Cyberattacks Only One of Iran’s Options for Retaliation

Editor’s Note: This story has been updated to clarify a statement from Jon Bateman.

It’s not clear yet whether the Iranian missile strikes against US bases in Iraq are the end of Tehran’s response to the targeted killing of one of its top military officials, analysts and experts told Air Force Magazine. But the strikes underline the fact that possible cyberattacks against US utilities or other vital industries—widely anticipated after the Jan. 3 killing of Gen. Qassem Soleimani—are only one of the ways Iran might respond.

“Iran has historically turned to cyber operations when they wanted to exert national power without provoking direct military confrontation with the United States and its allies,” said Sean Kanuck, who was the US national intelligence officer for cyber—effectively the nation’s top cyber intelligence analyst—from 2011-16.

Nation-state cyber operations, even when they’re attributed by careful forensic analysis, generally offer at least a figleaf of plausible deniability to the attacker, said Kanuck. “It’s like the Russian invasion of Crimea … Everybody knew [the so-called little green men] were Russian military personnel, but Moscow could claim they were not.”

But the Jan. 7 missile strikes against US forces in Iraq, even if they were calibrated—as some have speculated—to minimize possible casualties, suggest that may not be an issue right now, he added. “I think that line has been crossed … The gloves are off.”

That mental change also provides another reason Iran might choose not to rely on cyber power for any future responses, Kanuck explained: Tehran wants something “more sensational, … more grandiose” than a digital attack.

“A big hole in the ground is probably more to their liking at this point,” said Kanuck.

But Kanuck and others noted that certain kinds of cyber attack could have a kinetic effect, and that cyber operations could also be used to enable, for instance, terrorist strikes or assassinations—a so-called “blended attack.”

“If you have cruise missiles and aircraft carriers, you can reach out across the world and strike your enemies,” Kanuck said, “If you don’t, you have to use human agents or remote digital access” to get at your targets.

Iran is viewed by US intelligence agencies as one of the nation’s top cyber adversaries—alongside Russia, China, and North Korea—according to last year’s World Wide Threat Assessment from Director of National Intelligence Dan Coats. But their effectiveness is as much a product of their aggressive posture as any technical virtuosity. “While they may not be as technically sophisticated as others, they have certainly been successful in cyber offensive operations,” said Kanuck.

“In cyber, you don’t have to be the best. Good enough is good enough,” he added.

The operations Kanuck was referring to—denial of service attacks against US banks in 2012 and a series of continuing attacks against Saudi and Emirati oil and gas companies starting that same year—have become notorious among cyber experts. In particular, Iranian hackers have pioneered the usage of data destruction as a cyberattack. In 2012, they deployed this new technique for the first time on the network of oil giant Saudi Aramco. Shamoon, as the malware was called, deleted vital parts of the operating system of computers it infected—rendering 35,000 workstations useless and costing tens of millions of dollars to repair.

Iranian hackers have even broken new ground in their use of one of the oldest and crudest forms of cyberattack—distributed denial of service. DDoS attacks, which flood the targeted network with bogus data so real users can’t access the system, are generally considered among the lowest tier of cyber attacks, since they are relatively easy to launch and often just as easy to mitigate.

But Iran’s DDoS attacks against US banks in 2012 were innovative: The first to employ large commercial data centers in an attack. Repeated waves of attacks over several months succeeded in knocking offline the public websites of several large US banks, sometimes for days at a time—no mean feat, considering the enormous resources at the disposal of such organizations. Still, the effect on customers was limited to an inconvenience.
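The flood-and-mitigate pattern described above can be illustrated from the defender’s side. The following Python is an added example, not code from the article or from any of the people quoted in it: it parses web-server access logs in the common Apache/nginx format (an assumption; the article names no log format), flags any single client that exceeds a per-source request threshold inside a sliding window, and separately tracks the site-wide request rate so that a distributed flood, where every source stays just under the per-IP limit, still shows up as an aggregate spike. The sample traffic is constructed and uses documentation IP ranges; the window length and thresholds are illustrative values to be tuned against a real baseline.

```python
"""Detect volumetric HTTP floods in web access logs (added example, not from the article).

Assumptions, none of which come from the article: logs use the common
Apache/nginx format, one line per request; each client IP is one "source";
the window length and thresholds are illustrative values a defender would
tune against their own baseline traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-)$')


def parse_line(line):
    """Return (timestamp, client_ip, request) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return ts, m.group(1), m.group(3)


def parse_log(text):
    """Parse all lines and return records sorted by time (the sliding window needs ordered input)."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return sorted(records, key=lambda r: r[0])


def detect_floods(records, window_seconds=10, max_requests=25):
    """Per-source sliding window: flag any client that sends more than
    max_requests within any window_seconds span. Returns {ip: peak_count}."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, _ in records:
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        if len(q) > max_requests:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def peak_window_rate(records, window_seconds=10):
    """Site-wide sliding window: the largest number of requests seen in any
    window_seconds span, regardless of source. A distributed flood in which
    every source stays under the per-IP threshold still shows up here."""
    window = timedelta(seconds=window_seconds)
    q = deque()
    peak = 0
    for ts, _, _ in records:
        while q and ts - q[0] > window:
            q.popleft()
        q.append(ts)
        peak = max(peak, len(q))
    return peak


def _line(ip, ts, path):
    """Format one constructed log line in common log format."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S")} +0000] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed traffic: three normal clients, one single-source flood, and a
    distributed flood from 30 addresses that each stay below the per-IP limit.
    All addresses are documentation ranges, not real hosts."""
    base = datetime(2020, 1, 12, 10, 0, 0)
    lines = []
    for ip in ("203.0.113.7", "203.0.113.8", "203.0.113.9"):
        for i in range(6):                       # one request every 2 s
            lines.append(_line(ip, base + timedelta(seconds=2 * i), "/"))
    for i in range(60):                          # 60 requests in 10 s from one address
        lines.append(_line("198.51.100.4", base + timedelta(seconds=i // 6), "/login"))
    for n in range(1, 31):                       # 30 addresses x 8 requests in 8 s
        for i in range(8):
            lines.append(_line(f"192.0.2.{n}", base + timedelta(seconds=i), "/login"))
    return "\n".join(lines)


def analyse(text=None):
    """Run both detectors over the given log text (or the constructed sample)."""
    records = parse_log(text if text is not None else build_sample_log())
    return {
        "flagged_sources": detect_floods(records),
        "peak_rate": peak_window_rate(records),
        "records": len(records),
    }


if __name__ == "__main__":
    print(analyse())
```

On the constructed sample the per-source check catches only the single loud address; the thirty distributed sources each stay under the limit and are invisible to it, while the site-wide window shows a ten-second peak of 318 requests against a normal-traffic baseline of 18. Per-IP blocking is the cheap mitigation the article alludes to; the aggregate rate is what tells a defender it is time for upstream filtering or capacity rather than more blocklist entries.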

What really worries cyber experts is the prospect of a data wiping attack on a bank. “That is the nightmare scenario,” said attorney Peter Marta of Hogan Lovells, the former global head of cybersecurity law for J.P. Morgan Chase.

“With the right access a sophisticated attacker could wipe data, change account balances, even initiate transactions,” Marta said. “Imagine the impact that would have.”

The reputational damage of such an attack would be incalculably severe, even if it were conducted against a small regional institution, he noted. “Just to prove it were possible, even against a lower tier institution, could start a run on banks” everywhere, Marta said. That is worrying, because although the large global banks probably have the most sophisticated and effective cyber defenses on the planet, smaller banks don’t.

“The [banking] system is really only as strong as its weakest link,” he said.

Equally worryingly, Iranian hackers have shown signs they are developing attacks aimed at a special kind of software called industrial control systems. ICS software controls machinery in facilities like power stations, oil refineries, and water systems. In 2013, according to the Justice Department, Iranian hackers broke into the computer network of a small dam in upstate New York and tried to open sluice gates by manipulating ICS software.

“Their level of awareness and capability [about specialized ICS software] has grown since then,” noted former DIA Iran cyber analyst Jon Bateman, now a scholar at the Carnegie Endowment for International Peace.

The high water mark of ICS attacks came in December 2015, when Russian hackers knocked down part of the power grid in Ukraine.

Hacking ICS might allow Iran to cause an explosion at a petrochemical plant, or temporarily disrupt electricity supply or municipal services in a small US town, Bateman said. But even a data wiping attack could cause deaths indirectly, if it were aimed at a hospital.

In calibrating their response, Bateman added, the Iranian leadership was seeking to “show defiance and strength to three different audiences”—the United States, the international community, and Iranians themselves.

The blow had to be hard enough to demonstrate Iranian resolve, but not so hard that it brought international opprobrium or a US military response.

Bateman said the Jan. 7 missile strike satisfied the last two criteria by not provoking a response. But, “It’s hard to say, probably even for the Iranian leadership themselves at this point,” whether it met the first threshold, and would satisfactorily display their defiance. He added it was doubtful a purely cyber attack without a kinetic impact would satisfy the regime. “They want war-like damage,” he said.

For that reason, the defacement hacks against some government websites over the weekend were likely the acts of regime supporters or mischief makers rather than Tehran’s own cyber warriors, a US official said on background.

Iran also still has proxy forces like Hezbollah and the Palestinian Islamic Jihad, noted Jim Baker, a former senior FBI official who now directs national security and cybersecurity at the R Street Institute think tank. He said public US intelligence assessments stated Iranian backed terror groups had global networks and the capacity to strike against US targets all over the world, even potentially in the United States itself.

“If the Iranians wanted them to do something,” said Baker, “I’m confident they would try to do it.”

And that’s just what US agencies fear. In a joint DHS/FBI intelligence bulletin circulated to law enforcement agencies across the country on Jan. 8, and reported by CNN, officials warned of the possibility of Iranian proxy strikes against the homeland.

“Potential targets and methods of attack in the Homeland could range from cyber operations, to targeted assassinations of individuals deemed threats to the Iranian regime, to sabotage of public or private infrastructure, including US military bases, oil, and gas facilities, and public landmarks,” the agencies wrote.

“If the number one threat is some kind of assassination or terror attack,” explained Bateman, “I think the way they use cyber is in a blended attack or as an enabler”—using cyber espionage to locate a high ranking US official for assassination or kidnapping, for example, or for targeting an attack on shipping.

Another kind of blended attack would use Iran’s sophisticated information warfare capabilities, Bateman said. “They could combine attacks on US targets [by proxy forces in a regional country like Iraq] with misinformation campaigns designed to build public support for and participation in” such attacks, he said.

In any case, Bateman added, though the targeted killing of Soleimani was a huge event, it was also only the latest peak in an ongoing “slow boil conflict” between the US and Iran. “The crisis will continue,” he said, “There will be other events.”

Beyond that, it was foolish to speculate, added Baker. “Anyone who tells you they know what’s going to happen next is being very overconfident,” he said.