The U.S. government feared Iran could learn from the sophisticated cyberattacks launched on its nuclear testing program and develop new tactics and strategies based on the attacks coming from its adversaries.
A top-secret National Security Agency document dated April 2013 reveals that the U.S. government expressed concern about Iran's growing cyberattack capabilities, which the country developed by virtue of becoming the target of what is believed to be the first state-sponsored cyberattack in history. The document, revealed by whistleblower Edward Snowden and published by The Intercept, was prepared for a meeting between the NSA and the British Government Communications Headquarters (GCHQ).
"Iran's destructive cyberattack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary," the document says. "Iran, having been a victim of a similar cyberattack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others."
The document is referring to the Wiper attack, a piece of malware that researchers at Kaspersky Lab say can "quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time." Wiper was the first known data destruction malware of its kind and was targeted at the computer networks of the Iranian Oil Ministry and the National Iranian Oil Company.
Shortly after the Wiper attack, a similar destructive attack obliterated the data stored in more than 30,000 computers owned by the oil company Saudi Aramco in 2012. It is widely believed that the Shamoon malware used for the Saudi Aramco attack was inspired by the Wiper malware that first infiltrated Iran's national oil industry. Like Wiper, Shamoon was designed to destroy the data first, then prevent the machines from rebooting. Shamoon showed a fragmented image of a burning American flag.
Shamoon also bears a striking resemblance to other pieces of malware used to launch crippling attacks on other targets, including the attacks that rendered useless the networks of two South Korean media companies and three banks, destroying their ATMs and preventing a reboot, effectively freezing customers' ATM accounts. The malware used to infiltrate Sony Pictures' computer systems is also believed to have been patterned after the Wiper malware that inspired Shamoon.
The NSA document does not mention who is behind the Wiper attack. However, it does say that "SIGINT indicates that these attacks are in retaliation to Western activities against Iran's nuclear sector and that senior officials in the Iranian government are aware of these attacks." SIGINT is an NSA program designed to break encryption schemes used across the world.
These "Western activities" are believed to be the Stuxnet and Duqu attacks unleashed by joint U.S. and Israeli forces to destroy the machines that controlled the centrifuges used to enrich uranium for the Iranian nuclear program. Shortly after Stuxnet wreaked havoc on Iran's nuclear plans in 2010, security researchers raised red flags that Iran could learn from its attackers' activities, a warning that was also sounded within the private halls of the Western intelligence community.
At the time, the NSA said that there was "no indications... that Iran plans to conduct such an attack against a U.S. or U.K. target." However, it "cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime."
Of course, at the time the document was written, the NSA had no knowledge of a similarly destructive attack that would take place in late 2014. However, instead of going after critical infrastructure such as the oil industry, the attack was unleashed on a Hollywood studio. This time, too, it was not Iran that learned from U.S. cyberattacks but purportedly an angry North Korea unhappy with a movie mocking its leader, Kim Jong Un.