Shortly after Iran lobbed two-dozen missiles into two U.S. military bases in Iraq last week, the country's foreign minister tweeted that Iran had "concluded" its "proportionate" response to the assassination of Major General Qassem Soleimani.
Few people in the U.S. military are taking this statement at face value. Iran is likely to step up its harassment of the U.S. using its network of proxy groups in the Middle East and elsewhere. If history is any guide, that response will include cyber attacks against the U.S. government, companies and high-profile individuals—and possibly even the 2020 elections.
"I don't think Iran is finished," says Jon Bateman, a former Iran expert at the U.S. Defense Intelligence Agency and now a fellow at the Carnegie Endowment for International Peace. The door is open, he says, to "follow-on actions that are more covert or more plausibly deniable. Cyber classically is one of the tools."
Although Iran isn't considered to be one of the world's most formidable cyber threats—its program lags behind Russia's and China's—the nation is still capable of causing a great deal of disruption. Its past cyber attacks have been characterized by unpredictability, and it's unclear how much its capabilities have improved in recent years.
It's been a decade since Iran weathered a sophisticated cyber-attack that set its nuclear weapons program back on its heels. The U.S. and Israel are widely thought to have launched an astonishingly intelligent bit of malware called Stuxnet, which was small enough to fit on a thumb drive but smart enough to wend its way like a heat-seeking missile through the internet to penetrate Tehran's heavily-fortified nuclear program. Not only did Stuxnet destroy uranium centrifuges, used to make bomb-grade uranium, it disguised itself by creating a false appearance of normalcy to the engineers who monitored the equipment—until it was too late. "Iran... has demonstrated a clear ability to learn from the capabilities and actions of others," said an NSA report released by Edward Snowden and reported in 2013 by The Intercept.
Heightened tensions in the aftermath of the Suleimani killing have U.S. cyber experts worried about Iran-backed cyber attacks in the months to come.
The big worries
The most worrying cyber threat from Iran are those that could result in a loss of life. In this respect, Iran is capable of using hackers to support some kind of conventional military action, such as a bombing or the assassination of an individual or a kidnapping. It could also use cyber espionage or data collection techniques to monitor the movement of troops, ships or planes in the Middle east and target them for attack.
To conduct a targeted assassination, Iran would need to bring together a variety of streams of intelligence. Infecting mobile phones with malware would give it access to a cornucopia of information—including potentially the real-time whereabouts of targets. A phone hack could provide what experts call "pattern of life" information—where an individual tends to go, and when—that could be used to predict a target's whereabouts. By gaining access to phone calls, emails, text message and contact lists, hackers could even manipulate a target to walk unwittingly into a trap. "Iran has conducted many targeted killings abroad through its proxies and, perhaps, directly," says Bateman. "In 2020 that would include a cyber element. Any state would use that."
Installing malware on a mobile devices is not as hard as you might think. The simplest method is through "social engineering"—tricking targets into divulging compromising information such as passwords or, as Russian operatives did with Clinton campaign chairman John Podesta in 2016, installing malware. In recent years, popular messaging apps WhatsApp and iMessage have had "no-click" vulnerabilities—software bugs allow hackers to implant malware simply by sending a message, without requiring any action on the part of the target. Although these particular no-click vulnerabilities have since been patched, there could be others. Iran is not known to have exploited these vulnerabilities in the past, but that doesn't mean they wouldn't in the future.
Another worry is that Iran could generate disinformation for the purposes of inspiring violence. In recent months, Iran-backed groups have used social media to share false data about the U.S. military—one widely-circulated claim was that U.S. Marines had arrested an Iraqi Parliamentarian, says Bateman. "Actions that kind of foment anger and distrust of U.S. forces and incite violence against them would be concerning," he says.
Although Iran doesn't have the kind of massive misinformation apparatus in place to sow division, the way Russia did in the run-up to 2016, it's conceivable that Iran could seek to influence the 2020 election, if it wanted to, by other means. Iran has good cyber-attack chops in breaking and entering computer systems. These skills could be useful for finding and leaking sensitive information—similar to Russia's hack of the Democratic National Committee in 2016. Security experts suspect that Iran was behind the 2015 attack on the Saudi Ministry of Foreign Affairs, which uncovered confidential diplomatic cables that were subsequently leaked, according to Bateman.
