WASHINGTON – The U.S. must brace for Iran to launch bold cyberattacks designed to cause major financial damage or threaten American lives as retaliation for the killing of one of its top generals, cybersecurity experts say.
Security experts say that Iran may be willing to cross dangerous boundaries in cyberspace: For instance, they warn, Iranian hackers could launch attacks that shut down electricity for some Americans, destroy important financial records or disrupt hospital or transportation systems in ways that threaten lives.
“We’re in a more escalated situation than we’ve been in the past, and there are some serious questions about where the red lines are,” John Hultquist, director of intelligence analysis for the cybersecurity company FireEye, told me. “They may not have a problem with people getting hurt at this point.”
Experts are also warning Iran could launch widespread attacks that encrypt U.S. companies’ information and hold it for ransom, or target U.S. government contractors to punish them for working with the Trump White House. Or they might target U.S. allies in the Middle East or U.S. diplomatic targets abroad.
“We’re definitely in new territory,” Robert Lee, founder of the cybersecurity firm Dragos, which protects major industrial systems, and a former National Security Agency official, told me.
Iran has routinely tested the boundaries of what it could get away with in cyberspace, including pummeling U.S. banks after the Obama administration imposed new sanctions in 2012 and hacking control systems at a New York dam in 2013. It also allegedly wiped data from tens of thousands of computers at the Saudi state oil company Aramco in 2012 in one of the most destructive digital attacks ever launched.
But it has always stopped short of launching the most serious attacks on U.S. targets. Experts fear it may soon abandon this restraint since the killing of Quds Force Commander Maj. Gen. Qasem Soleimani – who the Trump administration charged was planning major attacks against U.S. targets.
Still, there are limits to Iran’s capabilities. Lee says Iranian hackers aren’t sophisticated enough to launch an attack that could affect the whole nation; shutting off large portions of the electrical grid is not the true concern here. But they could disrupt electricity on a smaller scale, for instance, by targeting a U.S. city or portions of it. That could succeed by prompting widespread fear about a larger attack and, possibly, draw the U.S. into an even broader conflict by triggering an outsize response.
“It’s really hard to do these attacks, and you shouldn’t expect to see major blackouts across the U.S. as a whole,” Lee said. “My concern is that they’ll get a small win and we’ll overreact.”
Iranian hackers have gained access to U.S. industrial companies’ computer networks in the past, Lee told me, but there’s no public evidence they’ve launched destructive hacks once they’re in there.
Hultquist made a similar point on Twitter:
“Of course these actors will also be conducting cyber espionage on government and military targets now. We saw a spike in activity during tensions last summer that NSA publicly indicated was probably designed to understand policy maker thinking. . . .
“Another facet of the Iranian cyberthreat is the cyberattack (disruptive/destructive) capability posed by Iran. Will they cripple our society? I highly doubt it. Could they score some major blows against individual companies and maybe even the US sense of security? Absolutely.”
Government officials are also sounding alarms. Just hours after Friday’s U.S. airstrike that killed Soleimani, the Department of Homeland Security’s top cybersecurity official, Chris Krebs, warned U.S. businesses to raise their defenses against Iranian hacks. He wrote on Twitter:
“Given recent developments, re-upping our statement from the summer. Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses!”
By Saturday evening, Krebs’s agency was also monitoring the hack of a minor government website run by the Government Publishing Office, which was defaced with propaganda for Iran’s Islamic Revolutionary Guard Corps. There’s no confirmation tracing the hack to the Iranian government, agency spokeswoman Sara Sendek said.
Sen. Gary Peters of Michigan, the top Democrat on the Homeland Security Committee, also urged DHS to ramp up preparations for an Iranian cyberattack and called on the White House to brief Congress on its plans.
Tensions ratcheted up dramatically over the weekend with Iran suspending its commitments under the 2015 nuclear deal. Trump warned that if Iran took military action against the U.S., he would target Iranian cultural sites, which would constitute a war crime under international law.
Iran may want to delay any damaging cyberattacks until it’s clear how far the conflict will escalate, experts say. That’s especially likely because most highly damaging cyberattacks require months of advance work to surreptitiously break into a company’s computer networks – and attackers can only strike once before they’re discovered and kicked out.
“Iran will definitely use everything they have at their disposal eventually, but I don’t think a major cyberattack right this second makes sense,” Jake Williams, founder of the cybersecurity company Rendition Infosec and a former National Security Agency official, told me. “Every piece of malware Iran uses now removes a bullet they can fire later to have a greater effect.”
There’s also a possibility, however, that Iran will be extra careful about crossing red lines with a cyberattack out of fear the Trump administration will retaliate much more aggressively than expected.
The Obama administration was wary of escalating hacking conflicts or of responding with military force, preferring to rely on indictments, sanctions and diplomatic tools. The Trump administration, however, has been much less predictable. Already on Sunday, Trump was warning that his administration might respond to Iranian attacks “in a disproportionate manner” – another possible violation of international law.
“All the lines are completely obliterated with this administration, and you don’t know how they’re going to react,” said Tony Cole, chief technology officer at Attivo Networks. “So [Iran] is going to have to tread carefully.”