The loss of an RQ-4A UAV over the Persian Gulf in June prompted USCYBERCOM to perform its first offensive cyber operations.

US Cyber Command may have used new capabilities to attack Iran’s Integrated Air Defence System, following the shoot down of a UAV in June.

US Cyber Command (USCYBERCOM) was directed by US President Donald Trump to perform cyber attacks after the downing of a US Navy Northrop Grumman RQ-4A Global Hawk Unmanned Aerial Vehicle (UAV) by an Iranian Sayyad-2C/3 long-range/high-altitude surface-to-air missile on 20 June. Reports stated attacks soon after the shoot down and represented the first offensive use of USCYBERCOM since it became a full combatant command in May 2018.

Reports from the British Broadcasting Corporation said that the attacks had disabled computers “controlling rocket and missile launchers” taking them offline for sometime. These computers could have included computers controlling Iran’s overall Integrated Air Defence System (IADS). This may have prevented them from sharing the IADS’ recognised air picture, or relevant track or other tactical information with individual Surface-to-Air Missile (SAM) batteries. Alternatively, the may have been directed against the C2 systems controlling individual SAM batteries, or both.

Although reports stated that the Iranian armed forces had taken strenuous efforts to safeguard their IADS C2 (Command and Control) networks against cyber attack by ‘air gapping’ them to the fullest extent possible, i.e. minimising the number of telecommunication connections they have to the outside world, it will be virtually impossible to have a hermetically sealed IADS. All IADS have apertures which can be exploited for a cyber attack. Pictures of the Sayyad-2C/3 batteries show RF (Radio Frequency) antennas adorning vehicles which may provide communications between launch and command vehicles when the batteries are deployed. These antennas could be exploited to insert a cyber attack into the batteries’ C2 systems. Similarly, disparate IADS C2 facilities may used RF links to communicate with one another alongside buried fibre optic networks. Microwave communications carrying these RF links represent another potential entry point for a cyber attack.

The circumstances of the RQ-4A’s loss may provide a partial clue. Confidential sources close to the US Air Force electronic warfare community have hinted to Armada Analysis that the RQ-4A may have been deliberately flown into, or near, Iranian air space to encourage Iranian air defenders to activate their radars and weapons. Once the attack was underway the RQ-4A may have used its own Raytheon AN/APR-49(V)2 radar warning receiver to record details of the aircraft’s detection and interception. This Electronic Intelligence (ELINT) could have been streamed across the UAV’s satellite communications back to the aircraft’s ground control station thought to be located at Al Dharfra airbase, Qatar. The Iranian government claimed that it could have splashed a second US military aircraft flying nearby which had 35 people on-board which it claimed was a US Navy Boeing P-8A Poseidon maritime patrol aircraft, the presence of the aircraft was later confirmed by the US government. This ELINT may have helped to identify nearby ground-based air surveillance radars which could be exploited to introduce a cyber attack.

The attack itself may have been executed with elements of USCYBERCOM’s new Northrop Grumman Unified Platform offensive and defensive cyber operations system. The Unified Platform programme, which was awarded to Northrop Grumman in October 2018, will initially integrate the disparate cyber warfare capabilities currently owned by the US Army’s Cyber Command, the US Navy’s Fleet Cyber Command, the US Air Force’s 24th Air Force and the US Marine Corps’ Cyberspace Command. Previously, these respective capabilities were reportedly furnished by the US National Security Agency (NSA); the US government organisation responsible for electronic eavesdropping. A doctrinal issue in the fact that the NSA is primarily a ‘listening’, i.e. passive, organisation whereas cyber warfare is inherently active drove the need for the command to possess its own offensive cyber capabilities. Taking cyber operations out of the NSA would also prevent the agency being discovered as the source of a cyber attack.

Sources close to the Unified Platform told the author in late 2018 that the system could reach a prototype stage between 2019 and 2021 capable of offering basic functions to cyber warriors. Given these timelines, it would not be surprising if baseline elements of the Unified Platform either unilaterally, or in combination with existing NSA cyber tools, were employed to execute the cyber attack against Iran’s IADS.

by Dr. Thomas Withington