Iran is widely expected to ramp up cyberattacks against the United States in response to the US killing of a top Iranian leader this month even as fears have receded about a military confrontation between the two countries.
The simmering tensions since the US drone attack that killed Qasem Soleimani, who was by some measures the second most influential person in Iran, make it likely that Iran will seek retaliation.
While Iran appeared to be "standing down" from a military response, according to US President Donald Trump, the cyber threat remains real, said analysts.
"Cyber is the easiest way Iran can have a direct effect on the US homeland," said Jon Bateman, a former Pentagon intelligence official who is a cyber policy fellow at the Carnegie Endowment for International Peace.
"I don't think we should believe everything is over."
Bateman said Iran has pulled back some of its cyber efforts against the United States in recent years but "has a lot of tools in its toolkit" which could be used against America or US allies.
These could include attacks on infrastructure such as electric or water utilities, ransomware which can be used to destroy or delete data from a company or government entity, or disinformation on social media aimed at sowing discord ahead of the US election, Bateman said.
Analysts say cyberattacks offer Iran a way to act against the US without directly challenging the American military.
James Lewis of the Center for Strategic and International Studies said Iran appears to have "picked up the pace of reconnaissance" to prepare for a cyber intrusion.
"They may want to do something dramatic and symbolic," he said.
"They are relatively cautious, they plan ahead. They have been developing cyber attack capabilities for at least five years, so it's now a political question."
- 'More pronounced' threat now -
John Dickson, a former air force intelligence officer and now an executive with the Denim Group consultancy, said the security community should not let its guard down because some time has elapsed since the drone attack.
"I think the threat is more pronounced now," Dickson said.
"They've had time to prepare and dust off their plans, that is more in line with how the Iranians operate."
Dickson said ransomware is a likely option because "as they get squeezed economically by sanctions, ransomware is a way to get access to cash."
The Department of Homeland Security issued a bulletin last week warning of the potential cyber threat, citing "Iran's historic use of cyber offensive activities to retaliate against perceived harm."
"Iranian cyber threat actors have continuously improved their offensive cyber capabilities," the DHS bulletin said.
"They continue to engage in more 'conventional' activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information, but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and potential, cyber-enabled kinetic attacks."
One potential attack vector for Iran would be social media, and both Facebook and Twitter have already acted against what the social networks called state-supported disinformation efforts by Tehran.
"Iran has developed a sophisticated apparatus to conduct information operations as an extension of its foreign policy," said a report by the Atlantic Council's Digital Forensic Research Lab.
The researchers said that in response to Soleimani's death, the hashtag #HardRevenge started to trend in early January.
"This could preface a set of more intensive information operations from Iran," the report said.
- Digital vs military -
Bateman noted that digital tools are now considered part of the military arsenal, and that both Iran and the US could mix cyber and conventional or "kinetic" methods.
Iran knows the US may respond either with cyber or conventional methods, according to Bateman, and are cognizant of the Stuxnet malware which is believed to have been a US operation to damage Iran's nuclear capabilities.
"I wouldn't assume that a US response to an Iranian cyberattack would be a reciprocal cyberattack," he said.
"It could be sanctions or criminal indictments or military action."
Still, he said Iran appears motivated to do something to show its discontent over the Soleimani attack.
"The Soleimani killing was so much more provocative than anything the US has done in some time," he said.
"It was a blatant insult and so much more personal for the Iranians."
Iran is widely expected to ramp up cyberattacks against the United States in response to the US killing of a top Iranian leader this month even as fears have receded about a military confrontation between the two countries.
The simmering tensions since the US drone attack that killed Qasem Soleimani, who was by some measures the second most influential person in Iran, make it likely that Iran will seek retaliation.
While Iran appeared to be “standing down” from a military response, according to US President Donald Trump, the cyber threat remains real, said analysts.
“Cyber is the easiest way Iran can have a direct effect on the US homeland,” said Jon Bateman, a former Pentagon intelligence official who is a cyber policy fellow at the Carnegie Endowment for International Peace.
“I don’t think we should believe everything is over.”
Bateman said Iran has pulled back some of its cyber efforts against the United States in recent years but “has a lot of tools in its toolkit” which could be used against America or US allies.
These could include attacks on infrastructure such as electric or water utilities, ransomware which can be used to destroy or delete data from a company or government entity, or disinformation on social media aimed at sowing discord ahead of the US election, Bateman said.
Analysts say cyberattacks offer Iran a way to act against the US without directly challenging the American military.
James Lewis of the Center for Strategic and International Studies said Iran appears to have “picked up the pace of reconnaissance” to prepare for a cyber intrusion.
“They may want to do something dramatic and symbolic,” he said.
“They are relatively cautious, they plan ahead. They have been developing cyber attack capabilities for at least five years, so it’s now a political question.”
– ‘More pronounced’ threat now –
John Dickson, a former air force intelligence officer and now an executive with the Denim Group consultancy, said the security community should not let its guard down because some time has elapsed since the drone attack.
“I think the threat is more pronounced now,” Dickson said.
“They’ve had time to prepare and dust off their plans, that is more in line with how the Iranians operate.”
Dickson said ransomware is a likely option because “as they get squeezed economically by sanctions, ransomware is a way to get access to cash.”
The Department of Homeland Security issued a bulletin last week warning of the potential cyber threat, citing “Iran’s historic use of cyber offensive activities to retaliate against perceived harm.”
“Iranian cyber threat actors have continuously improved their offensive cyber capabilities,” the DHS bulletin said.
“They continue to engage in more ‘conventional’ activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information, but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and potential, cyber-enabled kinetic attacks.”
One potential attack vector for Iran would be social media, and both Facebook and Twitter have already acted against what the social networks called state-supported disinformation efforts by Tehran.
“Iran has developed a sophisticated apparatus to conduct information operations as an extension of its foreign policy,” said a report by the Atlantic Council’s Digital Forensic Research Lab.
The researchers said that in response to Soleimani’s death, the hashtag #HardRevenge started to trend in early January.
“This could preface a set of more intensive information operations from Iran,” the report said.
– Digital vs military –
Bateman noted that digital tools are now considered part of the military arsenal, and that both Iran and the US could mix cyber and conventional or “kinetic” methods.
Iran knows the US may respond either with cyber or conventional methods, according to Bateman, and are cognizant of the Stuxnet malware which is believed to have been a US operation to damage Iran’s nuclear capabilities.
“I wouldn’t assume that a US response to an Iranian cyberattack would be a reciprocal cyberattack,” he said.
“It could be sanctions or criminal indictments or military action.”
Still, he said Iran appears motivated to do something to show its discontent over the Soleimani attack.
“The Soleimani killing was so much more provocative than anything the US has done in some time,” he said.
“It was a blatant insult and so much more personal for the Iranians.”
