After the Stuxnet digital weapon was discovered on machines in Iran in 2010, many security researchers warned that US adversaries would learn from this and other US attacks and develop similar techniques to target America and its allies.

A newly published document leaked by Edward Snowden indicates that the NSA feared the same thing and that Iran may already be doing exactly this. The NSA document from April 2013, published today by The Intercept, shows the US intelligence community is worried that Iran has learned from attacks like Stuxnet, Flame and Duqu—all of which were created by the same teams—in order to improve its own capabilities.

The document suggests that such attacks don't just invite counterattacks but also school adversaries on new techniques and tools to use in their counterattacks, allowing them to increase the sophistication of these assaults. Iran, the document states, "has demonstrated a clear ability to learn from the capabilities and actions of others."

The document, which was prepared for a meeting between the NSA director and the British spy agency Government Communications Headquarters, doesn't mention the Stuxnet attack by name, but instead refers to "Western attacks against Iran's nuclear sector." Stuxnet targeted machines controlling centrifuges in Iran that were being used to enrich uranium for Iran's program.

In addition to attacks against Iran's nuclear sector, however, the document also states that Iran learned from a different attack that struck its oil industry. The report says Iran then replicated the techniques of that attack in a subsequent attack called Shamoon that targeted Saudi Arabia's oil conglomerate, Saudi Aramco.

“Iran’s destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary,” the NSA document states. “Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others.”

How Wiper Inspired Copycat Attacks

The latter statement in the document is referring to the so-called Wiper attack, an aggressive and destructive piece of malware that targeted machines belonging to the Iranian Oil Ministry and the National Iranian Oil Company in April 2012. Wiper didn't steal data—instead it destroyed it, first wiping content on the machines before systematically erasing system files, causing the systems to crash, and preventing them from rebooting. Wiper was “designed to quickly destroy as many files as effectively as possible, which can include multiple gigabytes at a time," according to researchers at Kaspersky Lab who examined the mirror images of hard drives in Iran that were destroyed by Wiper.

Wiper was the first known data destruction attack of its kind. Although the NSA document doesn't credit the US and its allies for launching the attack, Kaspersky researchers found that it shared some circumstantial hallmarks of the Duqu and Stuxnet attacks, suggesting that Wiper might have been created and unleashed on Iran by the US or Israel.

Many believe it served as inspiration for Shamoon, a subsequent destructive attack that struck computers belonging to Saudi Aramco in August 2012. The document claims Iran was behind Shamoon. The Shamoon malware wiped data from about 30,000 machines before overwriting the Master Boot Record, preventing machines from rebooting. The attack was designed to replace erased data with an image of a burning US American flag, though the malware contained a bug that prevented the flag image from completely unfurling on machines. Instead, only a fragment of the flag appeared. Researchers said at the time that Shamoon was a copycat attack that mimicked Wiper.

Wiper is also believed to have inspired a destructive attack that struck computers belonging to banks and media companies in South Korea in March 2013. That attack wiped the hard drives and Master Boot Record of at least three banks and two media companies simultaneously and reportedly put some ATMs out of operation, preventing South Koreans from withdrawing cash from them. The report does not suggest that Iran was behind this attack.

Wiper is also widely believed to have been inspiration for the recent hack of Sony Pictures Entertainment. Again, in the latter attack, the hackers wiped data from Sony systems and overwrote parts of the Master Boot Record, preventing systems from rebooting.

The US has long blamed the Saudi Aramco attack on Iran, but has blamed the South Korea and Sony hacks on North Korea. Although the NSA document published today cites the Saudi Aramco attack as "the first such attack the NSA has observed from this adversary," researchers have disputed the attribution in this and the hacks against South Korea and Sony. A group calling itself the Cutting Sword of Justice took credit for the Saudi Aramco attack, and researchers from Kaspersky Lab noted that due to the attack's unsophisticated design, the errors contained in it, and statements from the apparent hackers, they believe it more likely came from hacktivists rather than nation-state developers in Iran. Other researchers have found the attribution of the Sony and South Korea attacks circumstantial and flimsy.

Regardless of whether Iran is behind the Shamoon attack, there's no question that it and other nations learn from cyberattacks launched by the US and its allies. Common cybercriminals also study Stuxnet and the like to learn new techniques for evading detection and stealing data.

The NSA document published by The Intercept noted that while there were no indications in 2013 that Iran planned to conduct a destructive attack against a US or UK target similar to Wiper, "we cannot rule out the possibility of such an attack, especially in the face of increased international pressure on the regime."

Of course, a similar attack did strike the US. But instead of hitting the US oil industry or a similarly critical sector, it struck a Hollywood film studio. And instead of coming from Iran, it came this time (according to the White House and FBI) from North Korea. All of which suggests that when the US and Israeli strike their enemies, it isn't just that single adversary who learns from the attack.