For years, US tensions with Iran have held to a kind of brinksmanship. But the drone assassination of Iranian general Qasem Soleimani, widely understood to be the second most powerful figure in Iran, has dangerously escalated tensions. The world now awaits Iran’s response, which seems likely to make new use of a tool that the country has already been deploying for years: its brigades of military hackers.
In the wake of Thursday’s strike, military and cybersecurity analysts caution Iran’s response could include, among other possibilities, a wave of disruptive cyberattacks. The country has spent years building the capability to execute not only the mass-destruction of computers but potentially more advanced—albeit far less likely—attacks on Western critical infrastructure like power grids and water systems.
“Cyber is certainly an option, and it’s a viable and likely one for Iran,” says Ariane Tabatabai, a political scientist at the RAND think tank who focuses on Iran. Tabatabai points to the asymmetric nature of a conflict between Iran and the US: Iran’s military resources are depleted, she argues, and it has no nuclear weapons or powerful state allies. That means it will most likely resort to the weapons that weak actors typically use to fight strong ones, like non-state terrorists and militias—and hacking. “If it’s going to be able to match the US, and compete with and deter it, it has to do it in a realm that’s more equal, and that’s cyber.”
Iran has ramped up its cyberwar capabilities ever since a joint US-Israeli intelligence operation deployed the malware known as Stuxnet in the Natanz uranium enrichment facility in 2007, destroying centrifuges and crippling the country’s nuclear efforts. Iran has since put serious resources into advancing its own hacking, though it deploys them more for espionage and mass disruption than Stuxnet-like surgical strikes.
“After Stuxnet, they built up multiple units across government and proxies, including the Quds that Soleimani led,” says Peter Singer, a cybersecurity-focused strategist at the New America Foundation. Singer argues that while Iran’s hackers had previously been restrained by the need for stealth or deniability, they may now instead seek to send a very public message. “Those forces aren’t equal to those of the US, certainly, but they have the capability to cause serious damage, especially if they’re not worried about attribution, which they may indeed now want.”
The most likely form of cyberattack to expect from Iran will be the one it has launched repeatedly against its neighbors in recent years: so-called wiper malware designed to destroy as many computers as possible inside target networks. Iran has used wipers like Shamoon and Stone Drill to inflict waves of disruption across neighboring countries in the Middle East, starting with an attack in 2012 that destroyed 30,000 Saudi Aramco computers. In 2014, Iranian hackers hit the Las Vegas Sands corporation with a wiper after owner Sheldon Adelson suggested a nuclear strike against the country. More recently, Iran’s hackers have hit private-sector targets in neighboring Gulf states like the UAE, Qatar, and Kuwait, as well as Saipem, an Italian oil firm for whom Saudi Aramco is a major customer.
“From what we know to date of their capabilities, they’re still really focused on IT-targeted wipers.” says Joe Slowik, an analyst at industrial cybersecurity firm Dragos who formerly led the Computer Security and Incident Response Team at the US Department of Energy.
Aside from the Sands incident, Iran has largely restrained itself from launching those wiper attacks on the US itself. But the Soleimani assassination may change that calculus. “Iran has been reluctant to go after Americans and US allied forces such as Australia or NATO,” says RAND’s Tabatabai. “Given the scale of last night’s attack, I wouldn’t be surprised if that’s changed.”