Iran-based hackers, almost certainly working on behalf of Iran's government, have infiltrated and taken control of a number of commercial computer systems around the world, according to a new report by the cybersecurity firm Cylance. The findings in the report, which the New York Times says it was able to independently verify, include one very scary category of targets: airport security infrastructure, including the ability to access and control airport security gates.
State-backed hackers in Iran (as well as China and North Korea, among others) have been targeting foreign companies for years, typically committing acts of industrial espionage, stealing technological or corporate secrets. In other words, it's often done for money. But the decision to target airport security systems raises the prospect that Iran, which has backed international acts of terrorism in the past, might use this access to do so again.
The report identifies three countries where airports were targeted: Saudi Arabia, Pakistan, and South Korea. Saudi Arabia is perhaps Iran's greatest regional rival, and the two countries have been embroiled in proxy conflicts for years. But Iran has a generally friendly relationship with Pakistan and no obvious conflicts with South Korea.
The Iran-based hackers so embedded themselves within airport systems that they were able to remotely control security systems, including gate controls, according to the report, potentially giving them the ability to allow someone to clandestinely enter secure areas such as tarmacs. It's not clear what Iran would want to do with this capability, or if it planned to use it at all, but the power to access civilian airports freely is clearly one with the potential to cause significant harm.
Here is an excerpt from the report:
Perhaps the most bone-chilling evidence we collected in this campaign was the targeting and compromise of transportation networks and systems such as airlines and airports in South Korea, Saudi Arabia and Pakistan. The level of access seemed ubiquitous: Active Directory domains were fully compromised, along with entire Cisco Edge switches, routers, and internal networking infrastructure. Fully compromised VPN credentials meant their entire remote access infrastructure and supply chain was under the control of the [Iranian] team, allowing permanent persistence under compromised credentials. They achieved complete access to airport gates and their security control systems, potentially allowing them to spoof gate credentials.
The report also states that the hackers infiltrated airlines — but not airports themselves — in Qatar, the United Arab Emirates, and the United States. It also describes hacks against energy companies, a university, and an unnamed US military contractor.
US defense officials have long warned that hostile nations or actors could use cyberattacks on physical infrastructure to cause real-world damage. While these warnings have often been hyperbolic and overstated — reporters have learned to roll their eyes at officials' warnings of a "cyber 9/11" — this report is a reminder that the threat is not entirely made-up.