After the U.S. military said it killed Qassem Soleimani, the chief of Iran’s Quds Force, in an airstrike early Friday in Baghdad, Iran’s supreme leader vowed to exact revenge on the United States.
Of prime concern will be Iran’s ability to carry out violent physical attacks on U.S. interests or its allies throughout the Middle East. But Iran could also leverage its considerable hacking capabilities to disrupt U.S. organizations. Already a series of pro-Soleimani propaganda posts have emerged on Twitter and Instagram, as CyberScoop first reported.
The U.S. attack, ordered by President Donald Trump, was carried out in response to Soleimani’s “actively developing plans to attack American diplomats and service members in Iraq and throughout the region,” the Pentagon said in a statement.
Iran has previously retaliated against the U.S. through distributed denial-of-service attacks on banks’ websites in 2012 and 2013, reportedly in response to U.S. sanctions. Since then, Iranian hackers have gotten more advanced — and shown a penchant for data-destroying hacks.
Shamoon and more
The country’s attackers allegedly used the infamous Shamoon malware to damage tens of thousands of computers at oil giant Saudi Aramco in 2012. Just last month, analysts at IBM revealed previously unknown malware they said Iranians had used in a recent data-wiping attack against industrial organizations in the Middle East.
John Hultquist, director of intelligence analysis at security firm FireEye, said the company is concerned that Iran-linked hackers now will be more likely to carrying out data-destroying attacks on its customers, which include a large swath of the companies on the Fortune 100.
FireEye “has launched a community protection event to organize coordination internally and with our customers and partners around this threat,” Hultquist said.
“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment,” he added.
Operatives linked with the Iranian government have in recent months shown greater interest in probing industrial control systems (ICS) software, the code that sends commands to equipment at facilities such as oil and gas plants. In October and November, Iran’s APT33 shifted its password-cracking attempts to include targeting of ICS vendors and suppliers, according to Microsoft.
Just hours after Soleimani’s killing, Chris Krebs, head of the Department of Homeland Security’s cybersecurity division, advised U.S. companies to be on the lookout for Iranian cyber-activity, particularly anything related to ICS.
“[P]ay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses!” Krebs tweeted.
Given recent developments, re-upping our statement from the summer.
Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS
— Chris Krebs (@CISAKrebs) January 3, 2020
“The concern with [any potential Iranian targeting] of ICS specifically would be existing communications in and out of those networks,” Robert M. Lee, chief executive of industrial cybersecurity company Dragos, told CyberScoop.
“Security professionals should look inside the ICS networks to proactively hunt for threats and pay close attention to integrator, maintenance, and remote connections,” Lee said, adding that his advice was to “not be overly alarmed, but to have a heightened sense of awareness.”
Tradeoffs for Tehran
There are pros and cons to Tehran using its cyber-capabilities to retaliate for Soleimani’s killing, experts told CyberScoop.
Dan Hoffman, former chief of the CIA’s Middle East department, said the ambiguity of cyberspace, where attackers can hide their footprints, is not something Tehran would likely be interested in at the moment.
“The problem is that in cyberspace you’re hiding your hand,” Hoffman told CyberScoop. “They’re going to be under some pressure to show there’s a Tehran, Iran, return address on what goes down whether it’s proxy militants or cyber.”
Hacking, of course, won’t be the only thing on the table for Iran’s response to Soleimani’s killing. But as Adrian Nish, head of threat intelligence at BAE Systems, pointed out, cyber-operations are an attractive, asymmetric option at Tehran’s disposal.
“They’ll know that such [cyber]attacks provide a way to hit the U.S. homeland, potentially causing disruption for businesses and individuals,” Nish said.
Chris Painter, the former top cyber diplomat during President Barack Obama’s presidency, agreed that hacking offered Iran some flexibility in how it might retaliate to the U.S. airstrike.
“Cyber has traditionally not been as escalatory for them,” Painter told CyberScoop. “When they did the financial attacks [in 2012-2013] … that was bad but it wasn’t overwhelming.”
Depending on the effect they wanted to achieve, it could take some time for Iranian hacking groups to set up the infrastructure needed to carry out effective cyberattacks, according to Sherrod DeGrippo, senior director on Proofpoint’s threat research and detection team.
“They will need to register and deploy their digital infrastructure, do reconnaissance on targets, send lures, and shift personnel,” DeGrippo told CyberScoop.
Secretary of State Mike Pompeo told Fox News on Friday morning that the Trump administration had considered the risk of Iran retaliating in cyberspace and that Tehran has “a deep and complex cyber capability.”