult and annoying for them.
And then I would say that effects make sense because there's no alternative, right?
Right.
And espionage or effects? Because espionage is not a valuable resource.
So yeah, just do effects.
Why not?
What I was wondering about is whether it actually hardens the civilian population against you.
So first of all, the US is massive country.
There are some Stryker factories in the US, I think.
Apparently, it's got like 60,000 personnel or employees around the world.
But I mean, does that even scratch the surface?
It's not a mainstream media thing and, you know, they don't work for a week or two, you
know, at worst maybe a bit longer.
It's not the Jaguar Land Rover level of attack where, you know, you're impacting the growth
of the GDP by a measurable percent for one quarter.
Like it's, it's not at that level.
That said, there's no reason they couldn't do a Jaguar Land Rover style attack.
Right?
That's just a targeting issue, you know, at, at the point where you are Iran trying to
cause problems, you can get into a car manufacturer like that's not a, that's not an impossible
ask.
It's not like a huge amount of 0day and development and all this stuff.
It's just the right person with the right phishing email and you're in.
So I think there's an opportunity for them to do damage.
Then the question, you know, as you've said is like, is this a strategic bombing campaign
where rather than making the citizens ask for the war to end, it makes them harden against
an outside enemy?
And I wonder if that's true for cyber because most of the problems that show up are not like,
no one dies.
Nothing blows up.
Yeah.
Things are annoying and delayed and I don't believe annoyance and, like, frustration works
in quite the same way as like having your neighbors killed.
Yes.
You know, that's kind of my feeling is that it doesn't, it doesn't really help your cause.
I don't think the American people will even more vociferously hate the war because a
medical device manufacturer or even hundreds of small to medium businesses are affected
across the country.
It's not the, I don't think it will move the needle.
So it's better, but I don't think it will move the needle the other way either or make
them.
It's a no-op in a way.
Like it's right.
Well, I think maybe the situation is different in Israel.
You know, a smaller country, I'm not sure.
But I think for the US, it's like such a big country, the capacity to cause a whole lot
of pain.
Yeah.
You can jab them with a needle as many times as you like.
They're still an elephant.
Yeah.
Like it's, it's not really going to, they won't notice.
It reminds me a little bit of a, so very early in the RAF bombing campaign against Germany,
they were doing night time bombing because they kept losing planes during the day.
But they didn't have navigators.
So it was just sort of like fly by vibe to find the target.
And then they couldn't send that many planes at a time and they didn't carry that big
of bomb load.
And so the problem was that the pilots didn't know where they were bombing.
Like they didn't think like, oh, we missed the target.
They'd say, we were over, you know, Cologne and we unloaded, you know, the four tons
of whatever that we carried.
Even if it turned out to have been in France by mistake, you know.
And so what happened was the strategic assessments basically said, like we have Germany on the
ropes.
Like we've, we've destroyed their, like, their Rhineland industry.
We've wiped out, you know, like this much of their capacity.
The Germans didn't know that the strategic bombing campaign was going on.
Like they were essentially unaware.
It's like every now and then a tiny village gets blown up for some reason, and like the
RAF finally did an analysis that came out called the Butt Report, because that was the guy's
last name, and it was scathing and it changed all the way that they were.
But I was just thinking if they're like, you could see the Iranians responding, you
know, like we've wiped out over 20% of their small to medium business capacity for selling
shoes or delivering pizza, you know, we've got them on the ropes and the US is just completely
unaware that this is happening.
Yeah.
So that seems to me that that campaign, this was kind of my gut feeling, it would be pointless
in terms of actually achieving anything in terms of the contests between the two.
But that doesn't mean that it's like a pointless campaign.
Right.
That's right.
Like people have different motivations.
So my sort of conception was that this may be a thing that you feel has value regardless
of whether it makes any difference or not.
Cool.
So, another tangent: psyops, right?
So like the psyops leaflets that they drop over troops, like they're the sex ones,
were basically they'd be like a pretty girl and it's like, you know, while you're here
in the trenches, the officers are back with your girlfriend or, you know, the foreigners
are sleeping with your wife while you're here dying.
And the thing is the psyops departments knew that these were not like, these were just
not very effective.
Like none of them was particularly effective, but they knew that these weren't any more
effective than the other ones.
The thing is one of the reasons that they did these is because it meant that they got
to have their illustrators draw pretty women for a change rather than corpses and skulls
and dead people all the time.
So it was the morale was actually internal as opposed to, right?
Yeah.
And I could see it forming into that exact same category, right?
Like it's, yeah.
Sure.
It's not there.
We've had a win.
Exactly.
It gives you something to celebrate.
And I don't see that it costs them anything because during peacetime, if you do a destructive
attack, there's the fear of escalation, you know, like where does this end?
Do we accidentally trigger a real war and they bomb us?
But you can't escalate from where they are right now, right?
Like it's, they've already realized the worst outcome.
So yeah.
So like in the longer term, it seems like there's the possibility that they'll in effect
be unleashed because I guess it's at least possible that the US or Israel could bomb them
again in the future.
