A
Hello, everyone, this is Tommy Wren. I'm here with Grok for another Between Two Nerds. G'day, Grok, how are you?
B
G'day, Tom. Fine, and yourself?
A
I'm well. This edition of Between Two Nerds is brought to you by Airlock Digital. They're making allow listing cool again. So this week we thought we'd talk about what's going on in the war in Iran from a cyber perspective. There's, I guess you describe it as initially a slow start. There didn't seem to be a lot of, like in the first couple of days, a lot of very directly related news. Then there was the attack on Stryker, the medical device manufacturer. We spoke about it a little while ago. That seems like it was a pretty successful attack on a significant company, but there hasn't been another one since. So most recently there was a report that Iran had been using basically cyber espionage for battle damage assessment. So we've talked about this in the context of Russia and Ukraine and the war there.
B
Just to push back a little bit because you said there was nothing in the first few days and I would say that actually the amount of information coming out from the US on the sort of cyber attacks that they were doing.
A
Right.
B
Was quite big. Right. Like this is. It was a very US level thing of like, the generals immediately went and called up all the reporters and said, I can't talk about it, but here's what happened.
A
That's right.
B
And they went really heavily on, sort of like they leaned quite heavily on like how much they were doing, like how important cyber was and what a big role it played and how.
A
Yeah, you're right. I had totally forgotten. So one story was, if I remember rightly, that I think it was Israel had compromised, it sounded like from the Financial Times report, all the traffic cameras in Tehran. And they had used that as part of their planning. And then I think the US said that they had, what was it, blinded and removed the eyes and ease.
B
So, yeah, so the Americans. Here's General Dan Caine, he's the Chairman of the Joint Chiefs of Staff, who has said that they used cyber attacks before the airstrikes to disrupting and degrading and blinding Iran's ability to see, communicate and respond. So that's sort of very much the American doctrine of how you use cyber. It's a tool that enables the military to interfere with the adversary's ability to. To use information technology.
A
Yeah. Part of the FT story was also that they somehow disabled a base station, a mobile phone base station near the Supreme Leader's residence or compound to. To prevent warning getting there before the place was bombed. Yeah, I guess in, in my defence, I had meant Iranian responses, but yeah, that's a good background.
B
Yeah. Now, having said what the Americans are doing and sort of the way that they understand the use of cyber during military operations, it's interesting to see that Iran seems to be following the Russian model and they're following it right off the bat. Right. So, as you mentioned, we've talked about this a lot about how the Russians have figured out that the best way to replace limited spy satellite capability and just general lack of information gathering is to use cyber. And they use it by going after the sort of the local municipalities. So they try and get the governor's office or the mayor or whomever, because all of the emergency services that actually respond to the drone strikes or the missile strikes, that information gets aggregated and reported to the administrators who then aggregate it and report it up all the way up the chain. And at these smaller municipalities, there's much less security and awareness than at the state level. Plus it's a lot more accurate. And so what's very interesting to me is that Iran started doing that immediately. They opened not just with the strikes, but with this type of BDA. And we were talking about this earlier, like, it's absolutely obvious in that you would figure this out, but it's not obvious. You would start with it.
A
Yeah, yeah. And I think it's the sort of thing, I was thinking of the SIGINT cycle, which is you collect. Well, it's a cycle you can start anywhere, but you collect, you analyze, you figure out if you've got the right information or if you need to redirect and then you collect again and so on. It's kind of like the OODA loop, which is. What is it?
B
Orient, observe, orient, decide, act.
A
Yep. So similar to that, just a bit more intelligence specific. And so I, I don't think. And I think you wouldn't start at provincial or local level emergency management, like,
B
because you wouldn't start at the right place unless you're incredibly lucky. Yeah, yeah, yeah.
A
And I think unless you're really well informed about the government structures of another country.
B
Yeah. You wouldn't even necessarily.
A
What is that organization?
B
Right.
A
Like, what are their names, what are their web assets or Internet assets? And what are their vulnerabilities?
