A week on from the U.S. killing of Iran’s Qassem Suleimani on January 3, media warnings around the cyber threat now facing the U.S. and its allies show no signs of diminishing. On January 8, the New York Times warned that even as “Iran’s military response maybe ‘concluded,’ [the] cyberwarfare threat grows,” and, a day later, the Wall Street Journal that the “threat of cyberattack by Iran [is] still critical.”
In the week since Suleimani, there have been around 35 organisations attacked by cyber offensives “specifically traced” to Iran’s state-sponsored hacking groups. Around 17% of those targets were in the U.S., a further 7% were in Israel. As ever with Iran, more of its focus is on strategic regional targets. That’s according to cyber threat researchers at Check Point, which has stepped up its monitoring. The team says this is not a material change over what was happening before Suleimani. “No significant response has yet been seen by us,” the company told me.
Beyond the noisy nuisance attacks—website defacements and denials of service, there are two genuine concerns. First, that a state-sponsored attack might be mounted against critical infrastructure targets—energy, transportation, finance. And, second, that a raft of commercial organisations in the U.S. and elsewhere will see concerted attacks on data and systems, to steal or destroy. But, one week on, it seems eerily quiet. Is this the calm before the storm or has the danger passed, with the same downgraded response as in the physical realm as Iran holds fire for fear of reprisals?
Iran has invested heavily in recent years to become a credible cyber player. But the country has nothing anywhere close to U.S. capabilities. And that’s a major issue for the planners in Tehran, in the same way that they will view the implications of a more dangerous missile strike than we saw on January 8. A disproportionate strike risks a devastating response. And Iran knows full well that the U.S. can take uses its offensive cyber weapons to take out large parts of its infrastructure if suitable provoked.
Despite this, “the threat of a nation-state cyber-attack on high profile corporations, government arms, and SCADA systems is very real,” maintains Brian Hussey, cyber threat detection lead at Trustwave SpiderLabs. But Hussey also tells me that “it is not clear how capable Iran is to conduct these attacks now,” even though, in his view, “it is possible that Iran already has SCADA attack capabilities in place, hidden deep within U.S. SCADA environments, waiting for the right time to attack.”
My colleague Kate O’Flaherty has pulled together a detailed overview of the history of Iran’s cyber capability build-up and the likely nature of its attacks, “the cyber warfare threat from Iran shouldn’t be dismissed,” she writes. “The country’s state sponsored hackers are capable of launching significant attacks on critical infrastructure–and they may target specific individuals and networks.”
In the meantime, what has happened is that the cyber noise levels have gone up. That has nothing to do with Iran the state and everything to do with Iran the influencer. “While there is relatively no change in Iranian APT groups attack volume,” Check Point’s cyber intel lead Lotem Finkelstein tells me, “we do see more independent attacks that are being carried out by private hackers, not associated with a known or official Iranian entity. These attacks usually involve a corruption of public websites and their goal is to generate panic more than any real damage.”
Philip Ingram, formerly a senior officer within U.K. military intelligence, has become a frequent media commentator on the threat he sees from Iran. “I think in the medium to longer term,” he tells, me, “we will still likely see a steady increase in Iranian or Iranian-sponsored activity—all, of course, at a time and place of their choosing. On the cyber side, over the last two years, hardly a month has passed without a cyber incident with an Iranian fingerprint. I see no reason for this to stop and every reason, especially with the U.S. elections, for this to ramp up and increase.”
A day after Suleimani, hackers claiming links with Iran targeted the website of the U.S. Federal Depository Library Program, defacing its home page with threats of vengeance alongside imagery of President Trump, Ayatollah Khamenei and the Iranian flag. Hussey describes these attackers as “hacktivists and patriotic types—while these types of attacks are frustrating to the victim, they do not carry the same threat level that nation-state attackers would likely focus on carrying out.”
