Red Sea Crisis and the Risk of Cyber Fallout

By Stan Vitek, Resident Geopolitical Analyst, Cyfirma

Introduction

As Israel’s military campaign in Gaza continues, the United States as a political sponsor of Israel is contending with regional provocations by several members of the Iranian-aligned “axis of resistance.” These are inevitably gonna involve US forces, Israel and their allies. A wave of Houthi missile attacks has spooked shipping companies and energy markets as latent Iranian cyber threat looms beyond. Tehran has warned of further attacks beyond the reach of its kinetic means, which likely implies a threat of cyber attacks on critical infrastructure and logistical hubs on global shipping routes. Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks, data and critical infrastructure. Iran’s opportunistic approach to cyber attacks makes critical infrastructure and logistical hubs operators susceptible to being targeted.

Major shipping companies such as Hapag-Lloyd, Evergreen Line, Maersk or MSC are avoiding the Red Sea with some of their ships because of attacks by the Houthi terrorist group. They are diverting their vessels to the Cape of Good Hope at the southern tip of Africa, which makes sailing to Europe much more expensive and time consuming. The United States responded by announcing Operation Prosperity Guardian, which aims to protect world trade from the Houthi threat.

The Red Sea Crisis

Backed by Iran, the Houthi rebel group controls vast swaths of northern Yemen, following a yearslong effort to gain power that ultimately plunged the country into a devastating civil war in 2014. After years of fighting between the Iran-armed Houthis and a Saudi-led coalition, at least 377,000 people had been killed by the end of 2021, 70 percent of whom were children younger than 5, according to U.N. estimates.

Experts say the Houthis’ Red Sea attacks are part of a bid to shore up domestic support and strengthen the group’s regional standing, while the Houthis’ popularity has only grown since they began waging these attacks. As part of Iran’s “Axis of Resistance,” the Houthis have vowed to attack ships transiting the Red Sea until Israel ends its bombardment of Gaza. By attacking ships heading toward Israel, Iran, through its Houthi proxies, is essentially doing what Washington and the West does with economic sanctions – imposing secondary financial costs on some policy actions by Israel, the US and their allies.

New freight charges reflecting the crisis in the Red Sea have already been announced by all the major shipping companies. CMA CGM, Hapag-Lloyd and Maersk are all set to raise prices on many of the world’s busiest trade routes. “The dynamic situation in the Red Sea and the necessary operational adjustments are causing disruption across the network, which will impact shipping schedules and supply,” Hapag-Lloyd reported last week. In a published statement, it additionally introduced an “Emergency Revenue Charge” for Red Sea freight, which should cover the additional costs of heightened security and naval insurance. This measure will increase the price of a regular 20-foot container by $1,000 on the route from the Mediterranean and by $1,500 on the route from the Gulf of Aden. Similar steps have been taken by other major freight companies. If higher shipping costs are reflected in the price of the consumer goods transported, the geopolitical crisis in the Red Sea will be felt by end customers in Europe, Aisa and further across the globe.

30% of the world’s container traffic flows through the narrow waterway between the Arabian Peninsula and Africa, while ships in general account for more than 80% of world trade, which flows mainly through chokepoints like Suez, strait of Malacca, Taiwan strait or the Panama canal. The Houthi attacks therefore are not only attacking individual vessels, but the entire international community and global economic prosperity. The United States and their allies have a significant interest in maintaining the security of the Red Sea, not only because of defence commitments to Israel and US allies in the Persian Gulf like Saudi Arabia, but also to guarantee freedom of navigation and to protect free maritime trade, which serves as the bedrock of the global GDP rise since the Second World War.

On January 4th, U.S. Navy’s 5th Fleet stated that Houthis launched a naval-surface suicide drone into a commercial shipping lane in the Red Sea today, in the first attack of its kind by the Houthis who usually use aerial drones and missiles; the drone reportedly exploded off the coast of Yemen not causing any damage in what is believed to be 25th attempted attack on shipping vessels in the region since October 7th.

Furthermore, there have now been more than 100 attacks against U.S. and allied forces based in Iraq and Syria since mid-October, and repeated attacks by the Houthis based in Yemen. According to US defense officials, more than 100 drones and missiles have been fired in recent weeks against vessels, in addition to targeting Israel and flying through Saudi territory. In response, Washington announced the establishment of a multinational naval task force, dubbed Operation Prosperity Guardian, to support freedom of navigation in key Red Sea waterways. The operation is set to include Bahrain, Canada, France, Greece, Italy, the Netherlands, Norway, Seychelles, Spain, and the United Kingdom, U.S. officials said, although details are still murky and there remains ongoing confusion about what it will look like. Italy, for example, has said it is sending a frigate to the Red Sea under its long-standing plans – not as part of Operation Prosperity Guardian. Several other countries also agreed to take part in the task force but preferred to remain anonymous or not join the American command structure – for example Arab countries depend on freedom of navigation but don’t want to be seen as defending Israel just now, since the Houthis are linking their attacks to Israeli war on Hamas in the Gaza strip.