B
How do I phish the particular people there? Who are the people there? Right. What are they? Like, what systems do they use? There's a lot of reconnaissance that has to be done first and the fact that they're doing this so quickly. So to me, because we've already been told that the Russians were supplying targeting information and intelligence to the Iranians, it feels very much like they were supplying this sort of tradecraft.
A
Yeah, that makes sense to me.
B
Yeah. This is literally what the Russians do is they use Shaheds and then they use attacks against municipalities to see what they hit and you know, when the work crews are going out so that they can try and make their lives more difficult. That's very much the sort of thing that it's like, you know, look, I, I can't actually help you with anything physical and concrete, but here's a great idea for, you know, how you can help yourself.
A
Yeah. Here's an SOP, standard operating procedure. It also makes sense to me in the prior to the war starting, Iranian cyber peoples would have had different tasking and.
B
Right.
A
Like the whole point of this war is that it was a surprise attack. So I don't think they were spinning
B
up pre positioned necessarily. Right.
A
Yeah. For, for what happens after the surprise that we are not expecting. And so I, I, I think you're right. It makes sense to me that it's so quickly getting to the organizations they can do battle damage assessment is, is a sign of intelligence sharing.
B
Yeah. So I thought that was very interesting and I, I wonder if this is now sort of, will this become part of, I don't know if you'd want to say like second tier, but basically like if you're not the US and you don't have US military cyber capabilities, this is actually achievable by anyone. I mean like if you can, if you can launch a Shahed, you can absolutely support a cyber team that can break into the provincial administration.
A
I mean I was thinking even for the US they've got tremendous ISR assets. What is it? Intelligence surveillance reconnaissance assets, like physical assets that fly around.
B
Yeah, but you're not going to get better than the guy who was on the ground who had to.
A
No, no, no. In denied areas. I think that that is, will give you a really good picture. But there's also other things that cyber espionage would give you on top of that. So even for a top tier espionage intelligence powerhouse there's additional stuff and once you take away that all that top tier, you know, billions of dollars of equipment. Yeah, I think you're right that the, the sort of tier 2 is it even tier 2? Probably tier 3 militaries by that point.
B
Exactly. Yeah, that's, that's more accurate I guess.
A
But they'll always have cyber, I guess.
B
Yeah. I think that this is going to be adopted by everyone because it just makes sense. Like if the US isn't doing it currently, they will be doing it shortly. They'll have to invent it themselves, of course. Like it's the sort of thing that cyber is very good at. Like it's something that you can't get anywhere else, which is the actual reports from on the ground.
A
Right, so the traffic camera type, stuff like that.
B
Exactly.
A
Right, yeah.
B
Or you know, even, you know, taking out the base station to prevent, you know, alert phone calls going through. That's the sort of thing that you can only do with cyber because any other attack would itself be an alert. Like any kinetic thing would be alert.
A
So you couldn't blow it up because.
B
Right. Literally defeat the purpose. But, you know, here's the sort of thing that I think is like, here's why I don't like these effects operations as they tend to get described. You know, like let's go after the electrical grid or the desalination plants or the whatever. Those are things that are sort of like they're pseudokinetic, like they're mimicking a kinetic capability. And during a war there's no reason to do that. If you have the kinetic capability. Like it's, you can blow it up and it's better.
A
Yeah, yeah. So this is an interesting thing in like there's, we're looking at a couple of different reports and one of them says, and it's from the head of Israel's national cyber authority, so his name is Yossi Karadi. He says a lot of Israeli organizations and companies have been wiped, 50 of them, which I thought was like a, like that's a big number. But what was interesting is that there's no mention of a single attack on critical infrastructure, nothing disruptive. And I thought, I was frankly a bit surprised. And so I cannot believe that they're not capable of doing it somewhere.
B
Right.
A
Yeah, yeah, that's right. In the Gulf is big enough countries,
B
you've got like whatever, nine different countries that you can target.
A
Yep.
