Although it stressed there is no evidence of a specific credible threat to the U.S. after the killing of Iranian General Qasem Soleimani, the Department of Homeland Security on Saturday issued a National Terrorism Advisory System Bulletin warning of retaliation, including cyberattacks.
Previous homeland-based plots by Iran and its partners “have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets,” the
“Iran maintains a robust cyber program and can execute cyberattacks against the United States,” DHS warned, noting the country “is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
John Hultquist, director of intelligence analysis at FireEye, expects “an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment,” as well as “disruptive and destructive cyberattacks against the private sphere.”
Before the Joint Comprehensive Plan of Action (JCPOA), or Iran nuclear deal, was inked in July 2015, “Iran carried out such attacks against the U.S. financial sector as well as other businesses and probed other critical infrastructure,” Hultquist noted. “Since the agreement and despite the erosion of relations between Iran and the U.S., Iran has restrained similar activity to the Middle East. In light of these developments resolve to target the U.S. private sector could supplant previous restraint.”
“Iran has leveraged wiper malware in destructive attacks on several occasions in recent years,” he said.
Though Iran’s cyberactivities didn’t “affect the most sensitive industrial control systems, they did result in serious disruptions to operations,” said Hultquist, who expressed concern “that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical
He noted that Russia and North Korea had in the past subverted the supply chain to deploy destructive malware.
Iran also has used disinformation tactics and methods, refined over the past few years, to push its geopolitical objectives. Past “tactics have included the creation of large networks of inauthentic ‘news’ sites designed to amplify pro-Iran propaganda globally and discredit rivals, including the U.S.; the impersonation of influential individuals on social media including political candidates running for office in the U.S.; the creation of fabricated journalist personas designed to solicit interviews with political experts espousing views advantageous to Iranian interests; and the creation of networks of inauthentic social media accounts masquerading as real, politically-inclined individuals, including those based in the U.S., designed to propagate commentary critical of Iran’s political rivals,” said Lee Foster, senior manager, information operations analysis at FireEye Intelligence.
In fact, Iranian disinformation efforts began after the airstrike that killed Soleimani. “The U.S. should expect that Iranian influence efforts surrounding the U.S. will increase over the coming days or weeks as political developments evolve,” said Foster.
Some of Iran’s tactics mirror those of Russia, though “Iran’s efforts, in general, have been more geographically widespread than Russia’s, being directed at audiences in most parts of the globe,” he said. “They have heavily pushed traditional state propaganda and criticized geopolitical rivals; however, it is often overlooked that, in a manner similar to Russia, Iran has also aggressively sought to use these tactics to directly influence the domestic politics of individual countries, including the U.S., and to take advantage of and amplify existing divisions between communities for its own ends.”