Leaked Intelligence Document Reveals Cyber Attack Plans, Mentions Iran, UK and US

JAKARTA - A classified document, allegedly from Iran, reveals secret research into how cyber attacks could be used to sink cargo ships or to blow up fuel pumps at gas stations.

The internal files, obtained by Sky News, also cover everything from satellite communications devices used by the global shipping industry to the computer-based systems that control things like lighting, heating and ventilation in smart buildings around the world.

A security source with the knowledge and ability to assess the 57-page collection of five reports said the document was compiled by a covert offensive cyber unit called Shahid Kaveh, which is part of the elite cyber command of Iran's Islamic Revolutionary Guard Corps (IRGC).

The source believes the work is evidence of Iran's efforts to gather intelligence about civilian infrastructure that could be used to identify targets for future cyber attacks.

"They created a target bank to use whenever they wanted," said the source, who asked not to be named in order to speak about the document.

The documents allegedly show a special interest in researching companies and activities in Western countries, including Britain, France and the United States. The Iranian embassy in London did not respond to a request for comment on the allegations.

Illustration. (Unsplash/Kevin Ku)

In its reporting, Sky revealed that at the top of most of the files is a quote that appears to be from Iran's Supreme Leader, Ali Khamenei. It reads, "The Islamic Republic of Iran must be one of the most powerful in the world in the cyber field." Security sources described the quote as a "commander's statement of intent".

The reports were compiled by a cell called Intelligence Team 13. Sources familiar with the files referred to it as Intelligence Group 13 and said it was a sub-group within the IRGC's Shahid Kaveh unit, under an individual named Hamid Reza Lashgarian.

"They should be somewhat secretive. They are working on offensive cyber operations globally," said the source.

Only two of the reports carry a completion date on the front page. One document looks at what are known as building management systems – the computer technology that controls things like lighting, heating and ventilation in smart buildings – and is dated November 19, 2020. Another looks at a German company called WAGO, which manufactures electrical components, and is dated April 19, 2020.

Two of the other reports, one on gas station fuel pumps and another on maritime communications, include screenshots of internet searches dated last year.

Iranian military illustration. (Wikimedia Commons/Tasnim News Agency/Hossein Zohrevand)
Multiple targets

Some of the potential hacks that the IRGC cyber group may have planned, based on the document, would target the ballast water systems of cargo ships. This could cause irreparable damage.

The ballast water system helps keep a vessel balanced under certain conditions by pumping water into special tanks on board; damaging the system can compromise this critical process.

Another plot appears to involve hacking the automatic tank gauges at certain gas stations, which could stop the flow of fuel or, in the worst case, even cause an explosion, the report said.

In addition, the document describes an attempt to hack maritime communications devices, namely the Seagull 5000i and the Sealink CTR. The chart at the end of the file shows the results of what is known as "Google dorking" – performing internet searches with certain key phrases enclosed in quotation marks to narrow the results.

There is also a document on building management systems, the computer-based systems that control lighting, ventilation, heating, security alarms and other functions in smart buildings. It is nine pages long and dated the Iranian calendar equivalent of November 19, 2020.

The document lists the companies that provide these systems. They include Honeywell in the United States; the French electrical equipment group Schneider Electric; the German giant Siemens; and KMC Controls, another US manufacturer.

The longest report – 22 pages – is on electrical equipment made by the German company WAGO. It is dated the Iranian calendar equivalent of April 19, 2020. The file examines vulnerabilities in the computerised control systems known as programmable logic controllers, or PLCs.

In this regard, British Defence Secretary Ben Wallace said the Iranian documents, if authentic, show how vulnerable Britain and its allies are to cyber attacks.

"Unless we do something about it, our critical national infrastructure, our way of life could easily be threatened," Wallace told Sky News.

British Defense Secretary Ben Wallace. (Wikimedia Commons/US Secretary of Defense)

The source who shared the Iranian documents with Sky News said he was "very confident" that the documents were genuine. Sky News shared the files with additional sources who were in a position to judge whether they appeared genuine. Those sources indicated that they think the files look credible and interesting.

Sky News also shared this information with US cybersecurity firm FireEye, which investigates Iranian cyber threats as well as threats from other hostile nations. Mandiant Threat Intelligence, part of FireEye, said, "The documents appear to emphasize simple opportunistic attacks.

"They discussed the possible physical impact of cyber operations targeting critical civilian infrastructure and the feasibility of carrying out such an attack, while examining the percentage of internet-accessible devices that could be potential targets."

It said the five reports that make up the bundle appeared to be responses to requests for information or research.

"Everything outlined in the document fits perfectly into what we've seen of Iranian capabilities and the way they plan their attacks, the way they structure and divide the work and go out and really start the process of shaping operations," said Sarah Jones, senior principal analyst at Mandiant.

She added that this is the first step a country would take if it wanted to develop certain cyber-attack capabilities.

"You see all of that being set up but you don't see another phase of it. You see them saying - what would happen if we did this and how could someone cause some kind of damage or damage to the ability to really many different technologies?" she concluded.