Iran was already caught once trying to hack the Trump campaign. In October, Microsoft reported that a hacker group called Phosphorous, which it believes is linked to the Iranian government, made more than 2700 attempts to identify email accounts and attacked 241 of them, including some associated with a U.S. political campaign. The Wall Street Journal later reported that the campaign under attack was Trump's. The hackers had succeeded in breaking into four accounts, none directly linked to the campaign, before Microsoft shut it down. "This effort suggests Phosphorus is highly motivated and willing to invest significant time and resources engaging in research and other means of information gathering," Microsoft said in its October statement.
Iran could also pose a plausible threat to voting machines. Although the U.S. election system is fragmented, Iran could try to compromise voting infrastructure in key districts, spreading fear, uncertainty and doubt. Undermining Americans' faith in the legitimacy of the election could be even more destabilizing than tampering with the actual vote results.
Experts say that such a tactic would be out of character for Iran, which in the past hasn't shown much interest in the U.S. political election system. From Iran's point of view, there isn't much difference between the policies of the two U.S. parties. "Iran sees a consistent four-decade-long pressure campaign that has bipartisan approval," says Bateman. "But the killing of Soleimani is more personal than previous U.S. actions because of the relationship he had with the Supreme Leader [Ayotallah Ali Khamenei], so I wouldn't rule out something that sought to embarrass or harm Donald Trump personally."
Soft corporate targets
Disrupting corporations is both in character for Iran and well within its current cyber capabilities. Although Iran wouldn't be able to make much headway with tech giants like Apple, Google, Facebook, Amazon and Microsoft, myriad other organizations are vulnerable to hacking, including many banks, chemical plants, oil refineries, pharmaceutical companies, water treatment plans and the electrical grid. It's likely that Iran has been installing malware in such organizations over the past decade, to lie dormant for many years until the right moment. "It's called 'preparing the battlefield'," says Steven Bellovin, a computer-science professor at Columbia University in New York who consults for defense organizations. "You wait, like sleeper cells, until you have three or four chemical plants and a couple of power plants, and then you act."
The malware would presumably activate on a signal from Iran and then proceed to carry out a coordinated cyber attack. This could take many forms. In a power plant, malware could cause turbines to spin so erratically that they eventually broke down--which is exactly how Stuxnet took out the uranium centrifuges--shutting down portions of the grid. In a pharmaceutical company, malware could change dosages in pills coming off a factory line, sowing panic.
It's unlikely that Iran has the capacity for waging a cyber war that results in significant loss of life, experts say. For instance, although it could use malware to damage power plants, it would not likely be able to cause damage on enough of a scale to create a prolonged outage of the U.S. electrical grid. "A real cyber war would destroy critical infrastructure, killing potentially millions of people," says Scott Borg, director of the U.S. Cyber Consequences Unit, a non-profit research group specializing in cyber security. "If we're totally talking about real cyber war, Iran has no capability."
The Stuxnet malware is also not likely to be replicated by Iran's engineers. That weapon required more than just expert programming: it required a massive amount of intelligence gathering to figure out how to launch the virus to the exact computer chips the Iranian nuclear engineers had built into their uranium centrifuges. Iran simply doesn't have the expertise or the resources to develop malware on such a scale, experts believe. "Cyber weapons, or malware, aren't as simple as just picking a gun off the street that someone has dropped and then loading it and firing it yourself," says Bateman. "A cyber operation is a complex sequence of events, in which you need to understand, and penetrate, a specific target and work your way up to a specific effect you'd like to achieve."
One factor working against Iran's cyber capabilities, says Borg, is distrust of the government. Although Iran possesses considerable talent in the realm of computing, most capable hackers in Iran and its diaspora don't see eye-to-eye with the Ayatollah, and therefore they withhold cooperation. "The Iran hacker groups are more moderate politically," he says. "It's hard to acquire technological expertise without becoming a little cosmopolitan and moderate."
"But if you could offend them enough to get them to rally around their leaders," he says, "Iran could become a formidable cyber power in a short time—a matter of months."