The US killing of Iran’s top general, Qassim Suleimani, could have consequences that imminently spill over into cyberspace, experts and officials said after the deadly missile strike in Baghdad.
One senior cybersecurity official at the Department of Homeland Security, Christopher Krebs, warned American companies and government agencies to “pay close attention” to critical systems and to Iranian tools, tactics, and procedures in the wake of the attack.
While President Trump, who ordered the strike on Major General Suleimani, is reportedly sending thousands more US troops to the Middle East, cybersecurity experts warned that further conflict could happen online.
“Given the gravity of the operation last evening, we are anticipating an elevated threat from Iranian cyberthreat actors,” said John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye. “We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere.”
The warnings echoed previous alerts over the past three years as tensions between Washington and Tehran have escalated.
The United States and Iran are two of the most advanced, active, and capable hacking powers in the world at a time when governments regularly use hacking to accomplish important goals and shape geopolitics. Tensions between the two countries and their allies have produced a lengthy history of extraordinary cyberattacks in addition to traditional kinetic warfare.
Ten years ago, a suspected American-Israeli cyberattack against Iranian nuclear facilities was discovered by researchers after the worm mistakenly spread around the world. Known as Stuxnet, the US attack remains one of the most advanced hacking operations ever conducted.
Before the 2015 nuclear deal was brokered between the US, Iran, Europe, Russia, and China, hackers from Iran regularly targeted American finance companies and critical infrastructure. Hultquist said that activity has been relatively limited since the deal—even though the US pulled out of the agreement in May 2018—but he believes Iran’s relative restraint could give way to new operations after Suleimani’s killing.
Tehran may have slowed down on direct attacks against the United States, but it has been exceptionally active in hacking throughout the Middle East for an entire decade. Saudi Arabia, Iran’s chief regional rival and one of America’s foremost allies, has been a repeated target.
Within the last year, Iran and the US have repeatedly targeted one another in hacking operations. Iranian government hackers tried to breach President Trump’s reelection campaign. US Cyber Command reportedly hamstrung Iran’s paramilitary force during a period of high tensions earlier this year.
The strike has already increased tensions. Iranian leader Ayatollah Ali Khamenei vowed “a forceful revenge” for the killing of Suleimani, who was widely seen as the second most powerful man in Iran.
“In every modern conflict, cyber will play a role,” says Sergio Caltagirone, a former technical lead at the NSA who now works at the industrial cybersecurity firm Dragos. “Whether that’s a hidden role or an overt role, cyber will have a place, especially in operations that are as important as these for both countries. What role it plays, how prominent it is, and whether anyone knows about it is a whole other question.”
Dragos sent an alert out today to its industrial customers with operations in the United States and Middle East, warning of increased risk for destructive cyberattacks. Saudi Arabia and Kuwait were identified as particularly likely targets, given their long history on the receiving end of Iranian cyberattacks. (Full disclosure: A family member works for Dragos but was not involved in this report.)
Dmitri Alperovitch, cofounder of the cybersecurity firm CrowdStrike, listed Iranian cyberattacks against American financial companies and critical infrastructure, along with attacks against Saudi oil, as potential retaliatory moves from Tehran.
“We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously,” Hultquist said. “In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.”
The increased threat of conflict between Iran and the United States could have drastic and potentially deadly consequences.
“My biggest concern is the humanitarian cost to it all,” says Caltagirone. “When countries pull cyber triggers to conduct cyber effects, a lot of the times it’s against civilian targets rather than military targets. Right now it looks like civilians and innocent people all around the world, including Iranians, Americans, and Saudis, will bear the brunt of impact of these attacks. That’s the saddest part of all this: states are in conflict, but civilians feel the consequences.”