Iran’s Military Response May Be ‘Concluded,’ but Cyberwarfare Threat Grows
Cybersecurity experts are seeing malicious activity from pro-Iranian forces, and warning that Iran has the capacity to do real damage to American computer systems.
WASHINGTON — Iran’s declaration on Wednesday that a missile attack on Iraq had “concluded proportionate measures” against the United States in response to the killing of its most important general may amplify the Trump administration’s attention on computer systems as the next battlefield in its showdown with Tehran.
Cybersecurity experts and government officials are already monitoring an uptick of malicious activity by pro-Iranian hackers and social media users that they believe are harbingers of more serious computer attacks from Tehran, including possible efforts aimed at destroying government databases.
“Iran has the capability and the tendency to launch destructive attacks,” said Christopher C. Krebs, the director of the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s computer security arm. “You need to get in the head space that the next breach could be your last.”
A battle cloaked in computer systems is more in keeping with Iran’s history of attacking the United States and its allies by clandestine means or through proxies. And mischief-making has already begun. In recent days, hackers have defaced government websites and pursued divisive disinformation campaigns on social media. Members of Iran’s Miqdad Cyber Base have used official state texting channels to threaten retaliatory strikes on the United States and Israel after the targeted killing of Maj. Gen. Qassim Suleimani.
The cybersecurity firm CrowdStrike warned customers in an alert obtained by The New York Times that it observed hackers supporting Iran’s Islamic Revolutionary Guards Corps deface local websites boosting the cities of Minneapolis and Tulsa, Okla., with images honoring General Suleimani. Over the weekend, hackers claiming to be associated with Iran replaced the home page of the Federal Depository Library Program, a division of the Government Publishing Office, with a doctored image of a bloodied President Trump getting punched in the face.
An adviser to Iran’s president, Hassan Rouhani, in a series of messages on Twitter, posted a link to Mr. Trump’s properties and said: “Our sole problem is Trump. In the event of war, it is he who will bear full responsibility.”
The public should be prepared for worse, Mr. Krebs said in an interview. Iran has the ability to not only access private-sector and government computers in the United States, but to “burn down the system,” he said.
“This is a capable actor that has demonstrated prior capability in the region,” Mr. Krebs said. “They’re known to be pretty aggressive.”
While most of the activity so far has been limited to anti-Trump threats on social media and government websites, cybersecurity experts have said that true retaliatory attacks could still be coming. A member of a chat group supportive of Iran’s Islamic Revolutionary Guards Corps told members to “await a final decision” from Iran’s leadership before launching attacks. The hackers of the federal library site included a message with their defacement that warned it was “only a small part of Iran’s cyberability.”
Former and current government officials predicted that Iran’s first method of retaliation would be a physical attack. On Tuesday, Iran fired more than a dozen missiles at two bases housing American troops in Iraq. Mohammad Javad Zarif, Iran’s foreign minister, said after the attack that Iran “concluded proportionate measures in self-defense.”
Mr. Trump responded on Wednesday by announcing new economic sanctions against Iran. Jamil N. Jaffer, the executive director of the National Security Institute at George Mason University’s law school, said the Iranians would not want their next move to provoke a large-scale retaliation from the United States. It could be more difficult for the United States to point to the culprit of an attack on computer systems.
“Conducting terrorist attacks and killing people is binary,” Mr. Jaffer said. “On the other hand, cyberattacks can be ratcheted up and down dynamically. As a result, cyberattacks give the Iranians more room in the event they want to engage in a further response.”
Tehran’s abilities are much more advanced than they were in 2009, when a classified United States intelligence assessment concluded that Iran had the motivation to inflict harm but lacked the skills and resources to do so.
Since then, Iranian hackers used data-destroying malware to target 30,000 computers at Saudi Aramco, the world’s largest oil company, destroying Aramco’s data, replacing it with the image of a burning American flag and upending the market for computer hard drives as a result. Iranian hackers took American banks offline in 2013 by flooding them with traffic in a so-called denial-of-service attack.
They also destroyed data on thousands of computers at the casino and resort company Las Vegas Sands Corp., after its chief executive, Sheldon G. Adelson, a Republican megadonor, suggested that the United States bomb Iran.