B
And you're telling me that there's not one single like desalination plant or electrical grid or sewage facility or water treatment, not one of them that they can hack. That's like, that's impossible.
A
And I think also the, the, you know, the war is a high interest environment. The media or high interest event. The media environment is such that even the most minor cyber attack on a
B
critical, even one that was stopped. Right?
A
Yeah, yeah. And like you Know, oh, they changed the screen to say Iran rocks. That would be, yeah, like that would be big news. I, I, I think we would have heard about it.
B
Yes. I mean, I, I think that if it wasn't reported by the country itself, the Iranians would have a lot of incentive to release it on their own. Right.
A
Like, yeah, so this is curious to me because I thought, I thought they would do those sorts of things now. Yeah, now it's appears like they're avoiding them, like actively avoiding doing that sort of thing.
B
Right.
A
Which I think is super interesting.
B
That might be an escalation risk. But see, I'm gonna say like there's a little bit of a twist here. So like the idea of like whether cyber is escalatory or non escalatory, it's, it was a very big discussion point in the international relations academic circles for a long time, which I think is like, I think it's a dumb discussion because it's a political decision whether you escalate or not. And it's got nothing to do with what happened. Right. Like you can decide, you press the
A
keyboard to do it.
B
Right. Like you can, you can escalate or not escalate of whatever you like, you know.
A
Yes. Yeah. I mean I think that's a perfect description of this war in that it seems to be driven by what particularly the US feels or like, so, you know, there's a whole string of threats and withdrawals of threats from President Trump. And so I, this makes me think that we're not seeing those critical infrastructure attacks, attacks that, that does have a deterrent effect and that you don't want to. I mean, the only thing worse than blowing up all the critical infrastructure in the Gulf on purpose is to do it by accident. Yeah. Like the first would be terrible, but the, the second would be even worse,
B
would be a tragedy. Yeah, yeah. So it's a little bit like, you know, how North Korea cultivated the image of like the crazy dictator who was going to like they could do anything as a negotiating tactic and I think the US has one-upped them in just doing it much better. And I think you, I think you're absolutely right and I think it, it just to lay out exactly what you're suggesting is that if Iran hits, say the Bahrain electrical grid for a 30 minute blackout, that would get huge coverage, probably even on Fox News. As you know, Iranian cyber attacks destroy the grid. And the theory would then be that Trump would not want to be one-upped in this case or he would feel that it needed to be responded to in some way. And so he would order attacks against Iranian electrical facilities and he wouldn't do it with cyber, he would go kinetic. So yeah, that would be, it'd be very rational to make sure that your responses are either things that the US can't do anything about, like the Strait of Hormuz, or are 1 to 1 tit for tat.
A
Yep. Right.
B
So if the US the US hits something, then you hit a similar thing in one of their Gulf allies. That would be escalation management.
A
Yeah, yeah. So there was the, I think an Iranian desalination plant was hit.
B
Right.
A
Some, it was Bahrain. There was a, I guess you would call it a counter strike. Right.
B
So like, to be fair, the desalination plant was on an island that has like 200 people. So I'm not suggesting it was an accident so much as like, it's not quite the same as taking out like the desalination plants that support, you know, Riyadh or Qatar or Dubai or anything.
A
But I guess the point is that they responded with a missile rather than a cyber disruption.
B
Right. And that makes complete sense because you're trying to do an actual destruction attack and turning things off for 24 hours. I mean, it's not great. You wouldn't want that to happen. You wouldn't choose that if you had a choice. But if you had to choose between a bomb and a cyber attack, you would rather be hit with a cyber attack.
A
Yeah. So there's another article I'm looking at from the Financial Times and one of the things that someone says is that Iran's more threatening groups have been quieter. Top operatives have been methodically searching for vulnerabilities and let's say, scouting for entry points and positioning themselves in target networks. So this is from Alexander Leslie of Recorded Future. I don't know that person. It's not clear whether that's just random targets. Critical infrastructure. It's sort of. My reading was that it could be we're pre positioning in critical infrastructure. If the worst comes to the worst, then we will do that as well. I don't know. That kind of makes sense from a. Well, we may as well do it. But it doesn't really, I think, make any difference.
