Iran is not likely to launch disruptive, destructive cyberattacks against the U.S. in the immediate future. While political tension between Washington and Tehran has escalated over the past few weeks, no ”red line” was actually crossed. In fact, launching an attack now would be against Iran’s interests since it would only support the Trump administration’s narrative that the rogue regime has to be further sanctioned and placed on an even tighter leash.
Finally, Iran’s leaders (and their limited cyber resources) are already occupied with domestic unrest and myriad regional conflicts that bring their own geopolitical complications: the proxy war with Saudi Arabia, military operations in Syria, involvement in Iraq and Yemen and support of Hezbollah and Hamas.
Iran’s supreme leader, Ayatollah Ali Khamenei, vowed to respond to the U.S. for the nation’s alleged role in turning peaceful protests over the economy into anti-government demonstrations in an attempt to overthrow the regime. Perhaps this threat was only made to control the narrative political observers are telling and divert media attention from the violent crackdown of protesters that left 25 people dead, hundreds injured and thousands arrested by the Basij and the IRGC forces.
So far, Trump’s threats to pull out of the nuclear agreement, also known as the Joint Comprehensive Plan of Action (JCPOA), haven’t triggered an Iranian cyberattack against the U.S. But neither did the sanctions the U.S. placed on Iran for violating human rights or supplying weapons to the Houthi rebels in Yemen, violating UN sanctions.
Exiting the deal could trigger an attack
But that doesn’t mean Iran won’t launch a cyberattack against the U.S. if the Trump administration shows less restraint in handling JCPOA, especially if the U.S. abandons the deal, which is a possibility. On Jan. 12 President Trump certified the deal but said this was the final time he would do so. The U.S. Congress requires the president to certify the deal every 90 days.
Any threat of an Iranian cyberattack should not be taken lightly considering the government’s penchant for retaliating against entities that have supposedly wronged the nation. This approach could lead to an asymmetrical retaliation at a time and place of their choosing. Iran has shown a certain degree of technical capability along with impressive skills in social engineering. Compromising a few high value targets with basic tools can lead to a successful campaign.
Iran has already conducted several disruptive, destructive operations against U.S. targets - the 2012 DDoS attack on financial institutions dubbed Operation Ababil, the 2013 attack on the Bowman Dam in Rye Brook, New York, and the 2014 wiping attack against the Sands Hotel and Casino.
here's how iran could attack
Iran has shown that it can learn from the cyberacitivities of other nations. For example, Iranian hackers studied the hacking tools that were used against them and developed their own tools and tactics. Iran has the technical capability to retaliate against the U.S. Should they choose to do so, here are the most likely options:
Wiping attacks
Iranian hackers have experience conducting large scale and well-orchestrated wiping attacks. Iranian hackers developed a disk wiping malware called Shamoon (also called DistTrack) that was used in attacks against Saudi Aramco, RasGas (a joint operation of Qatar Petroleum and ExxonMobil) in 2012. Both attacks shut down the company websites and email systems for several days, but didn’t affect computers that controlled oil and gas production. An iteration of the malware dubbed Shamoon 2 targeted Sadara Chemical in November 2016.
The Sands Hotel and Casino was targeted by an Iranian wiping attack in February 2014, resulting in three-quarters of the company’s servers getting wiped and costing Sands $40 million in data recovery and equipment costs. The attack was likely provoked by a speech Sands CEO Sheldon Adelson made the previous October during which he advocated for stronger threats of nuclear attacks against Iran.
Finally, in December 2016 another attack targeted several Saudi government agencies, in an effort to influence an OPEC summit.
Destructive attacks against SCADA systems
Iranian hackers have infiltrated networks using espionage tools and spying operations although they have yet to show that they can manipulate SCADA systems.
But as a 2013 breach at small dam in Rye, New York, shows, Iranians are interested in hacking industrial control systems. In that incident, an Iranian hacker infiltrated a server that controlled the dam’s SCADA system, allowing the attacker to operate the sluice gate that controls water flow. However, the gate was offline for maintenance at the time of the breach, preventing the hacker from operating it.
DDoS attacks
If Iran lacks a botnet large enough to conduct a DDoS attack, they could use the assistance of non-government Iranian hackers as they have done in the past or rent to the infrastructure from darknet hackers. DDoS attacks marked Iran’s first foray with retaliating via the Web. In December 2011, Iranian hackers conducted sporadic and later frequent DDoS attacks against numerous U.S. financial institutions. These attacks continued until May 2013, disrupting businesses, preventing hundreds of thousands of banking customers from accessing their accounts online and costing victims tens of millions of dollars. Today, however, DDoS attacks are less effective since DDoS protection products are widely available.
US ACTIONS IN THE COMING MONTHS WILL DETERMINE IF IRAN STRIKES
Iran has not launched a cyberattack against the U.S. but that doesn’t mean it won’t decide to in the future. Iran likely has remote access to certain networks, servers and computers in the U.S., but the situation hasn’t escalated to the level where the country’s leaders feel compelled to use them in attack.
Media reports suggest that Iranian cyberactivity in the U.S. has dropped since the nuclear deal was signed in 2015, but those reports do not accurately reflect the situation. In reality, Iran’s cyber activity has only appeared to drop since the country’s campaigns aren’t caught as often as they were in the past. In fact, Iran has likely started setting the ground for future cyberattacks using the “low and slow” strategy of residing in a target’s network, studying network activity for a long period of time and building custom tools and exploits. In fact, Iran created the StoneDrill wiping tool for this very purpose.
Internal instability along with threats coming from the U.S. put Iran in an uncomfortable position. This conflict could easily turn into actions in the cyberdomain in order to deter the U.S. or retaliate against the country. How the U.S. handles the nuclear deal in the coming months will determine whether Iran uses its resources to launch an attack against the U.S. or continues to infiltrate networks and build its infrastructure until the regime decides to act.