By Joseph Marks
Mourners surround the coffins of Iranian General Qassem Soleimani and others killed in the U.S. airstrike during a funeral ceremony in Tehran, Iran, on Monday, Jan. 6, 2020. (Ali Mohammadi/Bloomberg)
The U.S. must brace for Iran to launch bold cyberattacks designed to cause major financial damage or threaten American lives as retaliation for the killing of one of its top generals, cybersecurity experts say.
Security experts tell The Cybersecurity 202 that Iran may be willing to cross dangerous boundaries in cyberspace: For instance, they warn, Iranian hackers could launch attacks that shut down electricity for some Americans, destroy important financial records or disrupt hospital or transportation systems in ways that threaten lives.
“We’re in a more escalated situation than we’ve been in the past, and there are some serious questions about where the red lines are,” John Hultquist, director of intelligence analysis for the cybersecurity company FireEye, told me. “They may not have a problem with people getting hurt at this point.”
Experts are also warning that Iran could launch widespread attacks that encrypt U.S. companies' information and hold it for ransom, or target U.S. government contractors to punish them for working with the Trump White House. Or it might target U.S. allies in the Middle East or U.S. diplomatic targets abroad, as my colleagues Tony Romm, Isaac Stanley-Becker and Craig Timberg reported.
“We’re definitely in new territory,” Robert M. Lee, founder of the cybersecurity firm Dragos, which protects major industrial systems, and a former National Security Agency official, told me.
Iran has routinely tested the boundaries of what it could get away with in cyberspace, including pummeling U.S. banks after the Obama administration imposed new sanctions in 2012 and hacking control systems at a New York dam in 2013. It also allegedly wiped data from tens of thousands of computers at the Saudi state oil company Aramco in 2012 in one of the most destructive digital attacks ever launched.
But it's always stopped short of launching the most serious attacks on U.S. targets. Experts fear it may soon abandon this restraint following the killing of Quds Force Commander Maj. Gen. Qasem Soleimani — whom the Trump administration charged was planning major attacks against U.S. targets.
Still, there are limits to Iran's capabilities. Lee says Iranian hackers aren’t sophisticated enough to launch an attack that could affect the whole nation; shutting off large portions of the electrical grid is not the true concern here. But they could disrupt electricity on a smaller scale, for instance, by targeting a U.S. city or portions of it. Such a smaller attack could still succeed by prompting widespread fear about a larger one and, possibly, by drawing the U.S. into an even broader conflict through an outsize response.
“It’s really hard to do these attacks, and you shouldn’t expect to see major blackouts across the U.S. as a whole,” Lee said. “My concern is that they’ll get a small win and we’ll overreact.”
Iranian hackers have gained access to U.S. industrial companies’ computer networks in the past, Lee told me, but there’s no public evidence they’ve launched destructive hacks once they’re in there.
Hultquist made a similar point on Twitter:
Another facet of the Iranian cyberthreat is the cyberattack (disruptive/destructive) capability posed by Iran. Will they cripple our society? I highly doubt it. Could they score some major blows against individual companies and maybe even the US sense of security? Absolutely. 5/x — John Hultquist (@JohnHultquist) January 5, 2020
Given recent developments, re-upping our statement from the summer. Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS — Chris Krebs (@CISAKrebs) January 3, 2020
Sen. Gary Peters (Mich.), the top Democrat on the Homeland Security Committee, also urged DHS to ramp up preparations for an Iranian cyberattack and called on the White House to brief Congress on its plans.
I’ve called for the Administration to brief Congress on their plan to keep Americans safe and I spoke with @DHS_Wolf about efforts to protect against cyber-attacks and other potential strikes in the US. — Senator Gary Peters (@SenGaryPeters) January 4, 2020
Iran may want to delay any damaging cyberattacks until it’s clear how far the conflict will escalate, experts say. That’s especially likely because most highly damaging cyberattacks require months of advance work to surreptitiously break into a company’s computer networks — and attackers can only strike once before they’re discovered and kicked out.
“Iran will definitely use everything they have at their disposal eventually, but I don’t think a major cyberattack right this second makes sense,” Jake Williams, founder of the cybersecurity company Rendition Infosec and a former National Security Agency official, told me. “Every piece of malware Iran uses now removes a bullet they can fire later to have a greater effect.”
There’s also a possibility, however, that Iran will be extra careful about crossing red lines with a cyberattack out of fear the Trump administration will retaliate much more aggressively than expected.
The Obama administration was wary of escalating hacking conflicts or of responding with military force, preferring to rely on indictments, sanctions and diplomatic tools. The Trump administration, however, has been much less predictable. Already on Sunday, Trump was warning that his administration might respond to Iranian attacks “in a disproportionate manner” — another possible violation of international law.
“All the lines are completely obliterated with this administration, and you don’t know how they’re going to react,” said Tony Cole, chief technology officer at Attivo Networks. “So [Iran] is going to have to tread carefully.”
PINGED, PATCHED, PWNED with Tonya Riley
Demonstrators protest the killing of Iranian military commander Qasem Soleimani. (Lefteris Pitarakis/AP)
Researchers have already spotted a surge in suspicious posts drumming up pro-Iran sentiment, as Tony, Isaac and Craig report. Some accounts on Instagram started tagging the White House in images featuring flag-draped coffins, for example. Bogus claims of an additional airstrike against an Iraqi air base were also spreading on Twitter and the messaging app Telegram.
In other cases, nonpolitical social media accounts were repurposed for coordinated anti-U.S. messaging after the attack, the Atlantic Council’s Digital Forensic Research Lab director Graham Brookie told my colleagues.
The activity echoes previous Iranian information operations. Facebook and Twitter have taken down thousands of pages and accounts engaging in inauthentic pro-Iran behavior over the past two years.
That followed similar crackdowns by the Navy and Army. The U.S. Marine Corps is also banning the app, the New York Times's Neil Vigdor reported.
Pentagon officials fear that troops using the Chinese-owned app could be unwittingly sharing sensitive information, such as their location, with the Chinese government, a spokesperson told my colleagues Tony Romm and Drew Harwell. Members of Congress have also raised concerns that the app could be compromising Americans’ personal data.
TikTok has repeatedly rebuffed cybersecurity concerns, saying that U.S. users’ data is not stored in China and would never be shared with Beijing.
North Korean hackers were using the sites to attack employees at think tanks, universities and organizations focused on nuclear proliferation, the company said. Most targets were based in the United States, Japan and South Korea. It is unclear how many people the hackers successfully compromised using the network of sites.
This is the fourth time Microsoft has used a U.S. court order to take over domains used by nation-state hackers. Previous efforts targeted hacking groups affiliated with China, Russia and Iran.
PUBLIC KEY — Cybersecurity news from the public sector:
PRIVATE KEY — Cybersecurity news from the private sector: