The Iran Cyber Warfare Threat: Everything You Need To Know
When news emerged that Iranian general Qassem Soleimani had been killed in a U.S. airstrike on January 3, speculation about an imminent cyberattack was rife. It quickly led to warnings that Iran would retaliate by hitting the U.S. and its allies with a combination of physical and cyber warfare.
And for a short moment in the early hours of Sunday, it seemed like the first Iranian-led cyberattack might have arrived. The Federal Depository Library Program website had been defaced by hackers claiming to be working for the Iranian government.
But there was no proof to link the hackers to Iran, and website defacement is a very basic compromise – hardly the work of a nation-state government looking to do maximum damage.
Yet both Iran and the U.S. continue to flex their muscles. On January 4, President Trump threatened via Twitter to hit Iran “very fast and very hard.” And concerningly, Iran has now declared it will no longer abide by the nuclear restrictions outlined by the 2015 deal.
If a cyberattack were to hit the U.S. or its allies, it would be accompanied by physical warfare – the latter of which experts say will probably come first. But the U.S. remains concerned that Iran could try to attack via the cyber realm.
Over the weekend, the U.S. government issued a security alert, warning that Iran could strike so-called critical national infrastructure such as electricity grids with cyberattacks to potentially devastating effect.
So, what does the situation look like from a cyber warfare perspective, and what are Iran’s capabilities?
Discovered in 2010 but believed to have been in the making for years before, one of the most sophisticated state-enabled cyber-assaults in recent history was the Stuxnet attack on the centrifuges of Iran’s uranium enrichment programme.
“Stuxnet was blamed on the Americans and some commentators suggested Israeli involvement, which both countries deny,” Philip Ingram, a former colonel in British military intelligence, says.
However, the attack was so sophisticated that it could only have been carried out by a nation state. “Unlike other viruses that preceded it, Stuxnet was able to cause physical damage to the equipment the target computers controlled, marking a new style of cyberattack,” says Dr Max Eiza, lecturer in computer and network security at the University of Central Lancashire in the U.K.
And it had a big impact: it put the Iranian uranium enrichment programme back several years. However, says Ingram, it also launched Iran into the world of cyber effects. “They invested heavily in building cyber defences and a cyberattack capability.”
Since then, Iran has been accused of perpetrating a number of cyber-assaults. One of the best known is the attack on the Saudi Aramco oil company in 2017 utilizing the Shamoon virus – which was so devastating that the network had to be rebuilt almost from scratch.
Then in December 2018, Italian oil company Saipem was targeted by hackers utilizing a modified version of Shamoon, taking down hundreds of the company’s servers and personal computers in the UAE, Saudi Arabia, Scotland, and India.
And in November 2019, it emerged that Iranian hackers were going after a disturbing new physical target: employees at major manufacturers and operators of the industrial control systems used by power grids, manufacturing plants and oil refineries.
“Iran has a very sophisticated broad spectrum of capabilities able to target critical national infrastructure, financial institutions, education establishments, manufacturers and more,” says Ingram. He warns that Iran has “a first world cyberattack capability.”
However, Iran is also very vulnerable. In June 2019, in response to the shooting down of a U.S. RQ-4A Global Hawk unmanned spy plane in international airspace over the Gulf, the U.S. launched a successful cyberattack against Iranian air defence sites and command and control.
Following Qassem Soleimani’s killing, cyber will “almost certainly” play a part in the wider response that Iran will unleash on the U.S. and its allies, says Ingram.
However, he thinks it is unlikely the main revenge effort will be in the cyber domain because it “is not a strong enough revenge message for the Iranian people.”
Even so, Ingram thinks Iran will increase its cyber activities significantly. This could include the country using proxies such as North Korea in exchange for missile technologies. “It will range from the types of attacks we have seen already to possibly GPS spoofing to try and get shipping to stray into Iranian waters. Saudi Arabia and other U.S.-leaning Gulf states will probably bear the brunt of Iranian cyber activity.”
