The Washington Post

The Cybersecurity 202: U.S. should brace for Iran to cross red lines in cyberspace, experts warn

with Tonya Riley


The U.S. must brace for Iran to launch bold cyberattacks designed to cause major financial damage or threaten American lives as retaliation for the killing of one of its top generals, cybersecurity experts say. 

Security experts tell The Cybersecurity 202 that Iran may be willing to cross dangerous boundaries in cyberspace: For instance, they warn, Iranian hackers could launch attacks that shut down electricity for some Americans, destroy important financial records or disrupt hospital or transportation systems in ways that threaten lives. 

“We’re in a more escalated situation than we’ve been in the past, and there are some serious questions about where the red lines are,” John Hultquist, director of intelligence analysis for the cybersecurity company FireEye, told me. “They may not have a problem with people getting hurt at this point.” 

Experts are also warning that Iran could launch widespread ransomware attacks that encrypt U.S. companies' data and hold it for ransom, or target U.S. government contractors to punish them for working with the Trump White House. Or it might target U.S. allies in the Middle East or U.S. diplomatic targets abroad, as my colleagues Tony Romm, Isaac Stanley-Becker and Craig Timberg reported.

“We’re definitely in new territory,” Robert M. Lee, founder of the cybersecurity firm Dragos, which protects major industrial systems, and a former National Security Agency official, told me.

Iran has routinely tested the boundaries of what it could get away with in cyberspace, including pummeling U.S. banks after the Obama administration imposed new sanctions in 2012 and hacking control systems at a New York dam in 2013. It also allegedly wiped data from tens of thousands of computers at the Saudi state oil company Aramco in 2012 in one of the most destructive digital attacks ever launched. 

But it has always stopped short of launching the most serious attacks on U.S. targets. Experts fear it may soon abandon this restraint after the killing of Quds Force Commander Maj. Gen. Qasem Soleimani, whom the Trump administration charged was planning major attacks against U.S. targets.

Still, there are limits to Iran's capabilities. Lee says Iranian hackers aren’t sophisticated enough to launch an attack that could affect the whole nation; shutting off large portions of the electrical grid is not the true concern here. But they could disrupt electricity on a smaller scale, for instance, by targeting a U.S. city or portions of it. Even an outage of that size could succeed by prompting widespread fear about a larger attack and, possibly, draw the U.S. into an even broader conflict by triggering an outsize response. 

“It’s really hard to do these attacks, and you shouldn’t expect to see major blackouts across the U.S. as a whole,” Lee said. “My concern is that they’ll get a small win and we’ll overreact.”

Iranian hackers have gained access to U.S. industrial companies’ computer networks in the past, Lee told me, but there’s no public evidence they’ve launched destructive hacks once they’re in there.

Hultquist made a similar point on Twitter.

Government officials are also sounding alarms. Just hours after Friday's U.S. airstrike that killed Soleimani, the Department of Homeland Security’s top cybersecurity official, Chris Krebs, warned U.S. businesses to raise their defenses against Iranian hacks. 

By Saturday evening, Krebs’s agency was also monitoring the hack of a minor government website run by the Government Publishing Office, which was defaced with propaganda for Iran’s Islamic Revolutionary Guard Corps. There’s no confirmation tracing the hack to the Iranian government, agency spokeswoman Sara Sendek told me. 

Sen. Gary Peters (Mich.), the top Democrat on the Homeland Security Committee, also urged DHS to ramp up preparations for an Iranian cyberattack and called on the White House to brief Congress on its plans. 

Tensions ratcheted up dramatically over the weekend with Iran suspending its commitments under the 2015 nuclear deal. Trump warned that if Iran took military action against the U.S., he would target Iranian cultural sites, which would constitute a war crime under international law. 

Iran may want to delay any damaging cyberattacks until it’s clear how far the conflict will escalate, experts say. That’s especially likely because most highly damaging cyberattacks require months of advance work to surreptitiously break into a company’s computer networks — and attackers can only strike once before they’re discovered and kicked out. 

