How Iran’s Hackers Might Strike Back After Soleimani’s Assassination

For years, US tensions with Iran have held to a kind of brinksmanship. But the drone assassination of Iranian general Qasem Soleimani, widely understood to be the second most powerful figure in Iran, has dangerously escalated tensions. The world now awaits Iran’s response, which seems likely to make new use of a tool that the country has already been deploying for years: its brigades of military hackers.

In the wake of Thursday’s strike, military and cybersecurity analysts caution that Iran’s response could include, among other possibilities, a wave of disruptive cyberattacks. The country has spent years building the capability to execute not only the mass destruction of computers but potentially more advanced—albeit far less likely—attacks on Western critical infrastructure like power grids and water systems.

“Cyber is certainly an option, and it’s a viable and likely one for Iran,” says Ariane Tabatabai, a political scientist at the RAND think tank who focuses on Iran. Tabatabai points to the asymmetric nature of a conflict between Iran and the US: Iran’s military resources are depleted, she argues, and it has no nuclear weapons or powerful state allies. That means it will most likely resort to the weapons that weak actors typically use to fight strong ones, like non-state terrorists and militias—and hacking. “If it’s going to be able to match the US, and compete with and deter it, it has to do it in a realm that’s more equal, and that’s cyber.”

Iran has ramped up its cyberwar capabilities ever since a joint US-Israeli intelligence operation deployed the malware known as Stuxnet in the Natanz uranium enrichment facility, beginning around 2007 and discovered in 2010, destroying centrifuges and crippling the country’s nuclear efforts. Iran has since put serious resources into advancing its own hacking, though it deploys them more for espionage and mass disruption than Stuxnet-like surgical strikes.

“After Stuxnet, they built up multiple units across government and proxies, including the Quds that Soleimani led,” says Peter Singer, a cybersecurity-focused strategist at the New America Foundation. Singer argues that while Iran’s hackers had previously been restrained by the need for stealth or deniability, they may now instead seek to send a very public message. “Those forces aren’t equal to those of the US, certainly, but they have the capability to cause serious damage, especially if they’re not worried about attribution, which they may indeed now want.”

The most likely form of cyberattack to expect from Iran will be the one it has launched repeatedly against its neighbors in recent years: so-called wiper malware designed to destroy as many computers as possible inside target networks. Iran has used wipers like Shamoon and StoneDrill to inflict waves of disruption across neighboring countries in the Middle East, starting with an attack in 2012 that destroyed 30,000 Saudi Aramco computers. In 2014, Iranian hackers hit the Las Vegas Sands Corporation with a wiper after owner Sheldon Adelson suggested a nuclear strike against the country. More recently, Iran’s hackers have hit private-sector targets in neighboring Gulf states like the UAE, Qatar, and Kuwait, as well as Saipem, an Italian oil services firm for which Saudi Aramco is a major customer.

“From what we know to date of their capabilities, they’re still really focused on IT-targeted wipers,” says Joe Slowik, an analyst at industrial cybersecurity firm Dragos who formerly led the Computer Security and Incident Response Team at the US Department of Energy.

Aside from the Sands incident, Iran has largely restrained itself from launching those wiper attacks on the US itself. But the Soleimani assassination may change that calculus. “Iran has been reluctant to go after Americans and US allied forces such as Australia or NATO,” says RAND’s Tabatabai. “Given the scale of last night’s attack, I wouldn’t be surprised if that’s changed.”

While arguably the most likely form of attack, wipers aren’t the only potential threat. Dragos and other cybersecurity firms like FireEye and CrowdStrike have recently observed Iranian hacking groups like APT33, known also as Magnallium or Refined Kitten, looking for points of ingress into potential targets in the US, including the Department of Energy and US National Labs. Those attempted intrusions may well have been intended for espionage, but could also be used for disruption. “We’re not sure if it’s intelligence collection, gathering information on the conflict, or if it’s the most dire concern we’ve always had, which is preparation for an attack,” FireEye’s director of threat intelligence John Hultquist told WIRED in June.

Some security researchers have also warned that Iran appears to be developing hacking abilities that could directly target industrial control systems—rather than merely attacking computers, reaching out to disrupt physical systems as Stuxnet did in Natanz. Microsoft noted in November that APT33 had attempted to gain access to the networks of industrial control system suppliers, a possible first step in a supply chain attack that could be used for acts of sabotage. “They’ve been trying to get their foot in the door in a lot of places,” says Dragos’ Joe Slowik.

Slowik also points to a leak of Iranian documents carried out by mysterious hackers that seemed to reveal an attempt to create malware for the kind of industrial control systems used in power grids and water systems, though the project appears to have been shelved.

Despite the signals that Iran has ambitions of targeting industrial control systems, Slowik argues it is likely still not ready to carry out attacks of that sophistication. “It would be a significant escalation in terms of patience, capability, and long-term targeting,” Slowik says. That makes simpler but nonetheless highly disruptive wiper attacks far more likely.

Regardless, Iran-watchers warn that any cyberattack designed as payback for Soleimani’s assassination likely won’t be the end of the story. While cyberattacks may offer a quick, low-stakes option for a response, Iran will likely see the killing of an official as powerful as Soleimani as requiring a more dramatic, physical counterattack.

“Taking out a leader like Soleimani is such a grave act, it’s going to warrant a very public response,” says Chris Meserole, a fellow at the Brookings Institution’s Foreign Policy Program. “Cyberattacks will allow them to immediately show they won’t sit idly by. But I can’t imagine it’s the sole way they’ll respond.” Rather than turning to cyberwar as a substitute for bombs and bullets, as Iran sometimes has in the past, it may now use all of the above.
