Security experts warn after US killing of top Iranian general.
Iran’s retaliation for the United States’ targeted killing of its top general is likely to comprise cyberattacks, security experts warned Friday. Iran’s state-backed hackers are already one of the world’s most aggressive and could inject malware which causes significant disruptions to the U.S. public and private sector.
Potential targets include manufacturing facilities, oil and gas plants and transit systems. A leading U.S. cybersecurity official is warning businesses and government agencies to be extra vigilant.
In 2012 and 2013, in response to U.S. sanctions, Iranian state-backed hackers completed a series of disruptive denial-of-service attacks that knocked offline the websites of major U.S. banks including Bank of America in addition to the New York Stock Exchange and NASDAQ. Two years later, they wiped servers at the Sands Casino in Las Vegas, crippling hotel and gaming operations.
The destructive attacks on U.S. targets ebbed when Tehran reached a nuclear deal with the Obama government in 2015. The killing early Friday in Iraq of Quds Force commander Gen. Qassem Soleimani – long after Trump scrapped the nuclear deal – completely alters the equation.
“Our concern is basically that things are going to go back to the way they were prior to the agreement,” said John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye. “There are opportunities for them to cause real disruption and destruction.”
Iran has been doing plenty of probing of critical U.S. industrial systems in recent years – trying to gain access – but has restricted its damaging attacks to targets in the Middle East, experts say.
It is not known whether Iranian cyber operators have implanted destructive payloads in U.S. infrastructure that could now be triggered.
“It’s certainly possible,” Hultquist said. “But we have not ever seen it.”
Robert M. Lee, chief executive of Dragos Inc., which specializes in industrial control system security, said Iranian hackers have been very aggressive in attempting to gain access to utilities, factories, and oil and gas facilities. That doesn’t mean they’ve succeeded, however. In one case in 2013 where they did break into the control system of a U.S. dam – garnering substantial media attention – Lee stated they probably didn’t know the compromised target was a tiny flood-control structure 20 miles north of New York City.
Iran has been increasing its cyber capabilities but is not in the same league as China or Russia, which have proved most adept at sabotaging critical infrastructure, as seen in strikes on Ukraine’s power grid and elections, experts agree.
And while the U.S. power grid is among the most secure and resilient in the world, plenty of private companies and local governments have not made sufficient investments in cybersecurity and are highly vulnerable, experts say.
“My worst-case scenario is a municipality or a cooperative-type assault where electricity is lost to a city or a few neighbourhoods,” Lee said.
Consider the havoc an epidemic of ransomware attacks has caused U.S. local governments, crippling services as vital as tax collection. While there is no evidence of coordinated involvement, imagine if the aggressor – instead of scrambling data and demanding ransoms – only wiped hard drives clean, said Hultquist.
The only known cybersecurity survey of U.S. local authorities, municipal and county, found that the networks of 28% were attacked at least hourly – and that the exact same percentage said they did not even know how frequently they were being attacked. Even though the study was done in 2016, the authors at the University of Maryland-Baltimore County do not believe the situation has improved since.
The top cybersecurity official in the Department of Homeland Security, Christopher Krebs, urged companies and government agencies to refresh their knowledge of Iranian state-backed hackers’ past exploits and methods after Soleimani’s death was announced. “Pay close attention to your critical systems,” he tweeted.
In June, Krebs warned of a rise in malicious Iranian cyber activity, especially attacks using common methods like spear-phishing that could erase entire networks: “What might start as an account compromise, in which you feel you might just lose data, can quickly develop into a situation where you’ve lost your whole network.”
Wysopal said the Iranians are apt to have learned a lot from the 2017 NotPetya attack, which the U.S. and Britain have attributed to state-backed Russian hackers and which caused at least $10 billion in damage globally. Delivered via a Ukrainian tax software provider, it exploited applications and spread across networks without human intervention.
When then-Director of National Intelligence James Clapper blamed Iran for the Sands Casino attack, it was among the first cases of American intelligence agencies identifying a particular country as hacking for political reasons: the casino’s owner, Sheldon Adelson, is a big Israel backer. Clapper also noted the value of hacking for collecting intelligence. North Korea’s hack of Sony Pictures, in retaliation for a film that mocked its leader, followed.
The vast majority of the almost 100 Iranian targets leaked online this past year by an individual or group known as Laboratory Dookhtegan – a defector, perhaps – were in the Middle East, said Charity Wright, a former National Security Agency analyst at the threat intelligence firm IntSights. She said it’s highly likely Iran will concentrate its retaliation on U.S. targets in the region as well as in Israel and the U.S.
Iran is widely believed to have been behind a catastrophic 2012 attack on Aramco, the Saudi oil company, that wiped the data from more than 30,000 computers. Iran was itself also a victim of the Stuxnet computer virus. First uncovered in 2010, it ruined thousands of centrifuges involved in Iran’s contested nuclear program and is widely reported to have been a U.S.-Israeli invention.