B
I mean like, let's say you're at the planning meeting. What do we do if there's a surprise attack by the Israelis and Americans and we have to respond? And the cyber guys are like, oh, oh, I've got an idea. And everyone else is like, yeah, anyway, so what should we do? Guys, like, serious ideas only, you know, and they'd come out and they'd be like, you know, let's we'll do tit for tat retaliations with missiles and Shaheds and blah, blah, blah. And at some point the cyber guys are like, hey, should we like pre position on the electrical grid? And you know, the response was like, yeah, sure, whatever. You know, you do what you like, entertain yourselves. You, why don't you guys go away and come up with a plan and you can report back to us later.
A
I mean, I think the other hypothesis is that doing BDA for drone attacks is actually more valuable than
B
exactly like that's actually useful. Right. Even. Even doing ISR for future attacks. So if you do get onto an electrical station or a desalination plant, you're much better off using that access to find out where everything is, what the most vulnerable parts are, right?
A
Yep.
B
Things like, if this valve goes, it takes us three years to get a replacement part because the company's gone out of business. So we'd have to like forge a new one from scratch or whatever, you know, like that's the sort of thing that you want to know because it's like hitting. This is very, like very expensive. For example, right? When they were training SOE operatives to blow up locomotives in France, what you're supposed to do is the pistons that drive the wheels, you blow those up because even a small hole makes the entire piston useless. Whereas if you blow up, like if you blow a hole in the, like the big ass steam engine part in the front, you can patch that in a couple of hours, which is like a welding torch and a piece of metal. The pistons are like precision made things and they're very hard to get because they're not. So if you blow that up, the train is out for two weeks, whereas if you blow a hole anywhere else, it's out for a couple of hours. Right. So I'm sure that's the sort of information that you'd want to know when you're targeting an electrical plant. Because you won't necessarily know, like if we blow this thing up, how bad is it? And someone could say, oh yeah, like we have a billion of those in storage, you know, it'll take two days to replace. Whereas if you hit this thing, you know, there's only three of them in the country and there's no backups and it will take months to get a new piece, you know, and so you'd want to know where those are. What's like that information is actually valuable and useful Whereas turning the lights off is not. If I was in charge of the cyber teams, I would absolutely put forward, like, would this sort of information be useful to you as opposed to, you know, we can do something like that, only it's much worse and it lasts a very short time and it's very expensive and takes months of preparation and it might not work. Yeah, it's pretty much one to one.
A
The report, this is from the Israel National News, which is the one talking to the head of Israel's national Cyber authority. So that was. Karadi explained that the attackers are not only focused on causing immediate damage because they had wiped out like 50 Israeli companies, but are also heavily engaged in intelligence gathering. The primary targets include engineering firms and civilian infrastructure.
B
Yeah, so engineering firms would be how you'd get. If you're going to be doing missile and drone attacks, you want to know how things are put together. I mean, that's my. Yep, that would be my read. Right.
A
And now here's an interesting one. He specifically mentioned an Iranian cyber attack that took over digital signs that Israel radio railway stations displaying panic inducing messages such as the subway is not safe right now. Ah.
B
What does that remind me of? I feel like some sort of sparrow of a predatory nature. Was that. It was a thing.
A
Yeah, that's the first thing I thought too. So, yeah, the, the backstory there is that is, well, very likely Israeli group Sparrow. Like they went, I think a step further. Right. And disrupted the train.
B
They disrupted the train. And then the message that they put up was like, the trains are not coming. If you have any issues, call. And then they gave the office of the. They gave the phone number for like the Ayatollah's personal office or something.
A
Yeah.
B
Which is very teenager in a way.
A
Yeah. So that's a callback. It felt like to me that that was a callback.
