Iranian hackers in recent years have wiped the computer servers of Saudi Arabia’s state-owned oil company, crippled a Las Vegas casino, breached the networks of dozens of U.S. banks and been accused of trying to meddle in the 2020 presidential election.
Now Iran’s history of aggressive cyberattacks offers Tehran one potential avenue for striking back at the West for the U.S. killing of Maj. Gen. Qassem Soleimani, whose death prompted Supreme Leader Ayatollah Ali Khamenei to vow “harsh retaliation.”
The U.S. certainly has its own potent cyber weapons, which it most famously deployed by using a computer virus to wreck key parts of Iran’s nuclear program during the Obama administration. But a series of escalating digital salvos between the U.S. and Iran could inflict damage on a range of third parties, including American allies such as Saudi Arabia and critical resources such as the electric grid, cyber researchers said Friday.
“Iran has to do something,” one former U.S. intelligence official told POLITICO on Friday. The question: Would the Iranians go so far as to launch an obvious cyberattack on U.S. soil — running the risk that the United States might retaliate with bombs or drones?
A history of aggression
Tehran is widely considered to be one of the world’s most malicious online actors — alongside China, Russia and North Korea — and has a lengthy rap sheet of transgressions with an increasingly sophisticated arsenal of digital weapons.
One of its specialties is so-called wiper attacks, in which malicious software erases the hard drives of infected computers. Those include a massive 2012 hack on the Saudi Arabian oil company Saudi Aramco that is reported to have debilitated an estimated 30,000 computers.
In 2016, the U.S. brought indictments against seven Iranians on charges they had infiltrated the computers of dozens of American banks and attempted to take control of a small dam in a New York suburb. The defendants regularly worked for Iran’s Islamic Revolutionary Guards Corps, according to the Justice Department, which said the attacks disabled some of the banks’ computers by bombarding them with traffic from thousands of machines around the globe.
Iranian hackers were also held responsible for a cyberattack on GOP megadonor Sheldon Adelson’s Las Vegas Sands Corp. in 2014. The assault temporarily crippled the casino and replaced the company’s websites with a photograph of Adelson with Israeli Prime Minister Benjamin Netanyahu.
Iran “uses cyberspace operations as a tool of statecraft and internal security, and it continues to improve its capabilities,” the Defense Intelligence Agency warned in November in an examination of Tehran’s military goals and intentions, including in cyberspace. The agency added that while Tehran “often masks its cyberoperations using proxies to maintain plausible deniability,” clear evidence often links the attacks “to Iran’s security apparatus.”
A growing chorus of warnings
Those conclusions were just part of what has become a steady drumbeat in recent months by the government and private cybersecurity firms that Iran was becoming more aggressive online.
In October, Microsoft announced that hackers linked to the Iranian government had targeted the campaign of at least one 2020 White House contender, which Reuters reported was President Donald Trump. The technology giant also witnessed “significant” digital activity by the group against current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside of Iran.
And last month, a Microsoft researcher presented evidence that an Iranian hacker group has narrowed its choice of infiltration targets to those linked to industrial control systems, the computers that operate facilities such as power plants and factories.
The warnings have experts predicting that Iran will once more turn to its army of hackers to retaliate for losing an elite commander like Soleimani.
“Given the gravity of the operation last evening we are anticipating an elevated threat from Iranian cyber actors,” John Hultquist, director of intelligence analysis at the security firm FireEye, said in a statement.
“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment,” he added. “We also anticipate disruptive and destructive cyberattacks against the private sector.”
That doesn’t mean that the Iranians could turn out the lights in New York City tomorrow.
Robert Lee, a former Air Force cyber operator and the CEO of security firm Dragos, told POLITICO he is “not worried about electric grid outages or safety related attacks at oil refineries and similar locations” in the United States. But Lee, whose company works with utilities, said the Iranians have shown skill at being “as disruptive as possible, deleting systems and trying to deny control to folks and access,” leading to temporary shutdowns of non-safety-related computer systems.
Lee said industry and federal security leaders were urging power companies on Friday to practice heightened vigilance about potential cyber vulnerabilities, including remote-access tools that “could already be compromised.”
Allies ‘could be fair game’
The U.S., in turn, has shown its own increased willingness to use its cyber weapons against Iran — in what has been an often-subtle online conflict between the two sides. But that might offer little solace to U.S. allies caught in the crossfire.
In June, U.S. Cyber Command launched digital attacks against an Iranian spy group that American officials believe aided assaults on commercial tankers. The attacks targeted Islamic Revolutionary Guard Corps computer systems used to control rocket and missile launches, and successfully disabled those systems. They also at least temporarily wiped out a database used by the paramilitary arm to plot attacks against oil tankers, The New York Times reported in August.
A spokesperson for the Cyber Command, which is co-located with the National Security Agency at Fort Meade, Md., declined to comment on whether the organization had received a heads-up before the strike on Soleimani, or if it had witnessed a surge of activity by Iranian actors since. However, Cyber Command is likely to have gotten some advance notice of the drone strike, given its mission of defending the U.S. against foreign cyberattacks.
Not only that, the command likely had a team of digital warriors ready to “hunt deep, to be disruptive, if any reaction was immediate,” the former U.S. intelligence official said.
Lee noted that while the attacks blamed on Iran have had a “very aggressive nature,” a safer route for Tehran’s retaliation now would be to go after U.S. allies — “to inflict pain, but also send a signal and message” — rather than attack the U.S. homeland.
The former intelligence official agreed, saying the Saudis especially have reason for nervousness.
“I would be very surprised if there’s a direct U.S. territory attack in cyberspace by Iran,” said the official, who spoke on condition of anonymity in order to speak freely. But allies around the world are “all fair game.”
Secretary of State Mike Pompeo acknowledged the dangers of an Iranian response but said the administration had factored that into its decision-making.
“The Iranians have a deep and complex cyber capability, to be sure,” Pompeo said Friday on Fox News. “Know that we’ve certainly considered that risk.”
Gavin Bade contributed to this report.