Qassem Soleimani, commander of Iran's Quds Force, has been killed in an airstrike at Baghdad's international airport. Photo / AP
Iran's cyber troops long have been among the world's most capable and aggressive - disrupting banking, hacking oil companies, even trying to take control of a dam from afar - while typically stopping short of the most crippling possible actions, say experts on the country's capabilities.
But Friday's American airstrike that killed one of Iran's top generals, Quds Force Commander Maj. Gen. Qasem Soleimani, now threatens to unleash a fully unshackled Iranian response, analysts and former US officials warned. They said a variety of potential cyber-attacks, possibly in conjunction with more traditional forms of lethal action, would be well within the digital arsenal of a nation that has vowed "severe revenge."
"At this point, a cyber-attack should be expected," said Jon Bateman, a former Defense Intelligence Agency analyst on Iran's cyber capabilities and now a cybersecurity fellow for the Carnegie Endowment for International Peace.
The range of possible tactics is wide: The Iranians can overwhelm computerized systems to snarl business operations, as they did to US banks from 2011 to 2013. They can also use malicious software to wipe out data, as they reportedly did in 2014 to the Las Vegas Sands casino, whose staunchly pro-Israel owner Sheldon Adelson had suggested the United States drop nuclear bombs on Iran.
Arch-rival Saudi Arabia's oil giant Aramco suffered a similar fate in 2012, when a cyber-attack reportedly emanating from Iran wiped the hard drives of tens of thousands of computers, disrupting the company's business operations. The company's frantic efforts to recover reportedly drove up the price of hard drives worldwide.
Hackers with ties to Tehran can potentially hijack crucial machinery over the Internet, a tactic they experimented with at a New York state dam, whose control systems they penetrated in 2013. Or they could target sensitive political or diplomatic targets while mounting sophisticated information operations over Facebook, Twitter and other social media platforms. Last October, Microsoft accused a group tied to the country's government of attempting to identify, attack and breach personal email accounts associated with a US presidential campaign, government officials and journalists.
And while the most appealing targets are likely to be in the US homeland given Iran's history of staging visible, politically potent attacks linked thematically to their grievances, it may be easier to strike US military or diplomatic targets abroad, or similar targets in allied nations.
Cyber-security expert James Lewis recently compiled a list of suspected Iranian hacks, cyber-attacks and online spying incidents and was surprised to find 14 reported last year alone. The list included hacks aimed at the Trump campaign, telecommunications systems in Iraq, Pakistan, and Tajikistan, and intrusions into employee accounts of companies making and operating industrial control systems. Iranians also reportedly used LinkedIn to target users affiliated with Middle Eastern governments and workers within the financial and energy industries.
"They have enough capability that they don't need to ask, 'Can we do this?' " said Lewis, a senior vice president for the Center for Strategic & International Studies. "It's, 'Do you want to do this?'"
Experts tracking online disinformation said Friday they had already seen suspicious, early signs of accounts pivoting to push messages sympathetic to the Iranian government. Some potentially suspect accounts on Instagram, for example, started tagging the White House in images featuring flag-draped coffins, according to the Atlantic Council's Digital Forensic Research Lab. Meanwhile, apparently bogus claims of an airstrike at the Ain Al-Asad airbase, which hosts US forces in western Iraq, were spreading in hardline Iranian media outlets, as well as on services including Twitter and Telegram, according to researchers.
"This is a new era," said Ali Soufan, a former FBI agent who chaired the countering foreign influence subcommittee of the Department of Homeland Security's advisory council. "We always had controlled escalation policies with Iranians. Now these rules don't exist, and the Iranians are going to usher in an era of unrestrained responses - an era that's going to be filled with even more chaos."
Those responses, Soufan added, are likely to include cyber activities, as well as disinformation, which already saturates political and military conflict in the Middle East. "They have so many tools to make our existence in the Middle East and our interests and the interest of our allies really under threat."
Almost a year to the day before President Donald Trump ordered the attack on Soleimani, federal officials issued a sober assessment of Iran's cyber prowess: A January 2019 intelligence report highlighted the country as an "espionage and attack threat," with the ability to target US officials, steal intelligence and disrupt "a large company's corporate network for days to weeks."