It seems like politically that is unlikely, assuming that they stop bombing them at some
point.
It seems unlikely that the reason they would stop is because it's politically unpalatable.
And so it's a political reason not to do it again, not like it seems like Iranian air
defenses don't exist anymore.
So they could do it at any time, but it just seems like it would be a threshold that they
would be reluctant to do.
And so.
Right.
Yeah.
Well, I mean, even if they do bomb again, it's like what are they going to do blow up the,
like what's left, really?
Yeah.
Right.
I think they're shit twice.
Exactly.
Like if you've blown up the surface-to-air missile battery, you're not going to get anything
by blowing it up one more time.
So I suppose there are office buildings, for example.
So if you knew that there was sure, but a group in a particular office building, right?
That that's potentially, I think, I don't know.
I think that that would play very badly because if you're Iran, the first thing you do
is you start sectioning off three classrooms in every school and make them hacker
offices.
Right.
Yeah.
Yeah.
Every school in particular.
Right.
So like during the Syrian war, that was one of the things that the different rebel factions
were doing was every time they would get foreign journalists, they would put them in
the room just above the headquarters where all of the like radio equipment and everything
was.
So they're basically saying, yes, you can bomb us, but you're going to kill foreign
journalists and it's going to look bad. Was this kids or foreign journalists, or just...
No, no, no.
It was like if you showed up and you're like, I want to interview you for your, you know,
what's happening and they'd be like, great.
Why don't you stay the night?
We've got like a special room for you and everything.
It's all set up.
Yeah.
It would be foolish not to do it if you're Iran.
Right.
Like you're not going to be like, oh, you know, what if they get bombed?
We better make sure that they're in an isolated area by themselves with no collateral
damage.
Right.
Like that's the opposite, you know, you want to make sure that they go everywhere surrounded
by like small girls and, you know, cameras, basically.
Yeah.
I think one of the other things that will play to Iran with this is that they don't, like
they don't have a Cybercom as such.
Right.
Like I think with the US, if you were to take out Cybercom, like the physical infrastructure
and the central location of all of their people, they would have to reconstitute somewhere
else and that would be difficult because they have the sort of hierarchical approach.
Like it's not impossible and they'd obviously be able to do it, but it would be a, like
it would be an impact that they would have to deal with.
Whereas I think that because Iran has made up of these small companies that do contract
work, any individual one that you take out is not going to impact any of the other ones.
Like it's almost a terrorist cell network in a way.
Right.
Yeah.
I was thinking that in a way, the US or the Western focus on operating carefully and covertly
means they've got things like basically specialist equipment, which is air-gapped networks and stuff
like that.
Those are a lot harder to rebuild because it's not just walking down to the, right.
Okay.
Best Buy and Costco and getting a few laptops and just hooking up to the internet.
And so I think that being less operationally sophisticated in a way makes it easier because
it's just more resilient: download a whole lot of stuff from the internet and off you
go.
Yeah.
And realistically, how much tooling do they actually need that they can't rebuild, that
they can't vibe code into existence again, right?
Because if you're doing destruction attacks, you don't need stealth in the same way.
Like stealth is important if you want to get in, do your espionage and then get out without
leaving a trace.
Or, you know, if you do get discovered that they can't be traced back to you or not, like
all of these things are very important in an espionage scenario where you're expecting sort
of long term investment and return investment and stuff.
If you're just doing destruction attacks, you actually do not want to invest in bespoke
malware because it's going to get burned as soon as it's used instead, what you want
is cheap commodity malware, like as much as you can get so that it's not detected the second
time you use it, something else again, the third time.
And for that, being able to just vibe code or use things off GitHub is actually the better
option.
Like it fits their operational needs much better than any specialist tooling that they might
have.
Like essentially having it just like it dispersed, distributed, like decentralized group of
hackers who can operate with minimal bespoke tooling is a great strength when all you want
to do is maybe wreak havoc, be a pain in the ass.
Yeah.
Yeah.
So I was, before we started, I was watching some video, some guy called Preston, what's
his last name?
Preston Stewart.
Yes, that's right.
And he was talking about how the war aims of the US, they had had four.
And if I recall correctly, it was, you know, reduced military capability, removed the ability
for nuclear, eliminate nuclear capability.
What was the third and the fourth?
The fourth one.
Oh, there was the wipe out the Navy, get rid of their Navy.
And then end their ability to support proxy groups or something else.
Yeah.
And their support of the proxy groups.
Yeah.
And his video was, well, hang on, all of a sudden, they're now talking about three goals.
And that fourth goal of eliminating proxies had dropped off, you know, just they don't
mention it.
And it seemed to me that it's obvious why it's not a goal anymore, because they've
realized, well, how are we going to actually achieve that?
It doesn't seem like we're going to bomb them into submission where they voluntarily say,
yes, we'll stop doing that.
But it also struck me that's very similar to operating a hacker group.
Yeah.
