With the surprise drone assassination of military commander Qassem Soleimani on January 3, tensions between the United States and Iran escalated to extreme levels in a matter of minutes. Iran raised a red flag of war over the Holy Dome of Jamkaran Mosque and responded with missile attacks on bases in Iraq; in turn, President Trump announced new sanctions on the country. A situation that days ago had appeared capable of boiling over into all-out war seems to have simmered down for the moment, but Iran is also known to act through asymmetric warfare and proxy forces with some level of plausible deniability. Given that, is there an elevated threat of serious Iranian cyber attacks on US targets?
Ongoing Iranian cyber attacks
The recent events are the most dramatic in a long-running series of proxy attacks on the United States in the Middle East, to which the US usually responds with some sort of air strikes. The death of Soleimani was a direct response to the Iran-backed Hezbollah militia attack on the US embassy in Baghdad’s “Green Zone” (which in turn was a response to US airstrikes on Hezbollah installations).
In addition to proxy militias and terrorist organizations, Iran works in the shadows by way of cyber activity. Iranian cyber attacks have been ongoing for some time now, most recently an attack on Microsoft Outlook by state-backed advanced persistent threat group APT33.
Rosa Smothers, Senior VP of Cyber Operations of KnowBe4 and a highly decorated former CIA Technical Intelligence Officer with over a dozen years’ experience including multiple overseas tours, commented:
“We know APTs 33 and 34 are associated with Iranian state sponsored hackers. Every company in the SCADA and ICS space should already be proactive in safeguarding against these (and other) APTs; if we’re doing our jobs right, then admins aren’t in a state of emergency right now over the potential of Iranian implants lying dormant on our networks. It’s also important to keep in mind US CERT’s ongoing bulletins regarding Iranian cybersecurity threats, which consistently warn industry as to their go-to access methods – phishing attacks and password spraying.
“Critical infrastructure must remain vigilant and utilize security solutions such as air gapping, deploying endpoint protections and training employees to spot and report social engineering and potential insider threats.”
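The US CERT bulletins Smothers cites single out password spraying as a go-to access method. The following detector, an added example that is not from the article, KnowBe4 or US CERT, shows the distinguishing signal a defender looks for in authentication logs: one source producing a few failures each across many accounts, as opposed to a brute force hammering one account. The log line format and the IP addresses, usernames and timestamps are constructed for this example.

```python
# Added example (not from the article): flag password-spraying activity in
# authentication logs. Line format is constructed for this example:
# "<ISO timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample: 203.0.113.7 tries five accounts once each (spray),
# 198.51.100.4 hammers one account (brute force), 192.0.2.10 is benign.
SAMPLE_LOG = """\
2020-01-08T09:00:01Z 203.0.113.7 alice LOGIN_FAIL
2020-01-08T09:00:03Z 203.0.113.7 bob LOGIN_FAIL
2020-01-08T09:00:05Z 203.0.113.7 carol LOGIN_FAIL
2020-01-08T09:00:07Z 203.0.113.7 dave LOGIN_FAIL
2020-01-08T09:00:09Z 203.0.113.7 erin LOGIN_FAIL
2020-01-08T09:01:00Z 198.51.100.4 alice LOGIN_FAIL
2020-01-08T09:01:02Z 198.51.100.4 alice LOGIN_FAIL
2020-01-08T09:01:04Z 198.51.100.4 alice LOGIN_FAIL
2020-01-08T09:01:06Z 198.51.100.4 alice LOGIN_FAIL
2020-01-08T09:01:08Z 198.51.100.4 alice LOGIN_FAIL
2020-01-08T09:02:00Z 192.0.2.10 bob LOGIN_OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {src_ip: sorted targeted accounts} for each source whose
    failures within `window` touch >= min_accounts distinct accounts with
    <= max_per_account failures each (spray shape, not brute force)."""
    fails = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "LOGIN_FAIL":
            fails[ip].append((ts, user))
    hits = {}
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):     # slide the window start
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_per_account):
                hits[ip] = sorted(per_user)
                break
    return hits
```

Running `detect_spray(SAMPLE_LOG)` flags only 203.0.113.7; the single-account brute force and the benign login are left alone, so the thresholds can be tuned separately from ordinary lockout rules.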
Iran’s hackers are not as advanced as those of Russia and North Korea, but they are equally persistent. Given their lesser capability, Iranian cyber attacks tend to focus on softer targets – specifically, private companies in the US that contract with or have some connection to the government.
As the Forbes report indicates, the Iranian cyber attacks centrally focus on the oil and gas industry. This economic sector is Iran’s “nuclear option” in that shutting down the Strait of Hormuz for an extended period of time would dramatically spike global oil prices. Iran not only targets companies in the industry, but also job sites and recruitment agencies looking for ways to exploit individual employees.
Of course, Iranian hackers do not limit themselves to the oil and gas industry. Attacks on American infrastructure, banks, universities and lower-level government agencies have been attributed to groups based in Iran in recent years. Attacks from Iran slowed down considerably in 2015 after the nuclear deal was signed, and picked up after the United States withdrew from the deal in 2018.
How much damage could Iran do?
If Iran decided to go all-out with its cyber capabilities, it would likely leverage networks in which it already has a presence.
Erich Kron, Security Awareness Advocate for KnowBe4, said:
“Modern military actions and warfare have transcended from purely kinetic attacks to hybrid cyber and kinetic attacks. It’s reasonable to expect that there will be a response on the cyber side, especially given Iran’s advanced capabilities in the space. There is the possibility they already have access to systems as part of their APT groups and may leverage these at any time with attacks on the public and private sectors.
“We can also expect that non-Iranian attackers will use the emotional tensions around the situation to craft phishing attacks designed to install malware or steal credentials. This is often the case around emotionally charged situations such as this.”
Though Iran has had occasional incursions into the computer systems of local utilities in the US, such as breaking into a dam in New York several years ago, it is very unlikely that the country could impact the electrical grid or cause similar large-scale disruption.
Theoretical Iranian cyber attacks would likely target private companies in industries that it already has strong familiarity with, such as oil and gas, and focus on destroying files rather than stealing data or securing ransom payments.
The current state of affairs
The national security situation is still touchy, but at least in terms of public posturing it would appear the White House and Iran have reached something of a détente. Iran’s Foreign Minister Mohammad Javad Zarif has stated that the country does not plan to escalate with further attacks.
The retaliatory Iran missile strike on the Iraq bases does not appear to have caused any casualties, and may well have been calculated by the country as a face-saving move. President Trump’s threatened response of sanctions would not likely trigger more attacks, as Iran is already heavily sanctioned.
That does not mean that Iran will not engage in asymmetric cyber warfare, however, as it is an area in which it has plausible deniability and opportunity. But some of the panicky news reports invoking the possibility of Iran shutting down the US power grid seem extremely far-fetched at this point.
Statements from the Iranian government characterized the Trump administration as the country’s targets, and not the American people.
Those are just words, of course, but Iranian cyber attacks have focused on Trump before. In October, Microsoft reported that Iranian hackers were targeting thousands of government officials and journalists associated with political campaigns. The New York Times quoted insiders who said that the hacking was focused on Trump’s re-election campaign.
Buzzfeed also reported that a coordinated effort from pro-Iran activists on Instagram focused on tagging Trump family members in thousands of messages of revenge in recent days.
Given all of this, upcoming Iranian hacks might focus on interference with the Trump re-election campaign as Russian hackers did for the opposite side in 2016.