By Bruce Sussman
Mon | Jan 6, 2020 | 8:15 AM PST

Until now, most of the discussion about nation-state cyber threats to Western nations has focused on China, Russia, and North Korea.

And it is true that those three countries have notorious cyberattack pedigrees:

  • China: experts at stealing intellectual property and R&D
  • Russia: infamous for election interference and keeping the U.S. in a "political churn," along with socially engineering our social media against us
  • North Korea: known for cyberattacks, like ransomware, which are fundraisers to help it survive amid very tight embargo restrictions and economic sanctions

[RELATED: Top 3 Cyber Threats to the U.S. Ranked and Defined]

But now, just days after the U.S. killed a top Iranian official, the idea that Iran could launch a cyberattack in response is being talked about openly. 

But what are Iran's cyber capabilities actually like? 

Here are three things we know about Iran and cyber warfare.

#1: Iran cyberattacks are now targeting U.S. elections

In the fall of 2019, Microsoft announced a cyberattack that was small in scale but strategically significant, coming from one of the key Iranian hacking groups.

"Today we're sharing that we've recently seen significant cyber activity by a threat group we call Phosphorus, which we believe originates from Iran and is linked to the Iranian government. 

In a 30-day period between August and September, the Microsoft Threat Intelligence Center (MSTIC) observed Phosphorus making more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts. The targeted accounts are associated with a U.S. presidential campaign, current and former U.S. government officials, journalists covering global politics and prominent Iranians living outside Iran."

According to Microsoft, the group used a rather simple but effective method to gain access to some accounts:

"Phosphorus used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts. For example, they would seek access to a secondary email account linked to a user's Microsoft account, then attempt to gain access to a user's Microsoft account through verification sent to the secondary account. In some instances, they gathered phone numbers belonging to their targets and used them to assist in authenticating password resets."
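The recovery-abuse pattern Microsoft describes has two observable halves: one origin probing many unrelated mailboxes, and a successful reset through a secondary channel from a source the account has never used. The following detection sketch over constructed recovery-event logs is an added example (not Microsoft's telemetry or tooling); the field layout, source labels and account names are all assumptions.

```python
from collections import defaultdict

# Constructed sample of account-recovery events (not real telemetry).
# Fields: timestamp, source network, target account, verification channel, outcome
RECOVERY_EVENTS = [
    ("2019-08-14T09:01:00", "src-A", "campaign.staff1@example.com", "secondary_email", "failed"),
    ("2019-08-14T09:02:10", "src-A", "campaign.staff2@example.com", "secondary_email", "failed"),
    ("2019-08-14T09:03:30", "src-A", "journalist@example.com", "sms", "failed"),
    ("2019-08-14T09:05:00", "src-A", "former.official@example.com", "secondary_email", "success"),
    ("2019-08-14T10:00:00", "src-B", "former.official@example.com", "secondary_email", "success"),
    ("2019-08-14T11:30:00", "src-C", "regular.user@example.com", "secondary_email", "success"),
]

# Sources each account has previously authenticated from (constructed).
KNOWN_SOURCES = {
    "former.official@example.com": {"src-B"},
    "regular.user@example.com": {"src-C"},
}

def fan_out_sources(events, min_targets=3):
    """Sources that started recovery flows against many distinct accounts.
    One origin touching many unrelated mailboxes is the 'identify, then
    attack' pattern in the Microsoft report."""
    targets = defaultdict(set)
    for _, src, account, _, _ in events:
        targets[src].add(account)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}

def unfamiliar_successful_resets(events, known_sources):
    """Successful recoveries via a secondary channel (email/SMS) from a
    source the account has never authenticated from before."""
    hits = []
    for ts, src, account, channel, outcome in events:
        if outcome != "success" or channel not in ("secondary_email", "sms"):
            continue
        if src not in known_sources.get(account, set()):
            hits.append((account, src, channel, ts))
    return hits

def triage(events, known_sources):
    """Accounts reset from an unfamiliar origin that is also a fan-out source:
    the intersection is where a defender should look first."""
    noisy = set(fan_out_sources(events))
    return sorted({acct for acct, src, _, _ in unfamiliar_successful_resets(events, known_sources)
                   if src in noisy})
```

In the constructed sample, src-A probes four accounts and succeeds once from an origin the target has never used, so only that account is surfaced; the legitimate resets from src-B and src-C are not.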

The New York Times claimed it was President Trump's re-election campaign that was attacked.

#2: Iran believes it can fight superpowers in the cyber realm

This second point is really timely right now.

CNN Military Analyst and cybersecurity expert Col. Cedric Leighton (USAF, Ret.) spoke to us at a SecureWorld cybersecurity conference about the cyber threat that Iran poses. 

"Iran's story is very interesting. They developed a cyber army that is associated with the Iranian Revolutionary Guard Corps (IRGC). Their main goal in that cyber army is to not only affect computer networks around the world, but also to go specifically into the networks of their neighbors.

The Iranian leadership has boasted about having this capability, that it gives them an asymmetric advantage. They understand the United States would be a big threat to them in a normal kinetic war, but they realize there is a degree of vulnerability that they otherwise wouldn't be able to exploit if they didn't have that cyber capability.

If tensions continue to increase with Iran, we can expect more cyber events to originate from Iran and from the IRGC cyber army."

And tensions are rising.

#3: Iran warns its critical infrastructure of cyberattacks by the U.S.

While Iranian cyberattacks on the United States appear to be going after targets like elections and could be used for retaliation, Reuters reported a very interesting angle to this story.

Iranian leaders recently warned industry in Iran to protect itself against the likelihood of a cyberattack by the U.S. and other enemies.

"Gholamreza Jalali, head of civil defense which is in charge of cyber security, called for beefing up security at industrial installations and said: 'Our enemies consider the cyber domain as one of the main areas of threat against nations, especially Iran,' the semi-official news agency Fars reported.

Iran has long been on alert over the threat of cyber attacks by foreign countries. The United States and Israel covertly sabotaged Iran's nuclear program in 2009 and 2010 with the now-famous Stuxnet computer virus, which destroyed Iranian centrifuges that were enriching uranium."

This whole thing reminds us of a promise former Secretary of Homeland Security Kirstjen Nielsen made a couple of years ago:

"I have a newsflash for America's adversaries: complacency is being replaced by consequences."

Both Iran and the U.S. should plan for a spike in cyberattacks

Regardless of what Iran and its cyber army decide to do, hackers around the world are likely choosing sides and launching cyberattacks out of spite against whichever of the two countries they disagree with in a given conflict.

We learned about this from cybersecurity data scientist Kenneth Geers after his presentation at a SecureWorld conference. He spent more than 20 years as an intelligence analyst for the NSA, NCIS, and NATO.

"One of the first things to know, for your enterprise, if there is something happening in your city or state, or an election or military tension between your country and another, there will be malware that is on the rise, I can promise you that, within your space."

Geers says the malware is a reflection of human affairs. He knows this from studying peaks that appear in cyberattack data.

"I usually drop malware detections for countries on timelines and just look at where the spikes are. Was there something like an election or political violence? And there usually is.

In the case of North Korea, I dropped it on a timeline and then there was one huge spike in the middle of the year and literally, it was the day after Donald Trump was at the UN threatening to destroy North Korea.

Then I dug deeper and looked at the most serious types of malware on that map and I put them all together, and one of the things I found is that the single highest day for malware detection in North Korea was the very day that Donald Trump was in South Korea. Those are not coincidences."
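Geers' method, putting a country's daily detection counts on a timeline and checking whether the spikes line up with political events, is simple to reproduce. The following is an added example (not Geers' own code or data) using a constructed ten-day series and a constructed event calendar; it uses a median/MAD baseline so that one enormous spike does not inflate the "normal" level it is measured against.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed daily malware-detection counts for one country (not real data).
DAILY_DETECTIONS = {
    "2017-09-15": 1020, "2017-09-16": 980, "2017-09-17": 1050, "2017-09-18": 1010,
    "2017-09-19": 995, "2017-09-20": 3900, "2017-09-21": 1040, "2017-09-22": 1000,
    "2017-09-23": 970, "2017-09-24": 1030,
}

# Constructed calendar of political events to correlate against.
EVENTS = {"2017-09-19": "head-of-state speech at the UN"}

def robust_spikes(series, threshold=5.0):
    """Return {day: score} for days far above the typical level.
    Score is (count - median) / MAD; the median absolute deviation is
    used instead of the standard deviation so a single spike cannot
    drag the baseline up and hide itself."""
    values = list(series.values())
    med = median(values)
    mad = median(abs(v - med) for v in values) or 1.0  # guard against a flat series
    return {day: (count - med) / mad
            for day, count in series.items()
            if (count - med) / mad >= threshold}

def correlate(spikes, events, lag_days=1):
    """For each spike day, look for an event on that day or up to
    lag_days earlier (the 'day after' pattern Geers describes).
    Returns {spike_day: (event_day, description) or None}."""
    matched = {}
    for day in spikes:
        d = datetime.strptime(day, "%Y-%m-%d")
        for back in range(lag_days + 1):
            key = (d - timedelta(days=back)).strftime("%Y-%m-%d")
            if key in events:
                matched[day] = (key, events[key])
                break
        else:
            matched[day] = None
    return matched

if __name__ == "__main__":
    spikes = robust_spikes(DAILY_DETECTIONS)
    for day, hit in correlate(spikes, EVENTS).items():
        print(day, f"score={spikes[day]:.1f}", "->", hit or "no matching event")
```

A match is a lead for analysts, not proof of cause; the same check run over an empty event calendar simply returns None for every spike.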

The heightened concern around this type of trend as a result of tension between the U.S. and Iran led the U.S. Department of Homeland Security (DHS) to issue a special bulletin warning of possible cyber retaliation against the U.S.