“Iran will definitely use everything they have at their disposal eventually, but I don’t think a major cyberattack right this second makes sense,” Jake Williams, founder of the cybersecurity company Rendition Infosec and a former National Security Agency official, told me. “Every piece of malware Iran uses now removes a bullet they can fire later to have a greater effect.”

There’s also a possibility, however, that Iran will be extra careful about crossing red lines with a cyberattack out of fear the Trump administration will retaliate much more aggressively than expected.

The Obama administration was wary of escalating hacking conflicts or of responding with military force, preferring to rely on indictments, sanctions and diplomatic tools. The Trump administration, however, has been much less predictable. Already on Sunday, Trump was warning that his administration might respond to Iranian attacks “in a disproportionate manner,” another possible violation of international law.  

“All the lines are completely obliterated with this administration, and you don’t know how they’re going to react,” said Tony Cole, chief technology officer at Attivo Networks. “So [Iran] is going to have to tread carefully.”

PINGED: Iran could also respond with disinformation operations on social media. 

Researchers have already spotted a surge in suspicious posts drumming up pro-Iran sentiment, as Tony, Isaac and Craig report. Some accounts on Instagram started tagging the White House in images featuring flag-draped coffins, for example. Bogus claims of an additional airstrike against an Iraqi air base were also spreading on Twitter and the messaging app Telegram.

In other cases, nonpolitical social media accounts were repurposed for coordinated anti-U.S. messaging after the attack, the Atlantic Council’s Digital Forensic Research Lab director Graham Brookie told my colleagues.

The activity echoes previous Iranian information operations. Facebook and Twitter have taken down thousands of pages and accounts engaging in inauthentic pro-Iran behavior over the past two years.

PATCHED: U.S. military services are banning their members from using TikTok following a warning from the Pentagon last month that the Chinese-owned social media app poses national security risks. The Air Force and Coast Guard confirmed their members are banned from downloading the app, Ben Kesling and Georgia Wells at the Wall Street Journal reported Friday.

That followed similar crackdowns by the Navy and Army. The U.S. Marine Corps is also banning the app, the New York Times's Neil Vigdor reported.

Pentagon officials fear that troops using the Chinese-owned app could be unwittingly sharing sensitive information, such as their location, with the Chinese government, a spokesperson told my colleagues Tony Romm and Drew Harwell. Members of Congress have also raised concerns that the app could be compromising Americans’ personal data.

TikTok has repeatedly rebuffed cybersecurity concerns, saying that U.S. users’ data is not stored in China and would never be shared with Beijing.

PWNED: Microsoft took down over 50 websites used by suspected North Korean hackers after obtaining a U.S. court order last week, the company announced.

North Korean hackers were using the sites to attack employees at think tanks, universities and organizations focused on nuclear proliferation, the company said. Most targets were based in the United States, Japan and South Korea. It is unclear how many people the hackers successfully compromised using the network of sites.

This is the fourth time Microsoft has used a U.S. court order to take over domains used by nation-state hackers. Previous efforts targeted hacking groups affiliated with China, Russia and Iran.


— Cybersecurity news from the public sector:

‘Shattered’: Inside the secret battle to save America’s undercover spies in the digital age (Yahoo News)

FBI warns U.S. companies about Maze ransomware, appeals for victim data (CyberScoop)

FCC says it will accept comments until February 3 on Huawei, ZTE security risks (Reuters)


— Cybersecurity news from the private sector:

UK investigates whether cyberattack led to stock exchange outage (Engadget)

Travelex suspends services after malware attack (TechCrunch)

Ghosts in the Clouds: Inside China’s Major Corporate Hack (Wall Street Journal)


— Cybersecurity news from abroad:

Austria suspects foreign state behind cyberattack on ministry (Reuters)

U.K. Examines if Cyberattack Triggered London Stock Exchange Outage (Wall Street Journal)


Coming up:

  • The Committee on House Administration will hold a hearing entitled “2020 Election Security - Perspectives from Voting System Vendors and Experts” at 10 a.m. on Thursday.