Over the last two years, U.S. banks and government agencies have enjoyed a notable respite from malicious Iranian cyber activity. The timing of this drop-off happens to coincide with the signing of the nuclear deal with Iran in 2015.
Now with U.S. President Donald Trump threatening to walk away from the nuclear deal, cybersecurity experts say it is likely Iran could resume its attacks against Western targets should Trump actually follow through with his threat.
“The story that I’m concerned about now is if the nuclear deal were to fall apart or get rescinded, what would be Iran’s reaction and what would they consider effective retribution against Western targets?” said Adam Meyers, vice president of intelligence at CrowdStrike, a cybersecurity company.
It remains uncertain which approach Trump will take, but whichever way he decides to go, his decision on the nuclear deal will not be made in a vacuum. There could be unintended consequences, particularly in the cyber domain, involving U.S. financial and corporate interests.
For now, the Trump administration is full of mixed messages. As recently as August, the president claimed Iran was not in compliance with the agreement, known as the Joint Comprehensive Plan of Action (JCPOA), but Chairman of the Joint Chiefs of Staff Gen. Joseph Dunford testified to Congress last week that Iran is fulfilling its requirements. He even said the agreement seems to be working.
“The JCPOA has delayed Iran’s development of nuclear weapons,” he said in response to written questions from the Senate Armed Services Committee.
Meanwhile, Trump continues to trash the pact. “The Iran deal was one of the worst and most one-sided transactions the United States has ever entered into,” he said on Sept. 19 at the United Nations General Assembly. “Frankly, that deal is an embarrassment to the United States, and I don’t think you’ve heard the last of it — believe me.”
But behind the scenes, his administration continues to take actions that uphold the deal. Earlier this month, it renewed sanctions relief for Iran, a move that signaled Trump may no longer be looking to blow up the deal.
His administration has until Oct. 15 to notify Congress whether Iran is keeping up its end of the bargain. Trump previously re-certified Iran’s compliance with the deal in July, and Secretary of State Rex Tillerson is reportedly urging the president to do so again.
While the world waits to see what Trump will ultimately do, cybersecurity companies are watching for a potential change in activity from Iran, which has matured its offensive cyber capabilities over the last few years through lots of practice in its regional backyard.
Before the nuclear deal was signed in July 2015, cyberattacks between Iran and the West were front-page news. First, there was the discovery of Stuxnet, a top-secret cyber weapon reportedly developed by the United States and Israel, which was used to sabotage Iran’s Natanz uranium enrichment plant.
Possibly in response to this attack, as well as stepped-up U.S. and European economic sanctions, Iranian hackers allegedly carried out a wave of computer attacks called “distributed denial of service” or DDoS attacks, in 2011 and 2012 against at least 46 major financial institutions and financial sector companies. The Justice Department eventually indicted seven Iranian hackers for the coordinated attacks, which included an attempt to shut down a New York dam.
“These attacks were relentless, they were systematic, and they were widespread,” Attorney General Loretta Lynch said at the time.
Other suspected Iranian cyber activity has included espionage, keeping tabs on dissidents at home and abroad, and probing defense and aerospace companies trying to access technologies that they were denied due to sanctions.
To launch formal negotiations on the nuclear deal, Iran signed an interim agreement in November 2013 with China, France, Russia, the United Kingdom, the United States and Germany. The final agreement was signed in July 2015, paving the way for sanctions on Iran to be lifted as long as it halted its nuclear activities.
Around this time, cyberattacks on Western targets slowed, according to several cybersecurity experts.
“Once Iran decided it really wanted to come to the table and actually negotiate something serious, they naturally took steps in a whole variety of areas to ramp back activities so that they weren’t being so confrontational,” said Michael Daniel, president of the Cyber Threat Alliance, an organization for cybersecurity practitioners to share threat intelligence. Daniel previously served as the cybersecurity coordinator in the Barack Obama administration.
