U.S. government officials are watching and waiting, with many believing it is only a matter of time before Iran lashes out in cyberspace for the U.S. drone strike that killed Quds Force commander Qassem Soleimani last week.
According to the latest advisory from the Department of Homeland Security, there are still “no specific, credible threats” to the United States. But officials say Iran’s public assurances that it is done retaliating mean little.
“Iran has been one of the most malicious actors out there,” a senior State Department official said Thursday. “We’re very concerned about Iran’s capabilities and activities.”
U.S. government officials have been hesitant to comment in any detail on what Iranian cyber actors have been up to in recent days, though they note that Iran's capabilities are on par with those of Russia, China and North Korea when it comes to using cyber operations to target industrial control systems or physical infrastructure.
“DHS [Department of Homeland Security] is operating under an enhanced posture to improve coordination and situational awareness should any specific threats emerge,” a department spokesperson told VOA.
The spokesperson added DHS is coordinating with U.S. intelligence agencies, key private sector companies and organizations, and is ready to “implement enhanced security measures, as needed.”
Bracing for a ‘significant’ attack
Intelligence officials say much of Iran's cyber activity is driven by the Islamic Revolutionary Guard Corps (IRGC), which sometimes works through front companies and sometimes carries out cyberattacks directly.
Past Iranian cyberattacks have ranged from distributed denial of service (DDoS) attacks, which knock websites offline by flooding the servers or networks hosting them with more traffic than they can handle, to website defacements and attempts to steal personal data.
An alert this week from the Cybersecurity and Infrastructure Security Agency (CISA) also warned Iran has “demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.”
Some former officials fear whatever is coming, whenever it comes, will be significant.
“It’ll be a notch up,” said James Miller, a former U.S. Defense Department adviser, now with the Johns Hopkins University Applied Physics Laboratory. “We should expect pretty significant actions.”
While no major attack has yet been detected, private sector experts and former government officials worry about what they have been seeing from Iran.
“They are very aggressive,” said John Hultquist, director of Intelligence Analysis at the cyber security firm FireEye, speaking at a cyber symposium this week.
“What they’ve lacked in technical prowess they’ve often made up in really, really impressive, creative social engineering,” he said. “They’ve sort of developed a lot of interesting schemes.”
Ramping up disinformation campaigns
And once the U.S. airstrike took out Soleimani, the Iranian disinformation machinery went into action.
“As that news came out, we saw them ramp their program and start pushing that stuff out,” Hultquist said.
The disinformation from Iran’s proxy forces in the Middle East further increased Tuesday during Iran’s retaliatory missile strike on Iraqi bases hosting U.S. and coalition forces — “in terms of reports coming in about certain hits that happened and numbers of casualties from the Iranian response,” said Phillip Smyth, an analyst with the Washington Institute for Near East Policy who has been tracking social media activity by the Iranian-backed militias.
But Iran-linked cyber actors have also eyed more ambitious campaigns.
In October 2018, for example, Facebook and Instagram removed 82 accounts, pages and groups from their platforms.
The posts, Facebook said, focused on “politically charged topics such as race relations, opposition to the [U.S.] president and immigration.”
Analysts said while those Iranian disinformation efforts paled in comparison to the campaign run by Russia in the run-up to the 2016 U.S. presidential elections, the effort showed signs of increasing sophistication, which has continued to this day.
Some former U.S. officials and analysts also suspect Iran may be targeting news outlets.
The Kuwaiti government Wednesday said the Kuwait News Agency’s Twitter account was hacked after it posted false reports that the U.S. was withdrawing all troops based in the country.
Separately, hackers claiming to be working on behalf of Iran defaced the website of the U.S. Federal Depository Library Program.
Despite suspicions and concerns, though, officials have yet to definitively attribute either attack to Iran. And there is a risk that such attacks are actually the work of other cyber actors posing as Iranian.
For example, former officials said there have been instances in the past where Russian cyber operatives hijacked Iranian infrastructure or malware to launch intrusions of their own.
Iran, though, has other tools it can use to strike the U.S. and the West.
“Iranian cyber actors are targeting U.S. government officials, government organizations and companies to gain intelligence and position themselves for future cyber operations,” U.S. intelligence agencies warned in their most recent threat assessment.
The U.S.-based cybersecurity firms FireEye and Symantec have said their research shows Iranian-linked cyber actors have paid particular attention to telecommunications and travel companies, mining them for personal data that could prove useful in such cyber campaigns.
Not everyone, however, is convinced Iran is positioned to launch a major cyber offensive.
“A lot of the doom and gloom headlines that are out there right now, I think, are overblowing or overhyping the immediate cyberthreat coming from Iran,” Hoover Institution Fellow Jacquelyn Schneider said.
“The reality is that Iranians have been conducting these cyberattacks over the last year, if not longer,” she said, adding that while there may well be an uptick in attacks, “they’ve been trying this entire time.”
Still, a former U.S. National Security Agency threat manager cautions even a small cyberattack can inadvertently do widespread damage.
“There’s always the potential that an attack or an intrusion, which is physically or strategically designed to only impact a certain geography or certain network, creeps to other parts of the network,” said Priscilla Moriuchi, now head of nation-state research at the cybersecurity firm Recorded Future.