Iran-Linked Hackers Said to Be Ready for Attacks on U.S. Targets

Even if real war doesn’t start, a cyberwar may soon be underway, experts say.

Protesters gather in front of the White House to speak out against a possible war with Iran on June 23. (Tasos Katopodis/Getty Images)

Amid an intensifying standoff between Washington and Tehran, hackers linked to Iran have in recent weeks stepped up their operations in cyberspace in what appear to be preparations for possible attacks on U.S. businesses, according to American security firms and government officials. 

The increased Iranian activity in cyberspace comes as Tehran announced on Monday that its stockpiles of low-enriched uranium have exceeded limits established in the 2015 nuclear agreement inked by Iran and world powers. The announcement sets the stage for renewed confrontation between Iran and the United States, which may well play out online as Washington and Tehran attempt to inflict pain on one another. 

For observers of cyberconflict, Iran’s preparations for an attack represent the possible beginning of a new phase in cyberwarfare, in which countries trade tit-for-tat attacks in cyberspace. 

Late last month, President Donald Trump canceled a planned strike on Iran intended to retaliate for the shootdown of a U.S. drone near Iranian airspace. With the American attack projected to kill 150 Iranians—which the president said would not be “proportionate”—Trump found a ready, less bloody option by striking back at Iran through cyberspace. Those attacks reportedly targeted Iran’s intelligence units behind the tanker attacks and knocked command and control systems for the country’s missile systems offline. 

Projecting power through cyberspace is now a method of statecraft, but it usually involves one country striking another rather than a skirmish. “We’ve never really seen a back-and-forth between two countries,” said Sergio Caltagirone, the vice president of threat intelligence at the cybersecurity firm Dragos and a veteran of the U.S. National Security Agency (NSA).

Should Iran strike back against the United States, “we are seeing the dawn of cyberwar,” Caltagirone said. 

Iran has retaliated against the United States in cyberspace before, striking the oil giant Saudi Aramco in 2012 in an apparent retaliation for an American cyberoperation aimed at damaging Iran’s nuclear infrastructure. But recent Iranian preparations raise the prospect of more immediate, fast-paced exchanges, and U.S. cybersecurity firms have in recent weeks observed the escalating Iranian activity with alarm.

Beginning the week of June 11, around the time of the first of a pair of attacks on ships in the Gulf of Oman that U.S. officials have blamed on Iran, Iran-linked hackers began targeting energy and financial companies in an attempt to establish access on their networks. 

The attacks relied on spearphishing, the use of a targeted email to get a user to click on a link to download malware or give up his or her credentials, and password spraying, a type of brute-force attack in which a hacker tries a number of different passwords to gain access to an account. 
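As an added defender-side illustration of the password-spraying pattern described above (example code, not from the article or the firms it quotes), the following flags sources whose failed logins spread across many distinct accounts in a short window; the log format, thresholds and sample lines are constructed assumptions.

```python
# Added example (not from the article): flag password spraying in auth logs.
# Log format, thresholds and sample lines are assumptions constructed here.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO time> <src_ip> <user> <result>"
SAMPLE_LOG = """\
2019-06-11T09:00:01 203.0.113.7 alice FAIL
2019-06-11T09:00:04 203.0.113.7 bob FAIL
2019-06-11T09:00:09 203.0.113.7 carol FAIL
2019-06-11T09:00:13 203.0.113.7 dave FAIL
2019-06-11T09:00:20 203.0.113.7 erin FAIL
2019-06-11T09:00:24 203.0.113.7 frank FAIL
2019-06-11T09:05:00 198.51.100.9 alice FAIL
2019-06-11T09:05:30 198.51.100.9 alice FAIL
2019-06-11T09:06:00 198.51.100.9 alice OK
"""


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def detect_spraying(log_text, min_users=5, window=timedelta(minutes=10)):
    """Return {src_ip: sorted usernames} for sources whose failed logins
    touched at least `min_users` distinct accounts inside any `window`.

    Spraying tries one or two passwords across many accounts, so the
    signal is many distinct users per source; classic brute force
    (many attempts on one user, the second source above) is not flagged.
    """
    failures = defaultdict(list)  # src_ip -> [(time, user)]
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged
```

Pairing this with a lockout-free alert (rather than per-account lockouts, which spraying is designed to stay under) is the usual mitigation step that follows detection.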

“It was wide and loud and against the U.S., which we hadn’t seen them do in 2019,” said Ben Read, the senior manager for cyber-espionage analysis at the security firm FireEye. 

The Iranian attempts to gain access to the computer systems of key American firms have also caught the attention of the U.S. government, which is warning U.S. businesses to be on guard.

“When you combine this increase with past destructive attacks launched by Iranian-linked actors, we’re concerned enough about the potential for new destructive attacks to continue sounding the alarm,” Christopher Krebs, the head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said in a statement to Foreign Policy.

With relations between the United States and Iran balanced on a knife’s edge, Iranian operatives are doing the work necessary to be able to digitally strike at the United States, researchers say. In the past two to three months, the cybersecurity firm Recorded Future has observed the registration of more than 1,200 command and control domains linked to Iran, more than 700 of which are active.

“What we are seeing is preparation of the environment for attacks,” said Priscilla Moriuchi, another NSA veteran and the director of strategic threat development at Recorded Future.

Analysts caution that these preparations do not imply that Iran is planning to carry out destructive cyberattacks against the United States. They could also be preparation for espionage. Companies may already have been breached but may not be aware of it yet. 

Cybersecurity researchers say the most recent destructive attack linked to Iran occurred in December, when the country’s operatives struck the Italian petrochemical firm Saipem. That attack immobilized between 300 and 400 company computers and was carried out using a variant of the Shamoon malware, which was used in the 2012 attack on Saudi Aramco. 

But cyberattacks cannot be carried out at the drop of a hat and require access to sensitive systems in order to succeed. The flurry of activity in recent weeks may indicate that Iran was ill-prepared for conflict with the United States and that recent rounds of escalation have left commanders in Tehran searching for new ways to strike at Washington. 

Where these preparatory operations will take Iran remains unclear, and Caltagirone describes Tehran’s actions as an attempt to catch up to U.S. capabilities against Iran. 

“We are waiting and watching,” Caltagirone said. “Fundamentally the ball is in the Iranians’ court right now.”

Twitter: @EliasGroll