The US Department of Homeland Security (DHS) has issued a rare security alert warning of an increased likelihood of cyber attacks originating from Iran.
On January 3, 2020, President Trump ordered a drone strike that killed Iranian General Qasem Soleimani. The president described Soleimani as a “terrorist leader” and cited past actions and alleged ongoing threats to US interests as justification for the strike.
Domestically in Iran, many viewed Soleimani as a key figure in the fight against ISIS, and thousands gathered in Tehran to mourn his death. Internationally, he was often accused of coordinating operations and destabilizing activities through Iran-linked proxy groups such as Hezbollah and by supporting the Assad regime in Syria.
Iran has vowed retaliation for Soleimani’s killing, but it is unlikely to declare a conventional war on the United States. A direct military attack on US personnel or assets would almost certainly provoke open conflict, so Tehran is more likely to resort to asymmetric measures, including cyber operations, to respond while avoiding full-scale military escalation.
The DHS raised its alert through the National Terrorism Advisory System (NTAS), a mechanism it has used sparingly since its 2011 introduction. The advisory, issued a day after the drone strike, warned: “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
Iran-linked cyber attacks
Iran has been tied to numerous cyber incidents over recent years. These include intrusions and theft targeting US companies and universities, attacks on industrial control systems, and operations against banks. Actors linked to Iran have also been accused of attempts to influence political campaigns and of targeting current and former US officials and journalists.
Domestically, Iran has demonstrated the capacity to control and restrict internet access. During nationwide protests in November 2019, authorities effectively cut internet access for large parts of the population. Government documents and plans indicate a longer-term ambition to build a “national internet,” restricting access to foreign websites and replacing popular international services with domestic alternatives to limit external influence and information flows.
Cybersecurity experts warn that Iran’s capabilities pose a real threat to vulnerable targets in the United States. James Lewis, senior vice president at the Center for Strategic & International Studies, told Bloomberg that Iran is “pretty capable” and that US defenses are uneven; he noted Iran could successfully strike poorly defended targets and that Tehran may seek actions with dramatic impact.
Analysts expected a reduced likelihood of immediate retaliation during Iran’s official mourning period for Soleimani, which could last several days. Some experts recommended that the US take proactive defensive measures during that time to reduce the risk of a successful Iranian cyber operation.
Joe Slowik, an industrial control systems (ICS) malware researcher at Dragos, suggested in a blog post that US-aligned actors could use a period of Iranian uncertainty to disrupt or degrade command-and-control infrastructure that would be needed to mount retaliatory cyber strikes, thereby limiting Tehran’s ability to launch effective cyber attacks.
At the time of reporting, there were no confirmed, large-scale retaliatory cyber operations attributed to Iran. A number of low-level website defacements affected roughly twenty sites over a weekend, but these actions did not appear to be coordinated by official Iranian state actors.