A billboard of Maj. Gen. Qassim Suleimani is displayed in Tehran. Photo / Arash Khamooshi, The New York Times
Cybersecurity experts are seeing malicious activity from pro-Iranian forces, and warning that Iran has the capacity to do real damage to American computer systems.
Iran's declaration Wednesday that a missile attack on Iraq had "concluded proportionate measures" against the United States in response to the killing of its most important general may amplify the Trump administration's attention on computer systems as the next battlefield in its showdown with the country.
Cybersecurity experts and government officials are already monitoring an uptick of malicious activity by pro-Iranian hackers and social media users that they believe are harbingers of more serious cyberattacks from Iran, including possible efforts aimed at destroying government databases.
"Iran has the capability and the tendency to launch destructive attacks," said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security's computer security arm. "You need to get in the head space that the next breach could be your last."
A battle cloaked in computer systems is more in keeping with Iran's history of attacking the United States and its allies by clandestine means or through proxies. And mischief-making has already begun. In recent days, hackers have defaced government websites and pursued divisive disinformation campaigns on social media. Members of Iran's Miqdad Cyber Base have used official state texting channels to threaten retaliatory cyber strikes on the United States and Israel following the targeted killing of Gen. Qassem Soleimani.
Cybersecurity firm CrowdStrike warned customers in an alert obtained by The Times that it observed hackers supporting Iran's Revolutionary Guard deface local city websites in Minneapolis and Tulsa, Oklahoma, with images honouring Soleimani. Over the weekend, hackers claiming to be associated with Iran replaced the homepage of the Federal Depository Library Program, a division of the Government Printing Office, with a doctored image of a bloodied President Donald Trump getting punched in the face.
An adviser to Iranian President Hassan Rouhani, in a series of tweets, posted a link to Trump's properties and said "our sole problem is Trump. In the event of war, it is he who will bear full responsibility."
The public should be prepared for worse, Krebs said in an interview. Iran has the ability to not just access private-sector and government computers in the United States but to "burn down the system," he said.
"This is a capable actor that has demonstrated prior capability in the region," Krebs said. "They're known to be pretty aggressive."
While most of the activity so far has been limited to anti-Trump threats on social media and government websites, cybersecurity experts said true retaliatory attacks could still be coming. A member of a chat group supportive of the Guard told members to "await a final decision" from Iran's leadership before launching attacks. The hackers of the federal library site included a message with their defacement that warned it was "only a small part of Iran's cyber ability."
Former and current government officials predicted that Iran's first method of retaliation would be a physical attack. Early Wednesday in Iraq, Iran fired more than a dozen missiles at two bases housing US troops. Mohammad Javad Zarif, Iran's foreign minister, said after the attack that Iran "concluded proportionate measures in self-defense."
Trump responded Wednesday by announcing new economic sanctions against Iran. Jamil Jaffer, executive director of the National Security Institute at George Mason University's law school, said the Iranians will not want their next move to provoke a large-scale retaliation from the United States. It could be more difficult for the United States to point to the culprit of a cyberattack.
"Conducting terrorist attacks and killing people is binary," said Jaffer. "On the other hand, cyberattacks can be ratcheted up and down dynamically. As a result, cyberattacks give the Iranians more room in the event they want to engage in a further response."
Iran's capabilities are much more advanced than they were in 2009, when a classified US intelligence assessment concluded that Iran had the motivation to inflict harm but lacked the skills and resources to do so.
Since then, Iranian hackers have used data-destroying malware to target 30,000 computers at Saudi Aramco — the world's largest oil company — destroying Aramco's data, replacing it with the image of a burning American flag, and upending the market for computer hard drives as a result. Iranian hackers also took US banks offline in 2013 by flooding them with traffic in a so-called denial-of-service attack and destroyed data on thousands of computers at the casino and resort company Las Vegas Sands Corp. after its chief executive, Republican megadonor Sheldon Adelson, suggested that the United States bomb Iran.
Krebs hosted a call last Friday with more than 1,700 members of the private sector and state and local governments, encouraging them to back up their data on storage sites not connected to the internet and alert security personnel to be on the lookout for signs of breaches in their computer systems. While hackers have conducted cyberattacks for ransom, Krebs warned that future attacks could be to simply cause mayhem.
Krebs' agency serves mainly to advise private companies and local governments of risks before attacks are launched. While the US government can assist in the event of a breach, private computer security firms and companies themselves are expected to be able to handle the initial response and rebuild their networks.
Iranian hackers backed off from such destructive cyberattacks in the lead-up to the signing of the Iran nuclear deal in 2015 and after it. But Iranian hacking units never ceased hacking; they moved to quieter espionage campaigns with increasing sophistication.
After Trump backed out of the Iran nuclear deal in 2018, private security experts and US officials braced for a renewed campaign of Iranian cyberwarfare. At the time, Gen. Keith Alexander, former director of the National Security Agency, told The New York Times, "With the nuclear deal ripped up, our nation and our allies should be prepared for what we've seen in the past."
Last year, the Department of Homeland Security was alarmed by Iran's successful hack of the Domain Name System, the internet's underlying address-lookup system, in which Iranians stole thousands of credentials from telecommunications companies, government agencies and internet infrastructure companies in the United States, Europe and the Middle East. The department's cybersecurity division issued a statement warning that Iran was looking to do more than "just steal money and data."
The division released a new advisory Monday night warning that "Iran and its proxies and sympathisers" have the ability to conduct disruptive cyberattacks, espionage and drone attacks. Customs and Border Protection, another arm of Homeland Security that employs agents at ports throughout the country, has instructed officers to enhance security.
Over the past year, Iranian hackers have been quietly probing US infrastructure and government networks, according to private researchers and the US Cyber Command, the Defense Department agency responsible for carrying out cyberattacks. Iranian hackers may use their access to destroy databases, or they may choose to try to access the electricity grid that powers Silicon Valley "as a way of saying, 'You may want to retaliate, but there will be consequences,'" said Suzanne Spaulding, former undersecretary for cybersecurity and critical infrastructure at the Department of Homeland Security. "'We're sitting here with a gun to your head.'"
In the past, Iran has used Hezbollah and Hamas for cyber actions, said James Lewis, a cybersecurity expert at the Center for Strategic Studies in Washington, which gives Iran a degree of deniability should it retaliate with cyberattacks.
They have also had some misfires. In 2016, the Justice Department indicted several Iranian hackers for penetrating the controls of the Bowman Avenue dam in Westchester County, New York. US officials had panicked that the incursion had been at the towering Arthur R. Bowman Dam in the state of Washington, where a breach could have been catastrophic. Instead, Iranian hackers targeted a 20-foot-high structure, where a sudden water release could have flooded the ground floors of some houses but not much more.
"They didn't have situational awareness to realise they wouldn't have any impact at all," Spaulding said.