Mr. Krebs hosted a call last Friday with more than 1,700 members of the private sector and state and local governments, encouraging them to back up their data on storage sites not connected to the internet and to alert security personnel to be on the lookout for signs of breaches in their computer systems. While hackers have conducted attacks for ransom, Mr. Krebs warned that future attacks could simply be to cause mayhem.
Mr. Krebs’s agency serves mainly to advise private companies and local governments of risks before attacks are launched. While the United States government can assist in the event of a breach, private computer security firms and the companies themselves are expected to be able to handle the initial response and rebuild their networks.
Iranian hackers backed off from such destructive attacks in the lead-up to the signing of the Iran nuclear deal in 2015 and afterward. But Iranian hacking units never ceased; they moved to quieter espionage campaigns, with increasing sophistication.
After Mr. Trump backed out of the Iran nuclear deal in 2018, private security experts and American officials braced for a renewed campaign of Iranian computer warfare. At the time, Gen. Keith B. Alexander, the former director of the National Security Agency, told The Times, “With the nuclear deal ripped up, our nation and our allies should be prepared for what we’ve seen in the past.”
Last year, the Department of Homeland Security grew alarmed by a series of successful attacks on the Domain Name System, the underlying infrastructure that maps internet names to addresses. Private researchers at FireEye and other security firms found a connection between the hackers and Iran.
The hackers stole thousands of credentials from telecommunications companies, government agencies and internet infrastructure companies in the United States, Europe and the Middle East. Months later, as private researchers noticed an uptick in Iranian hacking, the Department of Homeland Security’s cybersecurity division issued a statement warning that Iran was looking to do more than “just steal money and data.”
The division released a new advisory on Monday night, warning that “Iran and its proxies and sympathizers” have the ability to conduct disruptive computer attacks, espionage and drone attacks. Customs and Border Protection, another arm of the Department of Homeland Security that employs agents at ports throughout the country, has instructed officers to enhance security.
Over the past year, Iranian hackers have been quietly probing American infrastructure and government networks, according to private researchers and the United States Cyber Command, the Defense Department agency responsible for carrying out attacks on computer systems.
Iranian hackers may use their access to destroy databases, or they may choose to try to gain access to the electricity grid that powers Silicon Valley “as a way of saying, ‘You may want to retaliate, but there will be consequences,’” said Suzanne Spaulding, a former under secretary for cybersecurity and critical infrastructure at the Department of Homeland Security. “‘We’re sitting here with a gun to your head.’”
In the past, Iran has used Hezbollah and Hamas for cyberactions, said James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington. That practice gives Iran a degree of deniability should it retaliate with cyberattacks.
It has also had some misfires. In 2016, the Justice Department indicted several Iranian hackers for penetrating the controls of the Bowman Avenue dam in Westchester County, N.Y.
American officials had panicked that the incursion had been at the towering Arthur R. Bowman Dam in Oregon, where a breach could have been catastrophic. Instead, Iranian hackers hit a 20-foot-high structure, where a sudden water release could have flooded the ground floors of some houses, but not much more.
“They didn’t have situational awareness to realize they wouldn’t have any impact at all,” Ms. Spaulding said.
Zolan Kanno-Youngs reported from Washington, and Nicole Perlroth from San Francisco. David E. Sanger contributed reporting from New York.
An earlier version of this article referred incorrectly to the legislative agency overseeing the Federal Depository Library Program, which experienced harassment at the hands of hackers associated with Iran. It is the Government Publishing Office, not the Government Printing Office, a former name for the agency. An earlier version also misstated the location of the Arthur R. Bowman Dam. It is located in Oregon, not Washington State. An earlier version also referred incorrectly to the organization at which James Lewis works. It is the Center for Strategic and International Studies, not the Center for Strategic Studies.
Zolan Kanno-Youngs is the homeland security correspondent, based in Washington. He covers immigration, border issues, cyber security, transnational crime and other national security threats.
Nicole Perlroth is a reporter covering cybersecurity and espionage. Before joining The Times in 2011, she reported on Silicon Valley at Forbes Magazine.