Here’s What a Cyber Attack by Iran Might Look Like

Experts warn that Iran might turn to its growing army of hackers.

Photo caption: US helicopters attacked a convoy carrying Qassim Soleimani Thursday. (Abaca via ZUMA)


The government of Iran vowed “forceful revenge” against the United States after Thursday’s killing of Major Gen. Qassem Soleimani, Iran’s top security and intelligence commander. It’s unclear what form that revenge might take, but cybersecurity experts are warning that Iran might use its increasingly capable army of hackers to attack US government and private sector targets. Such an operation could cause substantial damage without the use of more traditional military techniques.

“Soleimani was an extremely significant figure, and Iran will likely use any assets at its disposal to retaliate in a way that won’t spark an all-out war,” Jake Williams, a former NSA hacker currently with Rendition Infosec, a company he founded after leaving government work, told Mother Jones. “I would expect to see destructive cyber attacks in at least a few networks where Iranian government hackers already have a presence.”

Williams said that in cases where nations are trying to avoid full-scale military conflict, “cyber attacks definitely level the playing field [and] allow you to create a response that impacts many without (generally) fearing kinetic retaliation.” Williams noted that Iran’s cyber capabilities are still “rudimentary” compared to Russia and China. Still, he said, Iran has hackers who are “building custom backdoors,” theoretically granting them access to sensitive computer systems.

John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye, said in a statement that along with increased Iranian espionage activities targeting government systems, his firm is anticipating “disruptive and destructive cyber attacks against the private sphere.” Iran has carried out this type of activity in the past, but in the wake of the 2015 US-Iran nuclear deal, “Iran has restrained similar activity to the Middle East.” President Donald Trump withdrew the US from that deal and reimposed sanctions on Iran in 2018. And after Thursday’s assassination, Iranian “resolve to target the US private sector could supplant previous restraint,” Hultquist said.

There’s little reason to think that Iran could pull off a truly spectacular attack, such as disabling major electric grids or other big utilities, said Robert M. Lee, an expert in industrial control systems security and the CEO of Dragos. “People should not be worried about large scale attacks and impacts that they can largely think about in movies and books like an electric grid going down.” Instead, Iran might choose targets that are less prominent and less secure. “The average citizen should not be concerned,” he said, “but security teams at [US] companies should be on a heightened sense of awareness.”

In June, Chris Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, warned of a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” adding that Iranian-linked hackers were “increasingly using destructive ‘wiper’ attacks,” in which malware is designed to delete data from a computer. “What might start as an account compromise, where you might just lose data, can quickly become a situation where you’ve lost your whole network.”

Krebs’ June comments came amid spiraling tensions between the two countries after the US blamed Iran for attacks on oil tankers in the Gulf of Oman. Shortly after the tanker attacks, Iran shot down a US drone it said was flying in Iranian airspace. Trump reportedly ordered airstrikes on Iranian targets after the drone incident but called them off at the last minute. Instead, the US government reportedly launched a cyber attack on Iranian computer systems used for planning attacks on the oil tankers. On Friday morning, Krebs tweeted out his June statement, noting that it was once again relevant “given recent developments.”

Under the Trump administration, the US government’s approach to cyber tools has become much more assertive than under the Obama administration, which relied much more on “norms, diplomacy, active law enforcement, and dissuasion and deterrence” to tamp down on nation-to-nation cyber attacks, Jacqueline G. Schneider, a cybersecurity expert at the Naval War College, wrote in May. That said, it was the Obama administration—building off work done under President George W. Bush—that deployed the Stuxnet malware against Iran’s nuclear program, marking a major milestone in the evolution of cyber warfare.

Like many other nations, Iran uses its cyber capabilities to accomplish a variety of goals, ranging from traditional espionage to relatively simple denial of service attacks to more destructive operations. In December 2018, Wired magazine’s Lily Hay Newman explained the history of a particular strain of malware known as Shamoon, which is designed to steal information and then wipe data from the targeted computers. While definitive attribution of cyber attacks can be difficult, over the years researchers have tied the malware to Iran and have seen it used against energy companies.

The first known Shamoon strike was a 2012 attack on Saudi Aramco, which deleted files on a majority of the oil company’s computers, replacing them with images of a burning American flag, the New York Times reported at the time. Also in 2012, Iran employed denial of service attacks against a group of US banks, overloading computer servers with traffic in order to render them inaccessible. In 2014, Iranian hackers attacked computer servers at casinos belonging to Sheldon Adelson’s Sands company. Adelson, a prominent billionaire who is active in right-wing and pro-Israel causes, said in 2013 that the US should threaten to drop a nuclear bomb on Tehran.

Williams said attacks along the lines of Shamoon could happen now—but with one key difference. They would be carried out by hackers whose skills have “progressed significantly in the last several years,” potentially resulting in more damage than before.

Still, Lee said that when it comes to critical infrastructure, Americans shouldn’t panic. “Our infrastructure deserves more protection but is safe and largely resilient,” he said. “We should do more, but fear less.”