Javvad Malik, security awareness advocate at KnowBe4, predicts that other players across the world could also take advantage of the scenario to launch their own attacks “and try to attribute them to Iran in order to muddy the waters.”
At the same time, Mike Beck, global head of threat analysis at Darktrace, says the threat to critical national infrastructure is significant. “Sophisticated groups are using advanced software capable of going under the radar of traditional security controls and planting itself at the heart of critical systems.
“Iran will be prepared to burn accesses that they have developed over the years in a dramatic show of force, potentially impacting U.S. governments, healthcare agencies and banks.”
Vince Warrington, CEO of Protective Intelligence, predicts that Iran could target U.S. and British interests in the Middle East, “especially those companies with links to Saudi Arabia.”
But there are two important components needed if Iran is to perform a significant cyberattack, points out CompTIA global faculty member Ian Thornton-Trump: “How much compromised infrastructure does Iran already own, and have they made any moves to buy access to attractive targets on the dark markets? Do they have zero-day vulnerabilities stockpiled to unleash, or have they made any moves to buy zero days?”
Even if this has been done, a cyber-assault won’t come any time soon, according to Thornton-Trump. “I think any significant cyberattack by Iran will take weeks if not months to prepare and execute – this is not a time to be cyber trigger happy.”
Iran certainly likes to boast about its cyber capabilities, but how do they compare to the rest of the world?
It is very difficult to compare the cyber capabilities of one country against those of another, as most of the programmes are so highly classified that only a few people will know about them, Ingram says.
However: “Russia and China are Tier 1 cyber aggressors and very close behind them comes Iran, then North Korea. It is often difficult to distinguish between different countries in cyber terms as they probably use proxies in each other’s countries to mask the true originator. The U.S., U.K. and Israel are probably the West’s Tier 1 countries with sophisticated capabilities from both a defensive and offensive perspective.”
Iran is likely to work with other nations to launch its cyber-offensive. Ingram thinks it is “distinctly possible if not probable” that Iran and Russia would work together and “Russia use Iran as a proxy to continue to test cyber weapons, or to give Iran those weapons.”
“It would suit the Russians to use Iran as a proxy against the U.S. in a period where retaliation is expected,” agrees Beck. “The Russians could help by providing access to U.S. systems or by supercharging the Iranian cyber capability with their own cyber weaponry, helping to co-ordinate attacks with increased potency and damage.
“This alliance could escalate nation-state proxy conflicts; the prospect of an all-out cyber war involving the world’s major players is no longer a distant fiction.”
The threat is real, but even so, there is no scenario where Iran wins, says Thornton-Trump. “The U.S. and its partners have access to the transatlantic cables and ‘relationships’ with most of the global providers, which in the event of a national or international cyberattack could remove Iran from the Internet. The Americans built the internet – and they can take it away.”
A bold cyberattack may occur, but right now, with inflamed sensitivities, Thornton-Trump thinks: “Why bother? Terrorists and proxies are a short term solution to ‘revenge’ an attack on critical infrastructure, which can be attributed to a wayward squirrel or human mistake. As it turns out critical infrastructure breaks all the time and to rise above the general unreliability attribution, this type of attack would take a lot of effort, preparation and patience.”
Indeed, Thornton-Trump thinks a cyberattack on Saudi Arabia or the UAE “seems more likely than confronting America or Israel head on.”
Malik agrees: “Any direct cyberattack could result in physical armed response, which is not something the government would be keen on. Rather, we’ll probably see more subtle attacks that are difficult to attribute directly to Iran.”
The cyber warfare threat from Iran shouldn’t be dismissed. The country’s state-sponsored hackers are capable of launching significant attacks on critical infrastructure – and they may target specific individuals and networks. But could the country’s capabilities match the U.S.? Unlikely, even if Iran were backed by another nation state with significant capabilities.