“The purpose of these attacks is just to create an echo,” Finkelstein says. “Geopolitical events ignite private groups—but it fades after a few days. Such waves are seen after every tension in the Middle East and North Africa. Now, the main target is the U.S.”
More seriously, Iran is continually probing for weaknesses in certain high-profile U.S. systems as well as those of strategic regional targets—read oil and gas entities in Saudi, UAE and Bahrain—as well as sponsoring a mainstream malware industry that orients around denial of services attacks, ransomware, credential theft, but which is steered towards under-protected industry and public sector targets. This is not hardened military and intel targets, core command and control, military systems.
To deploy a significant attack,” Finkelstein says, “one needs to invest the time and effort to design and craft it perfectly. If Iran ever strikes through the cyber medium, we expect it be at the time and place they feel ready. This means that we all need to make the necessary preparations today.”
On December 29, a week ahead of the Suleimani killing, an Iranian state-sponsored hacking group reportedly attacked Bahrain’s national oil company—for Tehran, this is a strategic regional target. In November, one such Iranian group, APT33, was exposed for deploying a long-running campaign against such targets. The same group was behind the Shamoon attack on Saudi’s state-oil company back in 2012.
Hussey warns that attacks on strategic commercial targets will continue and will the same kind of “wiper programs” for which Iran is becoming infamous, “motivated,” he says, “by destruction. The [Shamoon] Saudi Aramco attack was the most infamous use of wiper programs bricking over 30,000 devices causing massive damage.”
Post-Suleimani, the U.S. government has warned that “Iranian cyber threat actors have continuously improved their offensive cyber capabilities.” CISA, the cyber agency within DHS has highlighted noisy attacks—“website defacement, distributed denial of service, and theft of personally identifiable information (PII),” but also “destructive wiper malware and, potentially, cyber-enabled kinetic attacks.”
Information security remains the order of the day. Right now, U.S. public and private entities do need to be mindful of an attack, even if that’s just part of the fragmented echo chamber that has been created by the rhetoric emanating from Tehran. Network resilience, data backups, user training. “I think people should be vigilant,” Ingram says, “if there are any links to U.S. government or its supply chain or research, then they are a legitimate target.”
For Check Point and Finkelstein, “Saudi Arabia and U.S. government entities and critical infrastructure remain the main targets for genuine Iranian cyber operations.” He also echoes Ingram’s warnings where commercial entities are indirectly engaged in government activity. “To allow these kind of attacks, groups may also compromise third-parties and government contractors and work through their networks to reach the main targets. We have seen this tactic few times over the past years.”
All of which, Ingram says, “is [Iran’s] background level of activity and we are likely to see an increase in areas they feel can influence events in different countries from a disruptive perspective.” He suggests attacks in the lead up to the U.S. election, and “in areas where U.S. forces are stationed across the Gulf and the possibility of attacks on shipping to disrupt safe passage and possibly have ships to stray into Iranian waters.”
So, the bottom-line—we are where we expected to be in the immediate aftermath of the Suleimani killing. A raft of low-level attacks from a fragmented hacking world sympathetic to Iran or just looking for an excuse to cause trouble, with very limited state activity beyond what was taking place. But, because Iran is so active, warnings for companies and government entities to step up their defences should be heeded.
Critically, of course, none of this will happen in isolation. Iran is on the back foot right now. A retaliatory missile strike on the U.S. that was benign was likely deliberate, albeit painted in some quarters as incompetent. More importantly, “the accidental shoot down [of Ukrainian Flight 752],” Ingram says, “has caused Iran to step back from the brink of an immediate spectacular and reassess their whole approach to revenge. Consequence management is part of their psyche and this will have rocked them a bit—it certainly seems to have quietened the rhetoric in the short term.”
That covers the short-term, but this will likely run and run. As Check Point warns, “we don’t see Iran’s known APT groups changing tactics or increasing volumes, but that doesn’t mean it’s not work-in-progress.”