The government of Iran vowed “forceful revenge” against the United States after Thursday’s killing of Major Gen. Qassem Soleimani, Iran’s top security and intelligence commander. It’s unclear what form that revenge might take, but cyber security experts are warning that Iran might use its increasingly capable army of hackers to attack US government and private sector targets. Such an operation could cause substantial damage without the use of more traditional military techniques.
“Soleimani was an extremely significant figure, and Iran will likely use any assets at its disposal to retaliate in a way that won’t spark an all-out war,” Jake Williams, a former NSA hacker currently with Rendition Infosec, a company he founded after leaving government work, told Mother Jones. “I would expect to see destructive cyber attacks in at least a few networks where Iranian government hackers already have a presence.”
Williams said that in cases where nations are trying to avoid full-scale military conflict, “cyber attacks definitely level the playing field [and] allow you to create a response that impacts many without (generally) fearing kinetic retaliation.” Williams noted that Iran’s cyber capabilities are still “rudimentary” compared to Russia and China. Still, he said, Iran has hackers who are “building custom backdoors,” theoretically granting them access to sensitive computer systems.
John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye, said in a statement that along with increased Iranian espionage activities targeting government systems, his firm is anticipating “disruptive and destructive cyber attacks against the private sphere.” Iran has carried out this type of activity in the past, but in the wake of the 2015 US-Iran nuclear deal, “Iran has restrained similar activity to the Middle East.” President Donald Trump withdrew the US from that deal and reimposed sanctions on Iran in 2018. And after Thursday’s assassination, Iranian “resolve to target the US private sector could supplant previous restraint,” Hultquist said.
There’s little reason to think that Iran could pull off a truly spectacular attack, such as disabling major electric grids or other big utilities, said Robert M. Lee, an expert in industrial control systems security and the CEO of Dragos. “People should not be worried about large scale attacks and impacts that they can largely think about in movies and books like an electric grid going down.” Instead, Iran might choose targets that are less prominent and less secure. “The average citizen should not be concerned,” he said, “but security teams at [US] companies should be on a heightened sense of awareness.”
In June, Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, warned of a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” adding that Iranian-linked hackers were “increasingly using destructive ‘wiper’ attacks,” in which malware is designed to delete data from a computer. “What might start as an account compromise, where you might just lose data, can quickly become a situation where you’ve lost your whole network.”
Krebs’ June comments came amid spiraling tensions between the two countries after the US blamed Iran for attacks on oil tankers in the Gulf of Oman. Shortly after the tanker attacks, Iran shot down a US drone it said was flying in Iranian airspace. Trump reportedly ordered airstrikes on Iranian targets after the drone incident but called them off at the last minute. Instead, the US government reportedly launched a cyber attack on Iranian computer systems used for planning attacks on the oil tankers. On Friday morning, Krebs tweeted out his June statement, noting that it was once again relevant “given recent developments.”
Under the Trump administration, the US government’s approach to cyber tools has become much more assertive than under the Obama administration, which relied much more on “norms, diplomacy, active law enforcement, and dissuasion and deterrence” to tamp down on nation-to-nation cyber attacks, Jacqueline G. Schneider, a cybersecurity expert at the Naval War College, wrote in May. That said, it was the Obama administration—building off work done under President George W. Bush—that deployed the Stuxnet malware against Iran’s nuclear program, marking a major milestone in the evolution of cyber warfare.
Like many other nations, Iran uses its cyber capabilities to accomplish a variety of goals, ranging from traditional espionage to relatively simple denial of service attacks to more destructive operations. In December 2018, Wired magazine’s Lily Hay Newman explained the history of a particular strain of malware known as Shamoon, which is designed to steal information and then wipe data from the targeted computers. While definitive attribution of cyber attacks can be difficult, over the years researchers have tied the malware to Iran and have seen it used against energy companies.
The first known Shamoon strike was a 2012 attack on Saudi Aramco, which deleted files on a majority of the oil company’s computers, replacing them with images of a burning American flag, the New York Times reported at the time. Also in 2012, Iran employed denial of service attacks against a group of US banks, overloading computer servers with traffic in order to render them inaccessible. In 2014, Iranian hackers attacked computer servers at casinos belonging to Sheldon Adelson’s Sands company. Adelson, a prominent billionaire who is active in right-wing and pro-Israel causes, said in 2013 that the US should threaten to drop a nuclear bomb on Tehran.
Williams said attacks along the lines of Shamoon could happen now—but with one key difference. They would be carried out by hackers whose skills have “progressed significantly in the last several years,” potentially resulting in more damage than before.
Still, Lee said that when it comes to critical infrastructure, Americans shouldn’t panic. “Our infrastructure deserves more protection but is safe and largely resilient,” he said. “We should do more, but fear less.”