Killing of Iranian general spurs concern about cyber retaliation

Iran has threatened to respond to the targeted killing of senior general Qassem Soleimani, and analysts say the goal will be to punish the U.S. by targeting its IT and critical infrastructure while avoiding traditional military conflict.

Marchers in Tehran carry photographs of senior leaders including Gen. Qassem Soleimani (second from right) at the Quds Day rally, May 31, 2019. (Photo credit: saeediex/Shutterstock.com)


Cybersecurity experts inside and outside the government are warning that the killing of Iranian General and Quds Force Commander Qassem Soleimani could lead to retaliatory attacks against U.S. interests at home and abroad, particularly against U.S. critical infrastructure.

The Pentagon confirmed late on Jan. 2 that Soleimani, who was the top Iranian military official overseeing operations in Iraq, Syria and other countries in the Middle East, was killed in a U.S. airstrike at the direction of President Donald Trump.

Iranian Foreign Minister Javad Zarif released a statement warning that his country would retaliate, saying Tehran “will tap into all its political, legal, and international capacities…in order to hold the criminal and terrorist regime of the U.S. accountable for this blatant crime." 

While Washington waits to see what form that response will take, experts say there's every reason to believe an increase in malicious cyberattacks will be a major component.

Iran and the U.S. have battled in the cyber arena before. The U.S. has conducted at least three such attacks against Iran in the past 10 years: the deployment of the Stuxnet virus targeting Iran's nuclear facilities, discovered in 2010, and two cyberattacks launched by the Trump administration last year after the downing of an American drone and attacks against Saudi Arabian oil tankers. Among other actions, Iran has undertaken cyber espionage, attacked the private businesses of U.S. critics and conducted influence operations.

In June 2019, Christopher Krebs, the Department of Homeland Security's top cyber official, warned that government agencies were being increasingly targeted by Iranian hackers with "wiper" malware that seizes control of computers and erases data.

He expressed concern the evening of Jan. 2 that such attacks could become more prevalent in the wake of Soleimani's death.

"Bottom line: time to brush up on Iranian [tactics, techniques and procedures] and pay close attention to your critical systems, particularly [Industrial Control Systems]," Krebs wrote on Twitter.

Acting DHS Secretary Chad Wolf held meetings Jan. 2 and 3 with top agency officials "to assess potential new threats and component actions to respond to the constantly evolving threat landscape." Wolf said in a statement "that there are currently no specific, credible threats against our homeland."

A spokesperson for the Cybersecurity and Infrastructure Security Agency told FCW in an email that the agency has no public comment at this time, beyond Krebs' tweet, about what it is doing in the wake of Soleimani's death to help prepare government agencies and the private sector for such attacks.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) echoed those concerns in a statement released the day after the strike was announced.

"I am concerned that a day later we have seen little of substance from the Administration – including the Department of Homeland Security – on how it is planning for any contingencies," Thompson said. "DHS’s core mission is to keep us safe from potential attacks, but under this Administration it has been almost singularly focused on immigration and has been without a permanent leader since April.”

The central question is just how forcefully Iranian leaders will choose to respond in the kinetic or cyber domain. The sectors historically targeted by Iranian hacking groups include financial services, oil and gas, energy, healthcare industries as well as government. Analysts have warned all are at increased risk for attack in the wake of Soleimani's killing.

Jamil Jaffer, a former Senate Foreign Relations Committee staffer and currently vice president of strategy and partnerships at IronNet Cybersecurity, told FCW that Iran's response will most likely come in two forms: physical attacks against U.S. military and other assets in the Middle East and cyberattacks within the U.S. or its allied countries.

"They have to be able to be seen to not just respond, but respond in a way that preserves at some level their national pride," Jaffer said. "They also recognize that if they respond at the level they want to, they will provoke another response from the U.S. and they'll end up in an escalatory cycle they don't want to be in."

A return to the kind of cyberattacks on the U.S. banking sector and other industries that took place prior to the nuclear deal would be "a starting point" in terms of a response, along with the potential for more destructive actions like the 2014 malware attacks against billionaire Sheldon Adelson's Sands Corporation. But there's also the possibility that Tehran will feel the need to cross previously established red lines to make a point.

Private sector analysts who track Iranian hacking groups have also issued warnings. In a statement, John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye, said that U.S. government IT could be in the crosshairs for Iranian hackers, along with organizations in the financial services sector and other critical infrastructure, where Tehran has shown relative restraint since 2015.

"We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment," said Hultquist. "We also anticipate disruptive and destructive cyberattacks against the private sphere."

Robert M. Lee, a former NSA cyber warfare operations officer and founder of the cybersecurity firm Dragos, warned the strike could result in a ramping up of attacks against U.S. critical infrastructure.

"I am not an alarmist but I would sincerely advise folks working in infrastructure to understand their connections in and out of the [Industrial Control System] and be proactive in security over the next few weeks at a minimum," said Lee on Twitter shortly after the strike was announced.

Iran has spent years building up its cyber warfare capabilities and other asymmetric tools that can exact a toll on larger enemies while avoiding a direct conflict. In recent years the Trump administration's withdrawal from a multilateral nuclear deal and the execution of a "maximum pressure" campaign of financial and economic sanctions against Iran have resulted in heightened tensions between the two countries and spurred warnings from U.S. officials about the potential for cyberattacks against U.S. interests. Secretary of State Mike Pompeo claimed that Soleimani was actively planning attacks against U.S. targets in the Middle East, but the State Department has not provided details or evidence to that effect.

While hacking groups linked to the Iranian government already have a presence in the United States, recent history indicates that such activity tends to become far more active and hostile during a crisis.

In an analysis of Iranian hacker hierarchy by Recorded Future and Insikt Group last year, it was observed that following previous high-profile confrontations with the U.S. — such as the 2012 imposition of SWIFT financial sanctions — Tehran tends to abandon its "typically deliberate and methodical approach to cyber operations" and draws from a larger (but less trusted) pool of outside contractors to provide a faster, more intense cyber response.

The choice to prioritize speed over precision in these instances opens up the possibility for scenarios where Iran "has difficulty controlling the scope and scale of the destructive cyberattacks once they have begun."