US cyberattack made it harder for Iran to target oil tankers

A boat of the Iranian Revolutionary Guard passes by the Stena Impero, a British-flagged oil tanker, which was seized by Iran as tensions flared in the Straits of Hormuz.
A boat of the Iranian Revolutionary Guard passes by the Stena Impero, a British-flagged oil tanker, which was seized by Iran as tensions flared in the Straits of Hormuz.PHOTO: REUTERS

WASHINGTON (NYTIMES) - A secret cyberattack against Iran in June wiped out a critical database used by Iran's paramilitary arm to plot attacks against oil tankers and degraded Teheran's ability to covertly target shipping traffic in the Persian Gulf, at least temporarily, according to senior United States officials.

Iran is still trying to recover information destroyed in the June 20 attack and restart some of the computer systems - including military communications networks - taken offline, the officials said.

Senior officials discussed the results of the strike in part to quell doubts within the Trump administration about whether the benefits of the operation outweighed the cost - lost intelligence and lost access to a critical network used by the Revolutionary Guard, Iran's paramilitary forces.

The United States and Iran have long been involved in an undeclared cyberconflict, one carefully calibrated to remain in the grey zone between war and peace.

The June 20 strike was a critical attack in that ongoing battle, officials said, and it went forward even after President Donald Trump called off a retaliatory airstrike that day after Iran shot down a US drone.

Iran has not escalated its attacks in response, continuing its cyberoperations against the US government and US corporations at a steady rate, according to US government officials.

US cyberoperations are designed to change Iran's behaviour without initiating a broader conflict or prompting retaliation, said Mr Norman Roule, a former senior intelligence official. Because they are rarely acknowledged publicly, cyberstrikes are much like covert operations, he said.


"You need to ensure your adversary understands one message: The United States has enormous capabilities which they can never hope to match, and it would be best for all concerned if they simply stopped their offending actions," Mr Roule said.

Cyberoperations do not work exactly like other conventional warfare. A cyberattack does not necessarily deter future aggression in the same way a traditional military strike would, current and former officials say. That is in part because cyberoperations are hard to attribute and not always publicly acknowledged by either side, the senior defence official said.

Yet cyberoperations can demonstrate strength and show that the United States will respond to attacks or other hostile acts and impose costs, the official said.

Cyber Command has taken a more aggressive stance towards potential operations under the Trump administration, thanks to new congressional authorities and an executive order giving the Defence Department more leeway to plan and execute strikes.

The head of US Cyber Command, Army General Paul Nakasone, describes his strategy as "persistent engagement" against adversaries. Operatives for the United States and for various adversaries are carrying out constant low-level digital attacks, the senior defence official said. The US operations are calibrated to stay well below the threshold of war, the official added.

The strike on the Revolutionary Guard's intelligence group diminished Iran's ability to conduct covert attacks, a senior official said.

The US government obtained intelligence that officials said showed that the Revolutionary Guard was behind the limpet mine attacks that disabled oil tankers in the Gulf in attacks in May and June, although other governments did not directly blame Iran. The military's Central Command showed some of its evidence against Iran one day before the cyberstrike.

The White House judged the strike as a proportional response to the downing of the drone - and a way to penalise Teheran for destroying crewless aircraft.

The database targeted in the cyberattacks, according to the senior official, helped Teheran choose which tankers to target and where. No tankers have been targeted in significant covert attacks since the June 20 cyberoperation, although Teheran did seize a British tanker in retaliation for the detention of one of its own vessels.


Though the effects of the June 20 cyberoperation were always designed to be temporary, they have lasted longer than expected, and Iran is still trying to repair critical communications systems and has not recovered the data lost in the attack, officials said.

Cyberweapons, unlike a conventional weapon, can be used only a few times or sometimes even once. Targets can find the vulnerability used to get access to their networks, then engineer a patch to block that opening.

"Iran is a sophisticated actor. They will look at what happened," said Mr Mark Quantock, a retired major-general who served as the director of intelligence for the US Central Command, which oversees operations related to Iran.

"Russia, China, Iran and even North Korea would all be able to see how they were penetrated," he added.

Cyberstrikes also inevitably cut off access to intelligence that American operatives gained from exploiting that vulnerability, once the adversary discovers and fixes it. Losing even some access to the Iran's Revolutionary Guard, Teheran's paramilitary force that is deeply involved with proxy forces around the Middle East, is a high price to pay, according to some officials.

Military and intelligence agencies always weigh the costs of a cyberoperation and the risks of lost information before a strike, according to former officials. Intelligence officials have long been sceptical of some cyberoperations, worried that the benefits are not worth the costs.

"It can take a long time to obtain access, and that access is burned when you go into the system and delete something," said Dr Gary Brown, a professor at the National Defence University and former legal counsel for Cyber Command. "But on the same token, you cannot just use that as an excuse not to act. You can't just stockpile access and never use it."