Iran is considered one of Washington’s primary adversaries in cyberspace, and has shown a willingness to go after government and civilian targets.
Almost immediately after news broke that the United States had killed Gen. Qassem Soleimani, a high-profile Iranian military commander, in Iraq, John Hultquist’s inbox was already filling up.
“I was getting inquiries within an hour from customers who were concerned about the threat to them,” said Hultquist, the director of intelligence analysis at FireEye, a cybersecurity company that works with many Silicon Valley companies.
Cybersecurity professionals across the U.S. expressed a mixture of concern and caution Friday, with many explicitly saying that they are gearing up for potential retaliation from Iran, which has already proven in recent years to be a formidable adversary in the cyber realm.
Beyond the social media disinformation campaigns and website defacements already attributed to Iranian actors, cybersecurity experts who spoke with NBC News said they are particularly concerned about potential breaches of major U.S. companies and of government agencies that work with critical infrastructure.
Michael Daniel, who served as cybersecurity adviser to President Barack Obama, said Iran’s response will be measured, but that companies should be on alert.
“If I were advising the pizzeria down the street, I’d say you’re probably not high on the target list, but if you’re operating a critical infrastructure or a high-profile, large corporation, I would raise the alert status for your cybersecurity teams,” said Daniel, who is now the president of the Cyber Threat Alliance, which pools cyberintelligence from a number of cybersecurity companies and has created a dedicated communications channel for sharing intelligence on Iranian activity.
It’s been more than five years since the last publicly known destructive Iranian cyberattack on an American target, when the Sands Casino in Las Vegas was infected in 2014 after its owner, Sheldon Adelson, suggested nuking Iran in a speech.
The Sands hack was what is known as a “wiper” attack, a hallmark of Iranian cyber tactics. Rather than steal a network’s files, or encrypt them and hold them for payment like ransomware, a wiper overwrites or deletes the data on the systems it infects, often including the disk’s boot records, so that the machines cannot be recovered and the damage is maximized. Such public attacks stopped around the time the Obama administration began negotiating the Joint Comprehensive Plan of Action, which became commonly known as the Iranian nuclear deal.
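As an added illustration of the distinction drawn above between wipers and ransomware (this is example code written for this edit, not anything from the article, FireEye or IBM), the following Python triage heuristic groups endpoint file events by process and decides whether the activity looks like a wiper, like ransomware, or like nothing in particular. The event schema, the `zero_fraction` field, the process names and every sample event are constructed assumptions; a real sensor such as an EDR agent would supply equivalent fields under its own names.

```python
# Added example: coarse triage of file-activity telemetry for wiper-like behaviour.
# The FileEvent schema and all sample data below are constructed for illustration.
import os
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    host: str
    process: str
    action: str               # "write", "delete" or "create"
    path: str
    zero_fraction: float = 0.0  # share of written bytes equal to 0x00 (assumed sensor field)


# Raw block-device paths: a write here bypasses the filesystem and is how a
# boot-record wiper renders a machine unbootable.
RAW_DEVICE_PREFIXES = (r"\\.\PhysicalDrive", r"\\.\C:", "/dev/sd", "/dev/nvme")
# Filename fragments typical of ransom notes; a note signals that the attacker
# wants the victim to be able to recover data after paying, which a wiper does not.
RANSOM_NOTE_HINTS = ("readme", "decrypt", "recover", "how_to")


def _is_note(path):
    name = os.path.basename(path.replace("\\", "/")).lower()
    return any(hint in name for hint in RANSOM_NOTE_HINTS)


def classify_events(events, min_files=20, zero_fill=0.9):
    """Return {(host, process): verdict} for every process seen in the events."""
    per_proc = defaultdict(list)
    for ev in events:
        per_proc[(ev.host, ev.process)].append(ev)

    verdicts = {}
    for key, evs in per_proc.items():
        raw_writes = [e for e in evs if e.action == "write" and e.path.startswith(RAW_DEVICE_PREFIXES)]
        destroyed = [e for e in evs if e.action == "delete"
                     or (e.action == "write" and e.zero_fraction >= zero_fill)]
        writes = [e for e in evs if e.action == "write"]
        notes = [e for e in evs if e.action == "create" and _is_note(e.path)]

        if raw_writes:
            verdicts[key] = "wiper: raw disk write to " + raw_writes[0].path
        elif len(destroyed) >= min_files and not notes:
            verdicts[key] = f"wiper: {len(destroyed)} files zero-filled or deleted, no ransom note"
        elif notes and len(writes) >= min_files:
            verdicts[key] = f"ransomware: {len(writes)} files rewritten plus ransom note {notes[0].path}"
        else:
            verdicts[key] = "benign"
    return verdicts


def sample_events():
    """Constructed telemetry: three processes on two hosts (not real data)."""
    evs = []
    # Wiper-like: 25 documents overwritten with zeros, then the boot sector itself.
    for i in range(25):
        evs.append(FileEvent("WS01", "updater.exe", "write", rf"C:\Users\a\Documents\q{i}.docx", 1.0))
    evs.append(FileEvent("WS01", "updater.exe", "write", r"\\.\PhysicalDrive0"))
    # Ransomware-like: 30 files rewritten with ciphertext (almost no zero bytes) plus a note.
    for i in range(30):
        evs.append(FileEvent("WS02", "doc_enc.exe", "write", rf"C:\Users\b\Desktop\f{i}.xlsx.locked", 0.004))
    evs.append(FileEvent("WS02", "doc_enc.exe", "create", r"C:\Users\b\Desktop\HOW_TO_RECOVER.txt"))
    # Benign: a word processor saving a handful of files.
    for i in range(3):
        evs.append(FileEvent("WS02", "winword.exe", "write", rf"C:\Users\b\Desktop\draft{i}.docx", 0.02))
    return evs


if __name__ == "__main__":
    for (host, proc), verdict in classify_events(sample_events()).items():
        print(f"{host} {proc}: {verdict}")
```

The heuristic keys on what the article describes as the essential difference: a wiper leaves no recovery path. Overwriting files with random bytes is indistinguishable from encryption at the content level, so the presence or absence of a ransom note and of raw disk writes carries most of the weight, and a wiper that imitates ransomware will be misclassified until the operator notices that no decryption is on offer. Treat the output as a prioritisation hint for an analyst, not as a verdict on its own.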
But Iran has stayed active in the Middle East, regularly attacking industrial targets in Saudi Arabia and other neighboring countries. In December, IBM announced it had responded to numerous wiper attacks from Iran against Gulf nations in 2019.
Iran has also continued efforts to infiltrate American companies through the internet. In June, the Department of Homeland Security, as well as private cybersecurity firms like FireEye, warned of an ongoing Iranian phishing campaign targeting some Americans that began after the Trump administration increased sanctions on Iran.
Chris Krebs, Homeland Security’s top cybersecurity official, recirculated that warning Thursday. There are no publicly known infections from that campaign, though, and no indication of whether the campaign intended simply to spy on targets or to escalate into something more destructive.