Iran's cyber capabilities rank below those of Russia and China. But they have advanced significantly since 2010, when the malicious software known as Stuxnet, widely attributed to a joint Israeli-US operation, was discovered to have destroyed centrifuges crucial to Iran's nuclear ambitions.
Since then, US officials have blamed Iran for cyber-attacks on "dozens of Saudi governmental and private-sector networks in late 2016 and early 2017," and have warned that targets in the United States similarly could be at risk.
An Iran bent on a visible, painful form of revenge could attempt several retaliatory actions in cyber-space, possibly as part of a broader campaign to drive American forces out of Iraq and enlist proxies and allies in wounding US interests here and abroad.
"The focus will be critical infrastructure - oil and gas in the Middle East, maybe elsewhere," said John Hultquist, director of intelligence analysis for the cybersecurity company FireEye, adding that past operations have targeted the American financial sector. "Anywhere where they can cause serious, almost psychological effects, noticeable disruption. The purpose is to prove to the public that they can reach out and touch Americans."
At the Department of Homeland Security, a top official said Friday that businesses and others should "brush up" on Iranian cyber tactics. Christopher Krebs, who leads DHS's cybersecurity work, pointed to the agency's past warnings that Iran is "looking to do much more than just steal data and money." DHS did not respond to a further request for comment. Neither did the White House.
"We know that Iranian cyber operations are currently scoping and preparing to attack our networks - in all sectors of society - to see where they can hit us," said Virginia Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee.
In recent years, malicious actors tied to Iran, or to the country's leaders, also have intensified their operations on Facebook, Twitter and other social media sites. Through fake accounts - some of which masqueraded as journalists and even US political figures - they pushed messages sympathetic to Tehran's interests, at times opposing Trump.
"Any time you get geopolitical tensions, you get an uptick in disinformation operations," said Ben Nimmo, director of investigations at Graphika, a social media analysis firm.
Over the past two years, Facebook has announced six major Iran-related takedowns - involving more than 1,800 accounts, pages, and groups on its site and on Instagram, reaching 5 million users globally, according to an analysis of the company's public statements. Twitter, meanwhile, has taken down thousands of accounts linked to Iran that had violated its rules.
Iran's efforts differ from those of Russia, which sought to stoke social and political unrest in the United States during the 2016 election. Russia "intends to engage in, and infiltrate, communities online," and is politically agnostic, targeting users and causes across the spectrum, said Graham Brookie, the leader of the Atlantic Council's DFRLab. Iran, by contrast, "presents a very specific worldview and has tended to try to persuade others to their side," he said, particularly with anti-Israel, anti-US and anti-Saudi messages.
Brookie said DFRLab already has seen "social media accounts that were previously used for economic purposes, like selling sneakers, immediately repurposed for coordinated messaging that aligns directly with the Iranian government.
"This is another large and effective proxy front we should expect escalation on," he added.
On messaging apps, duelling narratives were already taking shape, according to Mahsa Alimardani, a researcher at the Oxford Internet Institute who was monitoring about 100,000 Persian-language channels on Telegram. Using regime-supporting channels, such as "Young soldiers of the soft war," users were circulating images of Soleimani's body and portraying the US as an "evil force that just committed an act of terrorism."
The government has a handful of options in addressing the elevated threat, experts said. These include aiming to track and intercept cyber operations as they're developing, akin to efforts to predict and blunt manoeuvring on the battlefield. Another imperative, they said, is sharing information with private businesses, which could end up bearing the brunt of the risk.
The experts said it was difficult to predict what an Iranian offensive in cyberspace would look like, given how quickly capabilities are evolving.
But they pointed to certain precedents, including the 2017 cyberattacks targeting government ministries, banks and companies in Ukraine. The operation, blamed on Russia by Western officials, had global ramifications and was described by the White House as "the most destructive and costly cyber-attack in history."
While the US has more extensive defences, those remain untested against aggressive Iranian tactics.
"Iran has used their cyber-capabilities in a somewhat restrained way," said Robert Knake, a former cybersecurity director at the National Security Council, now at the Council on Foreign Relations. "Whether that holds after this [US] attack, is difficult to say."