Why Iran won’t rush a cyber response against the US

Article by Robert Scammell – Verdict

The spectre of an Iranian cyberattack loomed large following the assassination of Iran’s general, Qasem Soleimani, but has so far – publicly, at least – gone unrealised.

Tensions between Iran and the US have simmered after Tehran admitted it mistakenly shot down a Ukrainian passenger jet, killing all 176 people onboard.

While the rhetoric on both sides has been dialled down, cybersecurity experts warn that any Iranian cyber-response would likely come in the coming weeks and months – not imminently.

This is in part because Iran, in all likelihood, does not currently have the access to US computer systems that it needs to launch what it deems a commensurable response.

When carrying out a cyberattack, hackers often use a process known as ‘lateral movement’ to move around the target’s network, searching for the key data and assets needed before striking.

“Given the fact that we didn’t see anything in the immediate aftermath that was cyber-related, tells me that they probably didn’t have the assets that they needed to be able to pull off a proportionate response,” says Dave Weinstein, chief security officer for cybersecurity firm Claroty and a formerly of US Cyber Command.

“So what we’ll see I think in the coming weeks and in the coming months is just more and more operations geared at gaining that access.”

Tony Cole, chief technology officer at cybersecurity firm Attivo Networks, agrees.

“Multiple beachheads into our systems should be a major concern for the US government and every CISO as well, because if [Iran is] in, and undetected, we don’t know what damage they can do until they do it,” says Cole, a former member of the US Army.

“Organisations must put instrumentation in place to detect lateral movement to ensure we can detect these beachheads or we’ll likely suffer the consequences down the line.”

Iran cyber response so far

In the immediate aftermath of the deadly airstrike against Soleimani on 3 January, hackers claiming to be “Iran cyber security group hackers” defaced a minor US government website with a picture of a bloodied President Donald Trump.

“We did not see much more than that, but of course it isn’t that simple,” says Malcolm Taylor, director of cybersecurity at ITC Secure and formerly of GCHQ.

“For example, it could be argued that a very strong Iranian cyber response may well have gone unnoticed – and could be in the form of laying down capability for later in case of increased tension with the US.”

This access to US networks, he tells Verdict, would form a “contingency” that could be kept quiet until needed by Iran.

“Intelligence agencies love back pocket material like this,” he adds.

The threat to critical infrastructure

One fear is that Iran may respond with a cyberattack against US physical infrastructure – potentially with fatal consequences.

Tom Kellermann, former cybersecurity commissioner for President Obama, previously told Verdict that Iran cyberattacks against the US “could very much result in a loss of life”.

There is precedent for cyberattacks against infrastructure in the US-Iran conflict, albeit with the roles reversed. In July 2019, Trump ordered a cyberattack that crippled Iran’s missile systems. This was in retaliation for Iran’s physical attacks on oil tankers in the Gulf region and the shooting down of a US drone.

The concern for the US is a cyberattack against its critical infrastructure, such as hospitals, electric grids and transport networks, as well as attacks on its allies in the Middle East.

Such attacks have long been a concern for nation states, yet have fortunately been rare. Is it a credible threat in the US-Iran conflict?

“I certainly don’t want to be alarmist and pessimistic by any means,” says Weinstein, “but I do think it’s likely that we’ll see an uptick in Iranian aggression against critical infrastructure, particularly in North America, but also potentially against US assets in the Middle East and allied countries in the region.”

However, any cyber response from Iran would have to be weighed up against subsequent US retaliation. The US outguns Iran in both the physical and cyber world, and with an unpredictable US leader at the helm, Iran may well decide to opt against any notable cyber response.

“Given how this is playing out between the countries’ respective leaders and within the Islamic Republic itself, the Iranians will be hesitant to compel escalation on the part of the US,” says Weinstein.

“Therefore, if they do in fact have access to US critical infrastructure that could yield a disruptive or destructive effect, it’s questionable whether they will use it.”

Instead, he tells Verdict, Iran’s focus will be on putting itself in the position to respond immediately with a cyberattack, in the event of any further US military action.

“They’ll want to ensure they can respond non-kinetically and demonstrate not just to their own population that there are reprisals for foreign intervention, but to the world that they can project force – globally – through non-kinetic means,” Weinstein adds.

Does Iran really pose a significant cyber threat?

There is, however, an alternative explanation for Iran’s lack of cyber retaliation: it just doesn’t have the cyber capability.

While Iran has significant advanced persistent threat groups that have carried out attacks against the country’s enemies, both Russia and China are considered superior cyber threats.

Many of these groups were created in an effort to bolster Iran’s cyber capabilities following Stuxnet, a destructive malware deployed against Iran’s uranium enrichment facility by a joint US-Israeli intelligence operation.

“Iran does have some significant cyber capabilities,” says Cole. “In fact, they were way behind and Stuxnet was their wake up call to build serious nation-state capabilities. They are behind the Chinese and Russians, however. Those two countries have a lot more experience in this area over a much longer period of time.”

It is also possible that Iran is not as outwardly as aggressive as the US’ “hawkish” view of the Islamic Republic, says Taylor.

“My own view is that Iran’s reach, and threat, is largely internal and regional,” he says. “I struggle to see Iran – perhaps any longer – as a genuine international threat on the level or Russia or China or even North Korea.

“That extends to cyber; the regime’s interests are first and foremost existential and they understand they will not survive a conflict with the US.

“The truth is probably somewhere in between. Iran has limited capability and limited ambition. It would perhaps like to be more expansionist internationally but understands its limitations. To survive is enough, in the end.”