THE KEY

The U.S. must brace for Iran to launch bold cyberattacks designed to cause major financial damage or threaten American lives as retaliation for the killing of one of its top generals, cybersecurity experts say. 

Security experts tell The Cybersecurity 202 that Iran may be willing to cross dangerous boundaries in cyberspace: For instance, they warn, Iranian hackers could launch attacks that shut down electricity for some Americans, destroy important financial records or disrupt hospital or transportation systems in ways that threaten lives. 

“We’re in a more escalated situation than we’ve been in the past, and there are some serious questions about where the red lines are,” John Hultquist, director of intelligence analysis for the cybersecurity company FireEye, told me. “They may not have a problem with people getting hurt at this point.” 

Experts are also warning Iran could launch widespread attacks against U.S. companies that encrypt their information and hold it for ransom or target U.S. government contractors to punish them for working with the Trump White House. Or they might target U.S. allies in the Middle East or U.S. diplomatic targets abroad, as my colleagues Tony Romm, Isaac Stanley-Becker and Craig Timberg reported.

“We’re definitely in new territory,” Robert M. Lee, founder of the cybersecurity firm Dragos, which protects major industrial systems, and a former National Security Agency official, told me.

Iran has routinely tested the boundaries of what it could get away with in cyberspace, including pummeling U.S. banks after the Obama administration imposed new sanctions in 2012 and hacking control systems at a New York dam in 2013. It also allegedly wiped data from tens of thousands of computers at the Saudi state oil company Aramco in 2012 in one of the most destructive digital attacks ever launched. 

But it's always stopped short of launching the most serious attacks on U.S. targets. Experts fear it may soon abandon this restraint since the killing of Quds Force Commander Maj. Gen. Qasem Soleimani, whom the Trump administration charged was planning major attacks against U.S. targets.

Still, there are limits to Iran's capabilities. Lee says Iranian hackers aren’t sophisticated enough to launch an attack that could affect the whole nation; shutting off large portions of the electrical grid is not the true concern here. But they could disrupt electricity on a smaller scale, for instance, by targeting a U.S. city or portions of it. Such an attack could succeed by prompting widespread fear about a larger attack and, possibly, by drawing the U.S. into an even broader conflict by triggering an outsize response.

“It’s really hard to do these attacks, and you shouldn’t expect to see major blackouts across the U.S. as a whole,” Lee said. “My concern is that they’ll get a small win and we’ll overreact.”

Iranian hackers have gained access to U.S. industrial companies’ computer networks in the past, Lee told me, but there’s no public evidence they’ve launched destructive hacks once they’re in there.

Hultquist made a similar point on Twitter:

Government officials are also sounding alarms. Just hours after Friday's U.S. airstrike that killed Soleimani, the Department of Homeland Security’s top cybersecurity official, Chris Krebs, warned U.S. businesses to raise their defenses against Iranian hacks. 

By Saturday evening, Krebs’s agency was also monitoring the hack of a minor government website run by the Government Publishing Office, which was defaced with propaganda for Iran’s Islamic Revolutionary Guard Corps. There’s no confirmation tracing the hack to the Iranian government, agency spokeswoman Sara Sendek told me. 

Sen. Gary Peters (Mich.), the top Democrat on the Homeland Security Committee, also urged DHS to ramp up preparations for an Iranian cyberattack and called on the White House to brief Congress on its plans. 

Tensions ratcheted up dramatically over the weekend with Iran suspending its commitments under the 2015 nuclear deal. Trump warned that if Iran took military action against the U.S., he would target Iranian cultural sites, which would constitute a war crime under international law. 

Iran may want to delay any damaging cyberattacks until it’s clear how far the conflict will escalate, experts say. That’s especially likely because most highly damaging cyberattacks require months of advance work to surreptitiously break into a company’s computer networks — and attackers can only strike once before they’re discovered and kicked out.

“Iran will definitely use everything they have at their disposal eventually, but I don’t think a major cyberattack right this second makes sense,” Jake Williams, founder of the cybersecurity company Rendition Infosec and a former National Security Agency official, told me. “Every piece of malware Iran uses now removes a bullet they can fire later to have a greater effect.”

There’s also a possibility, however, that Iran will be extra careful about crossing red lines with a cyberattack out of fear the Trump administration will retaliate much more aggressively than expected.

