One afternoon in late December, a team of hackers surreptitiously entered the computer network of a western Ukrainian power company, Prykarpattyaoblenergo, and began taking control of critical circuit breakers across the region. Employees watched in horror as the cursors on their computer monitors began moving on their own, opening and executing commands at will. One by one, the hackers took electrical substations offline, injecting malware as they went that rendered the entire power grid inoperable. For several hours, some 230,000 people were plunged back into the Stone Age.
The December 23, 2015, cyberattack, which Ukrainian and American officials later blamed on Russia, is surely top of mind for many national security officials following the U.S. assassination of Qasem Soleimani, the second-most powerful military leader in Iran. The two countries have since backed away from the brink of war. But cybersecurity experts remain deeply concerned about the potential for more clandestine acts of retaliation. Iran, after all, is notorious for its use of asymmetric warfare. In 2018, U.S. officials warned that Iranian hackers had laid the groundwork for extensive cyberattacks on U.S. infrastructure, including electric grids and water plants, as well as healthcare and technology companies. Might they seize the opportunity to attack?
“Based on the attack that we did and the high profile of the individual that was killed in the drone strike, I could see them going after things like energy grids,” said David Harding, CTO and SVP of security company ImageWare Systems. “I could see them going after banking infrastructure. I could see them doing things that would cause large upheaval.”
So far, Iran appears to be pulling its punches. A retaliatory missile strike on a U.S. military base in Iraq, launched last week, appeared precisely calibrated to avoid any casualties. The only known cyberattack was a minor act of digital vandalism, in which Iranian hackers briefly took over and defaced fdlp.gov, a website for the little-known Federal Depository Library Program. “This is only small part of Iran’s cyberability,” the hackers threatened. “We’re always ready.”
Whether the United States is ready is more complicated. Sure, the U.S. military has fearsome offensive capabilities: The Stuxnet computer worm, which was allegedly built in partnership with Israel, is believed to have done massive damage to Iran’s nuclear program, for example. But the U.S. remains vulnerable at home. According to the Department of Homeland Security, the number of reported cyberincidents on federal systems increased more than tenfold between 2006 and 2015, culminating in a data breach at the Office of Management and Budget (attributed to China) that compromised about 4 million federal employees. And while the U.S. has yet to experience a major cyberattack on critical infrastructure, foreign adversaries and various nonstate actors have been probing our defenses. This past summer, three different cybersecurity firms reported observing Iran-linked hackers attempting to gain access to U.S. government targets in what appeared to be the first phase of a cyberespionage operation. More recently, security firm Dragos reportedly observed a password-spraying attack, also linked to Iran, targeting U.S. electric utilities and oil and gas firms.
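The password-spraying activity mentioned above is easiest to understand as a detection problem: a spray tries one or two common passwords against many accounts, so from the defender's side the signature is one source address failing against many distinct usernames with only a couple of attempts each inside a short window, whereas a brute force is the reverse (one account, many failures). The Python below is an added example and is not code from the article or from Dragos; the key=value log format, the field names and all of the log lines are constructed for illustration.

```python
"""Password-spray detector run over a constructed authentication log.

Per source address, a spray looks like many distinct usernames failing,
each only once or twice, within a short window. A single-account brute
force looks the opposite way round and is deliberately not flagged here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical key=value format, not real data).
# 203.0.113.5 sprays six accounts and gets into one; 198.51.100.7 brute
# forces a single account; 192.0.2.9 is a user mistyping a password once.
SAMPLE_LOG = """\
2020-01-08T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-01-08T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-01-08T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2020-01-08T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2020-01-08T10:00:05Z src=203.0.113.5 user=erin result=FAIL
2020-01-08T10:00:06Z src=203.0.113.5 user=frank result=SUCCESS
2020-01-08T10:00:07Z src=198.51.100.7 user=alice result=FAIL
2020-01-08T10:00:08Z src=198.51.100.7 user=alice result=FAIL
2020-01-08T10:00:09Z src=198.51.100.7 user=alice result=FAIL
2020-01-08T10:00:10Z src=198.51.100.7 user=alice result=FAIL
2020-01-08T10:00:11Z src=198.51.100.7 user=alice result=FAIL
2020-01-08T10:00:12Z src=198.51.100.7 user=alice result=FAIL
2020-01-08T10:30:00Z src=192.0.2.9 user=grace result=FAIL
2020-01-08T10:31:00Z src=192.0.2.9 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Return one event dict, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def parse_log(log_text):
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources whose failures in any `window` span at least `min_users`
    accounts with no account failing more than `max_per_user` times."""
    by_src = defaultdict(list)
    for e in parse_log(log_text):
        if e["result"] == "FAIL":
            by_src[e["src"]].append(e)

    alerts = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it covers at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            counts = defaultdict(int)
            for e in fails[start:end + 1]:
                counts[e["user"]] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                alerts[src] = {
                    "users": sorted(counts),
                    "window_start": fails[start]["ts"],
                    "window_end": fails[end]["ts"],
                }
                break  # one alert per source is enough
    return alerts


def successes_from_flagged_sources(log_text, alerts):
    """Accounts that a flagged source logged into successfully: the first
    thing an analyst wants to know, since those accounts need a reset."""
    events = parse_log(log_text)
    return {
        src: sorted({e["user"] for e in events
                     if e["src"] == src and e["result"] == "SUCCESS"})
        for src in alerts
    }


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    for src, info in found.items():
        print(f"spray from {src}: {len(info['users'])} accounts "
              f"between {info['window_start']} and {info['window_end']}")
    print("compromised accounts:", successes_from_flagged_sources(SAMPLE_LOG, found))
```

The thresholds are parameters because they depend on the environment: an identity provider fronting thousands of accounts would use a larger `min_users` and a longer window than the constructed sample, and sprays spread across many source addresses are better caught by grouping on the attempted password hash or user-agent rather than on `src` alone.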
The worst-case scenario—a cyberconflict in which power grids are shut down, trains derail, and petrochemical plants are turned into bombs—still sounds a bit like science fiction. But it wouldn’t take thousands of deaths for an attack to have devastating consequences. “Losing water or power for even a short while can cause a shock to people’s sense of security,” wrote RAND senior engineer Isaac Porche in a recent report. “Furthermore, any real or perceived tampering with the nation’s electoral process could be equally shattering to Americans’ sense of freedom.”
The next foreign adversary to hijack U.S. elections could go further than hacking emails or weaponizing Facebook. “In our simulations, one of the things that the red team actually came up with, the attack team, is to attack public infrastructure on election day,” said Roi Carmel, chief strategy officer at security firm Cybereason. “The way to make this impact doesn’t have to be attacking the Pentagon.” A multi-agency tabletop simulation scenario hosted by the company last year saw role-playing authorities forced by adversaries to shut down an election, after hackers sabotaged traffic lights, spread false propaganda about candidates and, in a futuristic twist, even hijacked self-driving cars to attack voters.
It might seem far-fetched, but Iranian attacks on U.S. technology are far from unprecedented. In an alert issued this week, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency highlighted a wide range of past Iranian attacks, including denial of service attacks aimed at U.S. banks, unauthorized access to a dam control system in New York state, and data theft at U.S. companies and universities. The agency also pointed to a 2014 attack on the Sands Las Vegas casino company, headed by the pro-Israel and pro-Trump billionaire Sheldon Adelson, in which customer data was stolen and servers wiped. A similar hack in 2012, attributed to Iran, struck tens of thousands of oil giant Saudi Aramco’s computers, wiping data and displaying the image of a burning American flag.
“Our current assessment is that organizations in the financial, defense, government, and oil and gas sectors are the most likely targets for retaliation activity,” said Adam Meyers, VP of Intelligence at security firm CrowdStrike, in a statement emailed to Fast Company. “We are also monitoring for Distributed Denial of Service (DDoS) activity, as Iran has employed DDoS attacks in the past, as well as other tactics, such as ransomware activity.”
James Lewis, director of the Technology Policy Program at the Center for Strategic and International Studies, suggested that industrial control systems in the energy sector are particularly vulnerable. “The nice thing about pipelines is they can practice this at home,” he said. “They can practice their attacks in Iran and then, if they want, use them here in the US.”
A more subtle sustained cyberattack could aim to sow discord by hacking and exposing embarrassing information about corporate and political leaders, as North Korean hackers are said to have done in the Sony Pictures hack in 2014 and Russian hackers are alleged to have done in the 2016 attacks on Democratic email servers. Attackers could also fan the flames of existing controversies to weaken sectors of the U.S. economy, like spreading doubt about various subsectors of the energy industry, suggests Theresa Payton, the CEO of security company Fortalice Solutions and the former White House CIO under President George W. Bush. “The right type of social media manipulation, misinformation, and amplification campaign could wreak havoc on how we think about our production of nuclear energy, coal, solar, wind,” she said. “They could go after all of the above.”
Mutually assured destruction
Though the U.S. has made progress in firming up its cybersecurity, there are still major vulnerabilities that could be exploited, writes Porche. First, many critical infrastructure systems lack effective software security. Second, many such systems are improperly configured and maintained, such as when IT personnel fail to deliver patches for operating systems or don’t use strong passwords. Third, with the growing number of WiFi-enabled devices that make up the Internet of Things, the number of potential targets has expanded exponentially, and many government agencies haven’t improved their security procedures, sloppily leaving network connections open and failing to implement network segmentation.
The good news, experts say, is that the worst-case scenario is highly unlikely. Iranian military leaders know that a violent cyberattack on civilian targets would likely result in serious retaliation from the United States and its allies. “The strategy that I see right now is they want to retaliate without dragging themselves into an all-out war with the U.S.,” said Carmel, the chief strategy officer at Cybereason.
When Iran first retaliated for Soleimani’s death, for instance, it appeared to pick U.S. military targets in Iraq that did not result in any casualties, effectively capping the cycle of escalation. That same strategic thinking would likely guide Iran in any future cyberattack, Lewis suggested. “If they turned out the lights in an American city, they would probably expect a violent U.S. response,” he said. “If they wipe the data from another casino, they might think they could get away with it.”
Of course, U.S. forces are always hunting for evidence of digital incursions—and are reportedly increasingly willing to use offensive cyberpower to prevent or preempt attacks. “It wouldn’t surprise me if Cyber Command is monitoring the Iranians to see if they should interfere,” said Lewis. In such cases, the costs of electronic snooping—probing U.S. systems for potential vulnerabilities—can escalate quickly.
At the same time, Carmel said, U.S. organizations have begun to invest more in technology to detect and stop cyberattacks sooner rather than later. With enough time and effort, practically any computer system can be hacked, but more robust monitoring and defensive capabilities have limited the number of soft targets, and increased the resources required to cause widespread damage. “America’s a really big country, and so there’s millions of targets, and some of them are really tough,” noted Lewis. “Some of the ones the Iranians would want to hit like the really big banks, they probably wouldn’t have the capability.”
Still, it’s not unlikely that heightened tensions could lead to some sort of digital attack by Iran, even if it’s less than apocalyptic. “They’ll be attracted to a cyberattack because it’s really the only way that they can do something in the continental United States,” said Lewis.
Iran could even enlist independent hackers to penetrate U.S. systems and destroy data, warned Payton, the CEO of Fortalice Solutions. One possibility is that Iranian officials could hire existing ransomware rings to target systems, and either hold data for ransom as usual or simply destroy it, as hackers did in the Aramco attack. “Iran could just pay a group of ransomware-destructionware syndicates to do this work for them,” she noted.
The Cybersecurity and Infrastructure Security Agency has advised companies and agencies to take typical cybersecurity steps like patching software, locking down unused ports, monitoring email for phishing attacks, and limiting account access. And organizations in general have ramped up their security practices in recent years, including sharing data on potential threats, Payton said. “A lot of information sharing has happened between us and our allies,” she added.
But the fact remains that the large number of targets means Iranian hackers may still be able to gain a foothold in critical U.S. systems, just as hackers armed with ransomware have found their way into big companies and government agencies in recent years.
“This is just an escalated situation,” said Harding. “It’s not new.”