So like the fundamental problem with ending the support for proxy networks is those, those
relationships are relationships, right?
Like they know each other.
You can't bomb a relationship.
It's not a tangible thing that can be destroyed in the same way that like some sort of missile
capacity or a Navy, right?
Like you can sink a ship twice, but you can't sink a friendship with a bomb.
Right.
Yeah.
Well, I guess what you've got to do is remove the will to want that relationship.
And I suppose that by removing that as a goal, they're in effect, conceding that this
is not going to be achieved.
We don't think.
Now, presumably they...
It's very much, you know, the sugar ration has been increased to 20 grams, I think.
The war goals have been increased to three rather than four.
So that...
And I think proxies, terror proxies are a worse problem than hackers.
And so...
What...
One of the things I'd point out is that they've been surprisingly quiet in all of these attacks
in Iran.
Like they haven't really shown up, right?
Like during the 12-day war, the Iraqi proxy groups basically did a "new phone,
who dis?"
Right.
Right.
They just...
They did not do anything.
And Hezbollah is like, you know, I'm a bit busy right now, can you call me back later?
Although to be fair, Hezbollah did launch a drone against the RAF base in Cyprus.
Right.
I thought there were a few things that the Houthis had done.
I guess...
Yeah.
It may be the same dynamic with the hackers in that their main support is like otherwise
occupied.
Their main funders, their main directors, whatever.
And so it's in the short term, maybe nothing, but in the longer term, perhaps it's the same
dynamic.
I guess that's not a cyber thing, so we won't talk too much about that, but I don't...
I could believe the same dynamic applies.
So far, it seems to me that there's reasons to believe that they would be unleashed in
a way because they've got, in effect, nothing to lose.
It probably won't achieve much from a balance of power or in a strategic sense, but it could
well appeal to like just national pride, I suppose, or an internal organization morale
that could be a thing.
So there's potential upside and basically no downside.
So why not?
Right.
That's my feeling at this point.
So I guess that is bad news.
Well, I mean, only if you're in the West.
But I mean, like in terms of a political trade off, I would probably go, okay, Iran,
let me swap the possibility of nuclear war with Iran for worse hackers, right?
That is actually like a good trade.
That's a fair trade.
Yeah.
Yeah.
So, yeah, well done, I guess.
But I'm not sure that Iran is going to go like, okay, we don't need the nukes anymore.
We've found one of the USBs that has Shamoon on it, so we're going to go.
But well, I suppose to me, it's not that they would think of it as replacement, right?
It's that this is just what we can do in the short time because it's probably the easiest
thing we can reconstitute that is resilient to further bombing, like, you know, you
have people working remotely.
Yeah, and you can station them outside the country, right?
Like you don't need them to be in the Pacific.
I mean, I don't even know if that's bad or not.
But you could do all sorts of things, right?
Well, I mean, you could put them in other places and let them operate from there and then
have them move every couple of weeks to somewhere else.
There's just a lot of opportunities.
It's much easier to have a small hacking team continue to operate than it is to build
a nuclear enrichment facility.
So that's pretty straightforward.
But so like one of the issues I see is they have no incentive not to do this regardless
of when the US stops bombing them.
Like there's no reason for them to stop going all out on cyber and just becoming a nuisance.
In fact, there's every reason for them to do it.
And if you look at, for example, the trajectory of North Korea where they went from being
sort of very low skilled, low-level capabilities that over time they invested in and they put
resources into and they built up now like an absolutely world-class team or teams or
whatever.
Like they have good people doing amazing operations these days.
There's no reason that Iran can't do the same thing over the next few years.
Like they were already on that trajectory as we discussed in a previous BTN episode with
Hamid Kashfi.
And so to a degree, they can be annoying but they can be progressively more annoying as
time goes on.
Right.
So you're saying that perhaps this will actually be an accelerant and they'll encourage
them because they've got no alternatives in the short term at least.
It'll take time to build up or rebuild their other.
Yeah.
And they'll be able to get visible victories.
Right.
Like they'll be able to do a thing that is visible that they can say, look, we did that.
Like we knocked out Jaguar, Land Rover, right.
We interfered with like BMW's production line.
We did some other thing like they can get these propaganda wins fairly easily and those
will probably be valuable internally outside of just the hacker communities.
And it would, of course, be difficult to stop them and it would look bad for the West
if this happens as well.
Yeah.
So I guess in that scenario, it's the shining light after they've been bombed.
Like this is the thing that we've got that will, I don't know, is it save face or demonstrate
Iranian strength and so that may in fact give it more resources than perhaps it would
have been if it had been left alone.
So in comparison with North Korea, it seems that in a way, they were both cornered kind
of into investing in cyber capabilities to some degree.
So North Korea, because it had very little else, went all in and in fact, this situation,
it seems like we've taken away a lot of the things that Iran could have used instead
to project power.
Right.
So I think the key difference there is that because Iran already has oil, we can't distract
them with crypto bros.
Thanks a lot, Tom.
Thanks, Grugq.
