Iran's “Revenge” Over Qassem Soleimani Is Likely To Include Cyberattacks

Iran has one of the world’s most active state-sponsored cybersecurity programs. It’s possible that hackers will try to strike critical US infrastructure.

LONDON — The retaliation that Iran promised in the aftermath of a US airstrike that killed the country's most powerful military leader could take the form of massive cyberattacks.

Gen. Qassem Soleimani was killed in an airstrike ordered by US President Donald Trump. Soleimani was behind Iran's Middle East operations as head of the elite Quds Force, and the Pentagon said the targeted strike was meant to deter future attacks by Iran.

Iran has one of the world’s most active state-sponsored cybersecurity programs. According to the US, its hackers have carried out attacks targeting several American financial institutions including the New York Stock Exchange and the NASDAQ since 2011, and even broke into the computer system of a dam north of New York City in 2013.

Security analysts said Iran could strike US private sector targets again, and it is also possible that its hackers could seek to strike US critical infrastructure or that of its allies.

John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye, said he expected to see an uptick in espionage focused on government systems and “disruptive and destructive cyberattacks against the private sphere.”

Iranian hackers have tried to break into US utilities, factories, and oil and gas facilities, Robert M. Lee, the chief executive of industrial control system security firm Dragos, told the Associated Press.

Christopher Krebs, director of the US Cybersecurity and Infrastructure Security Agency (CISA), said on Twitter that people should “pay close attention” to industrial systems.

He linked to a statement from June in which he stated, “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.”

Given recent developments, re-upping our statement from the summer. Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses!

One reason Iran may have focused on building its cyber-capabilities is that its conventional military forces are no match for the US. Cyberattacks are one way for the country to gain an advantage over the US and its allies.

“Iran's military capabilities are not on par with the US. Relying on cyberattacks makes sense for them — that's what they thrive at, asymmetrical warfare,” said Holly Dagres, a nonresident fellow at the Atlantic Council and editor of its IranSource blog.

Iranian hackers have likely also gone after many targets in the Middle East in the past several years, according to cybersecurity experts. In 2012, three-fourths of the corporate computers of state-owned Saudi Aramco — the world’s largest oil company — had their data erased in an attack blamed by US and Saudi officials on Iran. And a blackout in 2015 that left some 40 million people without power in Turkey was blamed on an Iranian hacking group.

Iran has also been the victim of cyberattacks. In an early example, Iran’s nuclear facility at Natanz faced a cyberattack that reportedly set back its enrichment process significantly in 2010. That attack has been widely blamed on the US and Israel, though neither has explicitly claimed responsibility for it. After that, Iran poured resources into building its own cyber-capabilities.

The Trump administration has reversed the course of former president Barack Obama’s Iran policy, pulling back from a nuclear deal with Iran and escalating economic pressure by implementing new sanctions on the country.

Iran had pulled back from such cyberattacks targeting the US financial sector after the Obama administration’s Iran deal but could begin again in retaliation for the Soleimani killing, FireEye’s Hultquist said.

“Given the gravity of the operation last evening we are anticipating an elevated threat from Iranian cyberthreat actors,” he said. “Iran has leveraged wiper malware in destructive attacks on several occasions in recent years.”