The Obama administration was wary of escalating hacking conflicts or of responding with military force, preferring to rely on indictments, sanctions and diplomatic tools. The Trump administration, however, has been much less predictable. Already on Sunday, Trump was warning that his administration might respond to Iranian attacks “in a disproportionate manner,” another possible violation of international law.

“All the lines are completely obliterated with this administration, and you don’t know how they’re going to react,” said Tony Cole, chief technology officer at Attivo Networks. “So [Iran] is going to have to tread carefully.”

PINGED, PATCHED, PWNED

with Tonya Riley

PINGED: Iran could also respond with disinformation operations on social media. 

Researchers have already spotted a surge in suspicious posts drumming up pro-Iran sentiment, as Tony, Isaac and Craig report. Some accounts on Instagram started tagging the White House in images featuring flag-draped coffins, for example. Bogus claims of an additional airstrike against an Iraqi air base were also spreading on Twitter and the messaging app Telegram.

In other cases, nonpolitical social media accounts were repurposed for coordinated anti-U.S. messaging after the attack, the Atlantic Council’s Digital Forensic Research Lab director Graham Brookie told my colleagues.

The activity echoes previous Iranian information operations. Facebook and Twitter have taken down thousands of pages and accounts engaging in inauthentic pro-Iran behavior over the past two years.

PATCHED: U.S. military services are banning their members from using TikTok following a warning from the Pentagon last month that the Chinese-owned social media app poses national security risks. The Air Force and Coast Guard confirmed their members are banned from downloading the app, Ben Kesling and Georgia Wells at the Wall Street Journal reported Friday.

That followed similar crackdowns by the Navy and Army. The U.S. Marine Corps is also banning the app, the New York Times's Neil Vigdor reported.

Pentagon officials fear that troops using the Chinese-owned app could be unwittingly sharing sensitive information, such as their location, with the Chinese government, a spokesperson told my colleagues Tony Romm and Drew Harwell. Members of Congress have also raised concerns that the app could be compromising Americans' personal data.

TikTok has repeatedly rebuffed cybersecurity concerns, saying that U.S. users’ data is not stored in China and would never be shared with Beijing.

PWNED: Microsoft took down over 50 websites used by suspected North Korean hackers after obtaining a U.S. court order last week, the company announced.

North Korean hackers were using the sites to attack employees at think tanks, universities and organizations focused on nuclear proliferation, the company said. Most targets were based in the United States, Japan and South Korea. It is unclear how many people the hackers successfully compromised using the network of sites.

This is the fourth time Microsoft has used a U.S. court order to take over domains used by nation-state hackers. Previous efforts targeted hacking groups affiliated with China, Russia and Iran.

PUBLIC KEY

— Cybersecurity news from the public sector:

When hackers began slipping into computer systems at the Office of Personnel Management in the spring of 2014, no one inside that federal agency could have predicted the potential scale and magnitude of the damage. Over the next six months, those hackers — later identified as working for the Chinese
Yahoo News
The FBI is warning U.S. companies about a series of recent ransomware attacks in which the perpetrator, sometimes posing as a government agency, steals data and then encrypts it to further extort victims.
CyberScoop
The U.S. Federal Communications Commission (FCC) said on Friday it will accept public comments until Feb. 3 on its determination that China’s Huawei Technologies Co Ltd and ZTE Corp pose national security risks.
Reuters

PRIVATE KEY

— Cybersecurity news from the private sector:

GCHQ isn't fully convinced the London Stock Exchange failure was due to a glitch.
Engadget
Travelex, a major international foreign currency exchange, has confirmed it has suspended some services after it was hit by malware on December 31. The London-based company, which operates more than 1,500 stores globally, said it took systems offline “as a precautionary measure in order to pr…
TechCrunch
In the breach known as Cloud Hopper, cyberattackers allegedly working for China’s intelligence services broke into cloud companies, including CGI and IBM, to steal volumes of intellectual property and records from scores of companies.
Wall Street Journal

THE NEW WILD WEST

— Cybersecurity news from abroad:

Austria suspects a foreign country is behind a serious cyberattack on information systems at its Foreign Ministry that continued on Sunday, the ministry said.
Reuters
U.K. government agencies are examining whether a trading outage blamed on a software hiccup at the London Stock Exchange in August may actually have been caused by a cyberattack aimed at disrupting markets, according to people familiar with the matter.

ZERO DAYBOOK

Coming up:

  • The Committee on House Administration will hold a hearing entitled “2020 Election Security - Perspectives from Voting System Vendors and Experts” at 10 a.m. on Thursday.