America’s broad approach has so far been primarily reactive in nature and limited in scope, though media reports suggest at least some debate within the U.S. President Biden’s administration over a more robust response. Those calls will likely increase in the event of a major incident like successful targeting of U.S. flagged allied warships or deadly attacks on coalition troops in the region or potentially even a large-scale cyber attack. There is a continuous risk of serious escalation and Iran possess the tools to disrupt critical infrastructure in Saudi Arabia not only by drones and rockets, as already demonstrated in the 2019 Abqaiq–Khurais attack, but also by means of cyber warfare, as demonstrated by the largescale hack of Saudi Aramco in 2012. The Saudi Aramco incident signaled Iran’s growing cyber capabilities and Tehran’s willingness to use them to promote its interests, particularly in its battle of influence in the Middle East with Saudi Arabia. At the time, some countries had the capability to remotely destroy computer data, but there were few publicly known instances of a country using them. But nowadays, Iran is among world leaders in terms of using cyber warfare as a tool of statecraft. While Iran is not likely to escalate itself in the Gulf and be seen as the party that breached the China-brokered peace deal with Saudi Arabia, the pressure from China is not inhibiting Iranian actions against the West, Israel or the anti-Houthi naval coalition. And while Hezbollah is not going to act without permission from Tehran, the Houthis and other groups in the region can act against the same targets on their own.

The Cyber Perspective

While Iran uses its proxy forces for the grand majority of attacks on its rivals, the partial deniability provided by cyber warfare leaves Iran’s own tools on the table, even as Iran hesitates to confront its rivals openly by kinetic means. Iranian hackers have been repeatedly successful in gaining access to emails from an array of targets, including government staff members in the Middle East and the US, militaries, telecommunications companies or critical infrastructure operators. The malware used to infiltrate the computers is increasingly more sophisticated and is often able to map out the networks the hackers had broken into, providing Iran with a blueprint of the underlying cyberinfrastructure that could prove helpful for planning and executing future attacks.

During the last 5 years, from the 12 biggest publicly known cyber attacks on Saudi Arabia, Iran was responsible for 8 of them. In these attacks, Iranian APTs like MuddyWater, Cotton Sandstorm or Static Kitten have been focusing on traditional espionage targets like governmental organizations (in case of Saudi Arabia Ministry of Defense for example), telecommunication or aviation but also the oil industry, transportation and critical infrastructure. Iran has been rapidly accelerating cyberattacks since mid-2022. Moreover, Iran is now supplementing its traditional cyberattacks with a new playbook, leveraging cyber-enabled influence operations (IO) to achieve its geopolitical aims. Supreme National Security Council (SNSC) Secretary Rear Admiral Ali Akbar Ahmadian has called for greater cyber security cooperation among BRICS countries during a Friends of BRICS National Security Advisors meeting in Johannesburg, South Africa last summer. Iran is likely trying to tap into Chinese and Russian expertise in “soft war”, which is an Iranian doctrinal term that refers to the use of nonmilitary means, such as economic and psychological pressure and information operations, to erode regime legitimacy, cultivate domestic opposition, and propagate Western values in Iran. While – like Russia – Iran expresses the belief “soft war” is a tool mostly used by the West, its own actions in cyberspace and other fronts testify to the fact that Iran is increasingly using “soft war” as its very own tool of statecraft.

Iran’s minister of defense, Brig. Gen. Mohammad Reza Ashtiani, confirmed as much in a speech to his country’s defense officials last year, in which he outlined that given the current complex security situation in the Middle East, Iran had to redefine its national defenses beyond its geographic borders. According to Mrs. Ashtiani, that means utilizing new warfare strategies – including the use of space, cyberspace and other ways.

Iran’s showing fast evolving capabilities as it has narrowed the gap with other powers opposing the West like Russia and China. Iranian hackers used the relieving of pressure provided by the nuclear deal and focused their energy on regional targets like Saudi Arabia, where they have consistently been trying to embed themselves in critical networks in order to prepare vectors of attack should the regime command the ‎IRGC and the Ministry of Intelligence to do so.

Iran has also seemingly concluded that the Houthis’ experiment in the Red Sea has been so successful that it bears repeating in the Mediterranean and in other waterways. “They shall soon await the closure of the Mediterranean Sea, [the Strait of] Gibraltar and other waterways,” Brig. Gen. Mohammad Reza Naqdi, the coordinating commander of Iran’s Islamic Revolutionary Guard Corps, told Iranian media on Dec. 23, apparently referring to the international community. Since Iran does not possess kinetic strike capability to target targets that far, we can assume he’s referring to Iran’s cyber capabilities and the regime’s apparent willingness to use them should Tehran feel threatened, which can easily happen in a tense situation like the one that exists in the region nowadays.

Iran’s growing expertise and willingness to conduct aggressive cyber operations make it a major threat to the security of U.S. and allied networks, data and critical infrastructure. Iran’s opportunistic approach to cyber attacks makes critical infrastructure and logistical hubs operators susceptible to being targeted. In December IRGC-Affiliated hackers were able to exploit PLCs in multiple sectors, including U.S. water and wastewater systems facilities. Since Iran often uses cyber as a pillar of deterrence, this cyber attack may have been a warning of possible retaliation by cyber means, should Iran’s enemies overstep boundaries laid by the regime. The logistics industry, being a critical part of infrastructure, confronts substantial risks from advanced threat actors from Iran and beyond. Data we have recently published on the industry reveals a consistent pattern of attacks, with a clear emphasis on developed economies and major global logistics hubs. Although true that the detection of APT campaigns has declined, a correlation between the current geopolitical landscape and the most targeted countries remains evident. Any further escalation in the Red Sea thus threatens to bring a large-scale cyber attack with it, with logistical hubs and other critical infrastructure being the most threatened sectors. Moreover, countries participating in the Operation Prosperity Guardian are more likely to be targeted in cyberspace than others.

About the Author

Stan Vitek is a Resident International Relations Analyst at Cyfirma, working for technology companies in Southeast Asia and the US since graduation from International Security Studies at Charles University in Prague in 2019. He focuses on international relations and security issues, especially on those revolving around West-East axis.

Stan can be reached online at ([email protected], https://twitter.com/FogOfWarCZ ) and at the company website https://www.cyfirma.com