But the nuclear deal was not the only contributing factor to Iran’s changing behavior. It also decided its cyber assets were more useful going after regional targets, Daniel said.
John Hultquist, director of intelligence analysis at the cybersecurity company FireEye, also observed the change in Iranian activity. “It certainly could be the result of detente between Iran and the West,” he said.
But he was also quick to point out that Iran never quit using its offensive cyber capabilities, it just shifted to a more regional focus.
“While that aggressive activity has slowed down in the West, it’s still going on in the Gulf and places like Saudi Arabia,” Hultquist said.
At CrowdStrike, Meyers said he didn’t attribute the drop in cyberattacks against Western targets to the nuclear deal.
“I think what caused them to stop were local issues in Syria and Yemen, and that they refocused a lot of their attention toward those regional issues versus overseas espionage activity,” he said.
For example, there has been a surge in Iranian attacks against Saudi Arabia recently. Saudi Arabia has said it’s worried that it might be hit by “Shamoon 2,” referring to the virus that struck Saudi Aramco, the world’s biggest oil company, in a massive cyberattack in 2012.
The Iranian government has also talked about building its own parallel internet that would provide similar services you’d find on the broader internet, but would allow the government to control the messages its citizens are getting. This might also explain the change in Iranian cyber activity.
“Some of the same resources that might have been used for external targeting might have been leveraged for internal development,” Meyers said.
While offensive attacks against Western targets dropped off, espionage and other activities never completely went away. A September report from FireEye identified a new hacking group believed to be sponsored by the Iranian government, nicknamed APT33, which has been targeting organizations in the aviation and energy industries in the United States, Saudi Arabia, and South Korea.
Hultquist explained that some cyber activity goes on no matter what, and APT33 fits into this category.
“But when geopolitics shift, whenever we inch toward conflict, nations engage their intelligence capabilities in anticipation of that shift or as part of that shift,” he said.
Cybersecurity experts agree that if the United States upends the nuclear deal and sanctions are resumed, Iran would likely seek to inflict some equivalent level of pain.
“One thing about the Iranians is that they are very much believers in proportionality,” said Daniel. “They’re going to want to take actions that they perceive are proportional to what’s being done to them.”
For example, in response to steep economic sanctions, Iran previously targeted U.S. financial systems. This could be the route they choose to take again.
Meyers said that what’s changed over the last five years is that the Iranians have gotten better at what they do.
He said they have learned how to use the same technologies in ways that make them far more effective. He has also observed a change in Iranian hacker communities, which up until 2015 were relatively open, with the only real barrier to entry being the ability to speak Farsi.
“Around 2015, a lot of these forums shut down. A lot of the hackers started ditching their handles. The hacker community became more professionalized and possibly formed closer relationships with the government,” Meyers said. “This ultimately improved their tradecraft.”
Advocates of the nuclear deal think its merits — preventing Iran from gaining a nuclear weapon — speak for themselves. The threat of stepped-up cyberattacks are merely a reminder that a decision to abandon the pact could have unforeseen consequences, and that second- and third-order effects should be part of the planning.
This is particularly true in cyberspace, where “nobody really understands how it all fits together,” Daniel said. It is difficult to launch an offensive cyber capability, and fully know what the downstream effects could be. “The opportunity for miscalculation, unintended escalation, and collateral damage is significant.”
The multilateral nature of the nuclear agreement could make the potential consequences that much worse.
“Notably, this deal is not a bilateral agreement, so if the U.S. breaks it, the ramifications would not only be targeted at the U.S.,” said Nate Fick, CEO of the cybersecurity firm Endgame. “Although the U.S. would bear the brunt of it, the collateral damage would likely be global.”
Kate Brannen is the deputy managing editor of Just Security and a nonresident senior fellow at the Brent Scowcroft Center on International Security at the Atlantic Council. Previously, she was a senior reporter covering the Pentagon for Foreign Policy.
This article was published jointly with Foreign Policy.