On January 3, 2020, Iran’s Qassem Suleimani, head of the Islamic Revolutionary Guard Corps Quds Force (IRGC-QF), was killed by a US drone strike. Iran’s Supreme Leader Ali Khamenei declared that “harsh revenge” awaits those who led the strike against Suleimani. The military advisor to Khamenei stated that Iran’s response would “for sure be military” and directed against US military sites. It is hard to tell what the full nature of Iran’s response will be; history has shown they have an ability to surprise. However, we assess the most likely response will be state-sponsored destructive cyber attacks done in a way that implies they were launched by Iran but still offers some level of ambiguity over the source. We also assess increased attacks by hacktivist supporters of Iran.
A key reason for this assessment is our opinion that Iran is very likely hesitant to confront the US with direct military attacks. Their proxies may seek to escalate terror attacks, but this is different from direct military engagement.
Additional information on the Iranian Cyber Threat:
The US Department of Homeland Security (DHS) on Saturday issued a rare National Terrorism Advisory System (NTAS) alert warning about possible Iranian terror and cyber campaigns in retaliation for the Suleimani strike.
The operational cyber forces of Iran have been exercised for years. A key entity in Iran responsible for cyber war is called “The Cyber Defense Command”, which was stood up in 2010. It officially works under the country’s “Passive Civil Defense Organization” in the Iranian Armed Forces. The government is known to contract out many cyber attack functions, including development of exploits and sometimes operational attacks.
One of their most famous and costly cyber attacks was the devastating 2012 attack against Saudi Aramco, which destroyed over 60,000 computers and other equipment. Their forces have grown even more capable since then.
Some famous cyber attacks believed to be run by Iran include:
There are also pro-Iranian supporters with hacking skills that may operate outside of government control. They are less capable but could execute attacks that put nations on escalatory paths. Hackers could draw the US and Iran into a larger cyber war, and that could turn into a kinetic war. This is a slippery slope. This type of pro-Iranian hacker is probably responsible for the attack against a misconfigured US government server on 4 Jan 2020, which posted a message claiming to be part of a coming campaign.
We should also note that there have been documented cases of Russian state-sponsored groups hijacking and using Iranian cyber infrastructure for their attacks. This type of activity adds to the complexity of cyber attacks and can lead to mischaracterization and misattribution of attacks. It is not clear whether an attack coming from Iranian infrastructure is coming from Iran or Russia.
Iranian cyber war groups have skills in espionage and attack, and have been known to use cyber espionage to position themselves for further exploitation and attack. They are known for using a combination of commonly available tools and custom-developed code. They also have the skills required to operate as teams, where multiple experts are continuously operating to take advantage of situations in dynamic environments. Historically some tactics have been favored over others, but the biggest point here is that the teams have the skills to alter tactics.
There are actions that all organizations can take to reduce the risk of loss during coming cyber attacks. They include:
For more defensive measures see:
And for more on the Iranian Threat see: