Cyber-warnings, cyber-speculation over cyber-Iran's cyber-retaliation cyber-plans post-Soleimani assassination
Experts reckon regional infrastructure is in the cross-hairs
With tensions soaring between America and Iran following the drone strike that killed top Persian general Qassem Soleimani, experts are weighing in on what the US could face should the Mid-East nation fully mobilize its cyber resources.
The threat of an online attack from the wannabe-nuclear state was significant enough that over the weekend the US Department of Homeland Security's National Terrorism Advisory System posted a seemingly dire alert [PDF] outlining the capabilities of Tehran's hackers.
"Iran maintains a robust cyber program and can execute cyber attacks against the United States," Uncle Sam warned.
"Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of US-based targets."
While Iran has previously targeted things like energy and oil plants with months-long hacking campaigns, the nation's ability to spark nationwide damage and panic in the US is in doubt, according to experts.
Rather, they believe, Iranian computer-security offensives would probably look more like attacks restricted to specific limited geographical regions. Of course, a region like New York City is home to millions of people, so it's not a threat that can be ignored – though it's nothing to lose your mind over.
"If an attack were to occur, the impacts would likely be limited and local," said Sergio Caltagirone, veep of threat intelligence at infosec outfit Dragos. "Industrial infrastructure worldwide is resilient but also underprepared to defend itself. We need to do more, but fear less."
That is not to say that Iran is incapable of wrecking or disrupting equipment remotely. FireEye director of intelligence analysis John Hultquist told The Register that the Mid-East country's repeated use of wiper malware has caused serious disruption at industrial organizations, even where the control systems themselves were not the ones hit.
"Iran has leveraged wiper malware in destructive attacks on several occasions in recent years," Hultquist said. "Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations."
In short, there is a real and significant threat of attacks from Iran on industrial infrastructure, though we're not likely to see anything like a sustained, widespread crippling of critical systems.
Then, there is the information warfare threat. While the defacement attacks spotted thus far have been dismissed as the work of private groups of unsophisticated "script kiddies," Iran also maintains a formidable information warfare operation of its own.
The use of that network could take the form of widespread disinformation efforts, say experts.
"We are already seeing Iranian disinformation efforts by these networks surrounding [the Soleimani] strike, and the US should expect that Iranian influence efforts surrounding the US will increase over the coming days or weeks as political developments evolve," said FireEye senior manager of information operations analysis Lee Foster.
"There are many similarities and some differences between Iran’s tactics in this space and those of Russia, which has received the majority of public attention regarding state-directed information operations. Iran’s efforts, in general, have been more geographically widespread than Russia’s, being directed at audiences in most parts of the globe."
Regardless of their form, cyber-attacks from Iran are largely seen as inevitable, though at the same time are nothing to panic over. Rather, admins should maintain a close eye on their networks, particularly incoming connections, and follow best security practices, particularly for embedded and industrial systems. That means putting systems behind firewalls and limiting access, using air gaps, using non-default secure passwords and multi-factor authentication if possible, keeping up with patches, and so on.
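One way to act on the advice about watching incoming connections to industrial systems, as an added example that is not part of the original article or of any vendor's product: a short Python sweep over firewall log lines that flags any connection to a well-known industrial-protocol port on the OT segment from a host that is not on the engineering allowlist, whether the firewall allowed it or blocked it. The log format, the port table, the network ranges and the sample records are all assumptions constructed for the example.

```python
"""Flag connections to industrial-protocol ports from hosts that are not
explicitly allowed to reach the OT segment.

Added example. The log format, port table, network ranges and sample records
are all constructed for illustration, not taken from any product or site.
"""
from dataclasses import dataclass
import ipaddress

# Ports of common industrial protocols (assumption: adjust to the site's real
# asset inventory).
ICS_PORTS = {
    102: "Siemens S7comm",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Network layout assumed for the example.
OT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")       # PLCs, HMIs
SITE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]    # everything internal
OT_ALLOWLIST = [ipaddress.ip_network("10.20.0.0/24")]   # engineering workstations


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    port: int
    protocol: str
    reason: str


def parse_record(line: str) -> dict:
    """Parse one 'TIMESTAMP key=value key=value ...' firewall record."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def find_suspicious(lines) -> list:
    """Return an Alert for every record that touches an ICS port on the OT
    segment from a source not on the allowlist. Blocked attempts are kept too:
    a denied probe of a PLC port is the scouting the DHS alert talks about."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_record(line)
        try:
            src = ipaddress.ip_address(rec["src"])
            dst = ipaddress.ip_address(rec["dst"])
            port = int(rec["dport"])
        except (KeyError, ValueError):
            continue  # malformed record: skip it rather than abort the sweep
        if dst not in OT_SEGMENT or port not in ICS_PORTS:
            continue
        if _in_any(src, OT_ALLOWLIST):
            continue
        origin = "internal, non-allowlisted" if _in_any(src, SITE_NETWORKS) else "external"
        outcome = "allowed" if rec.get("action") == "allow" else "blocked"
        alerts.append(Alert(
            ts=rec["ts"], src=str(src), dst=str(dst), port=port,
            protocol=ICS_PORTS[port],
            reason=f"{outcome} {ICS_PORTS[port]} connection from {origin} host",
        ))
    return alerts


# Constructed sample log; not captured from any real device.
SAMPLE_LOG = """\
2020-01-06T09:12:01Z action=allow proto=tcp src=10.20.0.15 dst=10.50.1.7 dport=502
2020-01-06T09:12:44Z action=allow proto=tcp src=10.30.4.9 dst=10.50.1.7 dport=502
2020-01-06T09:13:10Z action=deny proto=tcp src=203.0.113.77 dst=10.50.1.7 dport=102
2020-01-06T09:14:02Z action=allow proto=tcp src=198.51.100.5 dst=10.50.2.3 dport=44818
2020-01-06T09:15:30Z action=allow proto=tcp src=10.20.0.15 dst=10.50.2.3 dport=4840
2020-01-06T09:16:00Z action=allow proto=tcp src=10.30.4.9 dst=10.50.9.1 dport=22
"""


def sample_alerts() -> list:
    """Run the sweep over the constructed sample log."""
    return find_suspicious(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in sample_alerts():
        print(f"{a.ts} {a.src} -> {a.dst}:{a.port} {a.reason}")
```

On the sample above the sweep raises three alerts: an allowed Modbus session from an internal host that is not an engineering workstation, a blocked S7comm probe from an external address, and an allowed EtherNet/IP connection from an external address, which is the case that should never appear on a properly segmented OT network. The allowlist, not the firewall verdict, is what decides whether a record is interesting, so a permissive rule that quietly lets the wrong subnet through still gets surfaced.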
Given Iran's fondness for wiper attacks, making sure backups are up to date, kept somewhere a wiper running with the same credentials cannot reach, and actually restorable wouldn't hurt either. ®