B
Right. So I mean, one of the things that it mentions here in the FT article was that the Israelis hijacked an Iranian prayer app to send out notifications that were sort of targeted at regime members to try and encourage them to defect and do a coup. Saying like, this is the only way to save your life. It seems similar in that using cyber, if you gain access to something that lets you message a million people, you could wipe it out and make them rebuild that thing for a day or two. Or you could also send a message to millions of people. The value of cyber here seems probably a little bit more leveraged towards intelligence and information operations and effects.
A
Yeah. I mean, in this particular case, it's about I guess it's changing the will of the people. Right. So it's hard to imagine you can do that by wiping the digital train signs at the train station.
B
Right.
A
We're sending a message like, you know, incremental. But I guess it's many incremental steps might make a difference.
B
Right. That's the thing that's interesting about the cyber so far is that we're not seeing, we are not seeing effect attacks against infrastructure, but we are seeing intelligence collection attacks against infrastructure.
A
I mean, he did say there were 50 companies that had been wiped.
B
Right.
A
But doesn't he say that any of those are critical infrastructure, though?
B
They also say that like during the, the 12 day war, like the previous thing, they recorded more than 50 offensive cyber attacks carried out by 20 different offensive groups involving hundreds of hackers. Those like, those numbers don't add up to me very well. Like they, they sort of do if you're assuming like really serious things. But then like, I don't know how, how do they class 50 offensive? Like, it seems like this would be actual breaches. Right. Because you can, you can. But then like, why would they restrict it to just that time? Like, why would you ever stop?
A
Right. I mean, he does say, like right at the end, he stressed that even if the kinetic war with Iran and Hezbollah ends, there will be no ceasefire in cyberspace. We have seen this before on the day after the ceasefire of Operation Rising Lion, which was the 12 Day War, was it June last year? The number of cyber attacks on Israel doubled. We must be prepared for that time as well. So I think from the perspective, and anyone who's thinking of cyber war like, that they don't end at the same time, I think is kind of telling you that they're different things.
B
Yeah, no, very much in that if you're Iran, it makes sense that when you stop getting bombed, you will stop bombing everyone else. Right. Because you don't want to be bombed. Right. But there's no reason to stop hacking. I mean, there's probably plenty of incentives to increase your hacking because it's one of the few ways that you can continue to retaliate or to try to cause pain that is not escalatory in the same way as blowing something out.
A
Right? Yeah. So I guess that's the best case for a resolution is that less bombs, but more cyber attacks. Make cyber, not war. Thanks, Grok.
B
Thanks, Tom.
Hosts: Tommy Wren & Grok
Date: April 6, 2026
In this episode, Tommy Wren and Grok dive into the evolving cyber dimension of the recent war involving Iran, the US, Israel, and Gulf States. The discussion focuses on how cyber tactics are being leveraged for intelligence, disruption, and escalation management, with parallels drawn to prior Russian strategies in Ukraine. The hosts analyze reported events, operational doctrines, and the calculated restraint or use of cyber capabilities against critical infrastructure. The episode explores whether "cyber war" is overtaking traditional kinetic options and what this means for the future of international conflict.
Even after kinetic hostilities end, cyber operations continue—and may even intensify.
Quote:
“Even if the kinetic war with Iran and Hezbollah ends, there will be no ceasefire in cyberspace. … The number of cyber attacks on Israel doubled.”
—Tommy, quoting Israel’s National Cyber Authority (24:45)
Further, Tommy and Grok agree: “If you had to choose between a bomb and a cyber attack, you would rather be hit with a cyber attack.” (16:35)
This episode of Between Two Nerds presents a nuanced view: In modern conflict, cyber operations serve as both an intelligence multiplier and a tool for managing escalation, often preferred—or at least contained—over disruptive kinetic actions. The future of warfare will likely see cyber persist as a parallel, sometimes primary, domain of contest even as bombs stop falling. As Tommy sums up: “Less bombs, but more cyber attacks—make cyber, not war.”