When the US last tightened its sanctions against Iran in 2012, then-president Barack Obama boasted that they were “virtually grinding the Iranian economy to a halt.” Iran fired back with one of the broadest series of cyberattacks ever to target the US, bombarding practically every major American bank with months of intermittent distributed denial of service attacks that pummeled their websites with junk traffic, knocking them offline. Three years later, the Obama administration lifted many of those sanctions in exchange for Iran’s promise to halt its nuclear development; Tehran has since mostly restrained its state-sponsored online attacks against Western targets.
Now, with little more than a word from President Trump, that détente appears to have ended. And with it, the lull in Iranian cyberattacks on the West may be coming to an end, too.
President Trump announced Tuesday that he would unilaterally withdraw the US from the Iran nuclear deal negotiated by the Obama administration in 2015, and impose new sanctions against the country within 90 days. Since then, foreign policy watchers have warned that the move would isolate the US, risk further destabilizing the Middle East, and invite another nuclear rogue nation into the world. But for those who have followed the last decade of digital conflicts around the globe, the unraveling of the Iran deal reignites not only the country’s nuclear threat, but also the threat of its highly aggressive hackers—now with years more development and training that have only honed their offensive tactics.
“They’ve developed this ability over the last years and there’s no reason for them not to use it now,” says Levi Gundert, an Iran-focused analyst at private intelligence firm Recorded Future. “They want to try to induce other countries to think about repercussions before levying sanctions, and they have a real capability in the cyber domain.”
‘Now all bets are off.’
Levi Gundert, Recorded Future
For the last decade, the cybersecurity community has watched with growing dismay as Iranian state-sponsored hackers have slowly built up their capabilities and occasionally used them in brazen, chaotic offensive operations that have destroyed data on tens of thousands of computers, and threatened more serious critical infrastructure attacks. The NSA has even warned internally that Iran appears to be learning from the US hacking operations that have at some points targeted the country.
But since the 2015 nuclear deal, Iran has largely restricted its hacking to its own neighborhood, repeatedly hitting its longtime rival Saudi Arabia and other Gulf nations with cyberattacks but limiting its attacks on Western targets to mere cyberespionage, not actual disruptive operations. (One exception was the Iranian extortion attack against HBO last summer, whose perpetrator had ties to the Iranian government but seems to have hacked the television network independently.)
With the Iran pact crumbling, expect that restraint to evaporate too, warns Gundert. “Most of the destructive attacks were pre-2015. Then we had the Iran deal,” he says. “Now all bets are off.”
Iran’s abrupt entrance into the digital arms race came in 2012, when state-sponsored Iranian hackers calling themselves the Cutting Sword of Justice used a piece of malware called Shamoon to overwrite the files of 30,000 machines on the network of energy company Saudi Aramco with a file that displayed the image of a burning American flag. A similar malware infection struck Qatari gas firm RasGas soon after. The attacks, which temporarily paralyzed the IT operations of one of the world’s largest oil companies, is widely seen as retaliation for Stuxnet, the NSA- and Israeli-created malware that was unleashed against the Natanz Iranian nuclear facility in 2010 to destroy its enrichment centrifuges.
The blitz against American banking websites came the following month. Known as Operation Ababil, the campaign claimed to come in response to an anti-Muslim YouTube video called “the Innocence of Muslims.” But the US government interpreted the attacks instead as a retaliatory measure against Stuxnet and escalating sanctions. “It’s important to remember that they’ve flexed this muscle before,” says John Hultquist, director of research at private intelligence firm FireEye, which has closely tracked Iranian state-sponsored hacking.
It’s not certain if new sanctions will produce the same response from Iran now, says Rob Knake, a former White House cybersecurity official in the Obama administration who was closely involved in the response to those attacks. He points out that the Obama White House largely brushed off the bank attacks in an effort to get the Iranians to the negotiating table. Iran may fear that the Trump administration and its hawkish national security adviser John Bolton would instead respond in kind. “They might now have a different view of our response if they escalate in cyberspace,” Knake says.
‘Iranian actors will at least start probing critical infrastructure again, and start on the path toward attack capabilities in the West.’
John Hultquist, FireEye
But Iran has retaliated for less. In 2014, Iranian hackers used a malware infection to inflict $40 million in data destruction at the Sands Casino in Las Vegas. The casino’s owner, vocal pro-Israel billionaire Sheldon Adelson, had made public comments suggesting the US detonate a nuclear bomb in Nevada as a demonstration to Iran of what would happen to the country if it continued pursuit of its nuclear weapons program. After the devastating attack on the Sands, attackers calling themselves “the Anti-WMD Team” left behind a message on the casino’s computers reading “Encouraging the use of Weapons of Mass Destruction, UNDER ANY CONDITION, is a Crime.”
Beyond mere data destruction, Iran has developed more sophisticated infrastructure hacking abilities, too. In 2014, the security firm Cylance revealed that an Iranian state-sponsored hacking group known as Cleaver had broadly penetrated critical infrastructure targets from Pakistani airports to Turkish oil and gas companies to US chemical industry targets and energy firms. “We believe that if the operation is left to continue unabated, it is only a matter of time before the world’s physical safety is impacted by it,” the Cylance report read.
Now, FireEye’s Hultquist warns the end of the nuclear deal will likely trigger a restart of those intrusions. “We anticipate with the agreement going away that the Iranian actors will at least start probing critical infrastructure again, and start on the path toward attack capabilities in the West,” he says.
Some still-unconfirmed signs suggest that Iran may be developing the ability to not only disrupt critical infrastructure with cyberattacks, but to destroy it. A highly sophisticated malware known as Trisis or Triton hit Saudi Aramco last year, and is designed to manipulate the company’s physical safety equipment, with potentially lethal results. (Instead it merely caused a plant to shut down.) That attack hasn’t been tied to Iran, though its Saudi targeting has made the country the first suspect—and would hint that Iran’s technical hacking abilities are further along than anyone had otherwise seen.
All of that suggests that Iran may have quietly grown into a serious threat to any enemy nation that it can reach via the internet. And now that the last three years of tense peace appears to be ending, its list of fair-game targets may once again include the United States, too.