Admission Means Weakness and a Lack of Religious Legitimacy
Why Iran will not admit the hacks were internally sourced
We recently wrote a report on the internal hack of air-gapped and other Iranian systems. Let’s take a closer look.
https://treadstone71.com/when-the-threat-actor-and-victim-agree
Exfiltrating 50 terabytes of data from a system in Iran—or any other country—under the limitations described in the report would be a significant challenge. Here are some considerations. With an internal speed of 12 Mbps, downloading 50 TB would take an exceptionally long time, on the order of a year or more. Even ignoring detection mechanisms, the bandwidth constraint alone is a significant barrier. Air-gapped systems are isolated from external networks precisely to prevent remote compromise; crossing the air gap typically requires physical access to the system, which makes covert exfiltration harder still. Given these challenges, a data breach of this size would most plausibly involve one or more of the following scenarios:
Someone with physical access to the air-gapped system would copy data onto physical storage devices. Even this would be challenging given the volume of data requiring multiple trips and many storage devices.
Incrementally moving data to a less secure system over an extended period and then exfiltrating it in bulk or in staged releases could bypass the air gap, but it does not solve the bandwidth problem.
Advanced compression algorithms reduce the volume of data for transfer, but 50 TB is so substantial that compression alone is unlikely to solve the problem.
Malware like Stuxnet has been used to infiltrate air-gapped systems. Such malware could potentially automate the process of data compression and covert exfiltration but would require physical access to the system at some point. Iran mentions nothing of any malware. Malware of this type, such as Stuxnet, leaves traces and cyber weapons in the hands of the adversary.
An insider manipulates local networking equipment, creating a temporary high-speed connection for exfiltration. The connection requires overcoming multiple layers of security, and the likelihood of detection is exceedingly high.
Some advanced techniques involve using malware to manipulate the hardware of an air-gapped system to emit electromagnetic signals for nearby signal capture. However, the data rates for these methods are meager, making them impractical for large volumes of data.
Coercing an insider to facilitate the data exfiltration, although this substantially increases the risk of detection.
Given the described constraints, successfully exfiltrating fifty terabytes of data undetected would be an enormous, if not impossible, challenge. It would likely require long-term effort, a deep understanding of the system's architecture, sophisticated technical skills, and possibly in-depth assistance. Even then, the likelihood of going undetected would be extremely low, given the volume of data and the bandwidth limitations.
If Iran were to face an insider threat leading to the theft of 50 terabytes of data, there are several Iran-specific reasons why the government might choose not to admit this publicly. These include sanctions pressure, exposure of its nuclear program, and diplomatic sensitivity. But the most significant issues concern the insider threat itself and what it shows about continued dissension and unrest. The year since the death of Mahsa Amini, combined with Iran's history of civil unrest and public protests against the government, has added more fuel to domestic opposition and unrest. The Iranian government often positions itself as a strong and competent protector of the Iranian people against both internal and external threats. Admitting to a significant breach undermines this false narrative.
Admitting such a significant data breach would raise immediate questions about the security of other classified and sensitive information. Publicly acknowledging an insider threat at such a scale would be a considerable embarrassment, weakening the government's perceived competence and control. Such an admission could lead to distrust within the organization, affecting morale and potentially causing infighting among factions suspicious of each other while leading to extensive paranoia and internal suspicions. Acknowledging an insider threat necessitates a broad security overhaul, which would be resource-intensive and further expose vulnerabilities in the short term.
The ideological framework within which the Iranian government operates may make it particularly unwilling to admit to failures seen as betraying the revolution or the nation. Iran's Revolutionary Guard Corps (IRGC), a heavily sanctioned, powerful military and political force, plays a significant role in cybersecurity. An admission of this scale further weakens the standing of the IRGC within Iran. Iran has been working hard to develop its cyber capabilities defensively and offensively. Acknowledging such a large-scale internal failure counters the image it is trying to project.
The question of religious legitimacy is core to Iran's theocratic governance structure. In Islamic teachings, trustworthiness (Amanah) is highly valued. A breach facilitated by an insider could be seen as a fundamental breakdown of this principle within the organization, extending to a critique of the government's failure to prevent such betrayals. Another critical principle in Islam is upholding justice (Adl). If the leaked data exposes injustices, the argument against the government's religious legitimacy holds. The internal data breach jeopardizes national security, which frames the regime's sacred duty to protect the community as a failure. The insider hacks exposed corruption within the government, seen as evidence of fitna (sedition), a disorder viewed negatively in Islamic thought. In Shiite Islam, which is predominant in Iran, the concept of "Vilayat-e Faqih" (Guardianship of the Islamic Jurist) underpins the authority of the country's religious leaders. The corruption seen in documents released by Gyamsarnegouni ("Uprising Until Overthrow") demonstrates internal betrayal, prompting questions about the effectiveness and legitimacy of the leadership. Lastly, success and protection are markers of divine favor in many religious contexts. The internal breach of 50 terabytes of data suggests the government lacks this divine favor, calling its religious legitimacy into question.
Given these factors, the cost of admitting to such a large-scale data breach would be exceptionally high for Iran, affecting its cybersecurity posture, geopolitical standing, religious legitimacy, domestic stability, and diplomatic efforts.