This story was updated at 2:38 p.m. EST.
Following the U.S. drone strike that killed a top Iranian general, cyber experts are sounding the alarm that the "forceful revenge" promised by Iran’s supreme leader could include cyberattacks on American energy companies.
Maj. Gen. Qassem Soleimani was killed early Friday in a drone strike authorized by President Trump. The State Department said the strike was "in response to imminent threats to American lives."
The killing of the head of the Quds Force of the Islamic Revolutionary Guard Corps left many experts guessing what retaliation Iran has in store.
"My money is on the side of something cyber is going to happen or already has happened," said Sergio Caltagirone, vice president of threat intelligence for cybersecurity firm Dragos Inc.
"Industrial infrastructure worldwide … is all very underprepared to defend itself, so it’s extremely vulnerable to disruption," said Caltagirone. "Luckily, our infrastructure is fairly resilient, and so any disruption will be likely minimized."
The public nature of the Friday drone strike — U.S. officials quickly confirmed Soleimani’s killing — means it’s likely that somebody will take credit for an Iranian attack if and when one occurs, Caltagirone said, as a signal to the United States or its allies.
But what a possible cyberattack might look like is anybody’s guess, he said.
The Department of Homeland Security issued a terrorism advisory Saturday noting that "Iran maintains a robust cyber program" and can direct cyberattacks on U.S. targets.
"Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States," DHS said, adding that "an attack in the homeland may come with little or no warning."
Attacking U.S. critical infrastructure would be a significant escalation by Iran, said Nathan Brubaker, who leads the cyber-physical intelligence team at cybersecurity firm FireEye Inc., but he added that "recent events could change Iran’s appetite for such activities."
"While Iran has shown some interest in industrial control systems in target environments, they have not demonstrated the ability or interest in carrying out any type of targeted ICS attack — which would require potentially years of preparation," Brubaker said.
John Hultquist, director of intelligence analysis at FireEye, said that his team expects to see an increase in espionage and "disruptive and destructive cyberattacks against the private sphere." The latest U.S. strike might cause Iran to throw out the previous restraint its hackers showed following the 2015 nuclear deal, Hultquist said. The Iranian government said yesterday that it would no longer limit its nuclear program, effectively abandoning that agreement.
Adam Meyers, vice president of intelligence at cybersecurity firm CrowdStrike, said in a statement that "organizations in the financial, defense, government, and oil and gas sectors" are most likely to be targeted by Iranian state-affiliated hackers. Meyers said they are also watching for distributed denial-of-service and ransomware attacks.
Last month, Microsoft Corp. researcher Ned Moran revealed that the suspected Iranian hacker group known by researchers as APT33, also known as Refined Kitten or Elfin, is growing increasingly interested in industrial control systems, the computers that monitor and control machines in industrial environments like those that underlie the U.S. power grid.
‘Deep’ capability
Following the news of the attack, Cybersecurity and Infrastructure Security Agency Director Chris Krebs said on Twitter that it was "time to brush up on Iranian [tactics] and pay close attention to your critical systems, particularly ICS."
Krebs also linked to a statement given last June detailing the rise of Iranian hackers using destructive cyberattacks that delete computer data, known as "wiper" attacks. In 2012, Iran-linked hackers are believed to have launched a "wiper" cyberattack on Saudi state-owned oil giant Saudi Arabian Oil Co. that effectively destroyed thousands of computers (Cybersecurity Update, Jan. 2).
Scott Aaronson, the vice president for security and preparedness for the Edison Electric Institute, said that the electric power industry is working through the Electricity Subsector Coordinating Council to "ensure vigilance and the ability to respond quickly should the situation evolve."
New York Gov. Andrew Cuomo on Friday directed the state Office of Information Technology Services to check "all cybersecurity details" as a result of the increased tensions, noting that the New York Power Authority is also "conducting checks and patrols on all utilities."
Secretary of State Mike Pompeo said Friday morning on "Fox and Friends" that "there’s always risk of Iranian cyberattacks. Iran has a deep and complex cyber capability, to be sure — know that we’ve considered that risk."