US, Iran cyber warfare possible post assassination of Iran’s Qassem Suleimani

(left to right): John Hultquist, Director of Intelligence Analysis, FireEye and Lee Foster, Senior Manager, Information Operations Analysis, FireEye Intelligence

According to FireEye, the assassination of Qassem Suleimani by the US has increased the likelihood that a decade of cyber-hostilities between the US and Iran could escalate into true cyberwarfare. And with tensions mounting and Iran threatening severe revenge over the killing, concerns have arisen that blowback could come in the form of hacking attacks on critical infrastructure sectors.

John Hultquist, Director of Intelligence Analysis, FireEye

Given the gravity of the operation last evening, we are anticipating an elevated threat from Iranian cyberthreat actors. FireEye has launched a Community Protection Event to streamline coordination on this specific threat.

We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere. Prior to JCPOA, Iran carried out such attacks against the US financial sector as well as other businesses and probed other critical infrastructure. Since the agreement and despite the erosion of relations between Iran and the US, Iran has restrained similar activity to the Middle East. In light of these developments, resolve to target the US private sector could supplant previous restraint.

Iran has leveraged wiper malware in destructive attacks on several occasions in recent years. Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations. We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.

Lee Foster, Senior Manager, Information Operations Analysis, FireEye Intelligence

Iran has readily embraced the use of online information operations to support its geopolitical objectives over the past few years, and has refined a vast array of tactics and sophisticated methods that it continues to hone and leverage today.

These tactics have included the creation of large networks of inauthentic news sites designed to amplify pro-Iran propaganda globally and discredit rivals, including the US; the impersonation of influential individuals on social media including political candidates running for office in the US; the creation of fabricated journalist personas designed to solicit interviews with political experts espousing views advantageous to Iranian interests; and the creation of networks of inauthentic social media accounts masquerading as real, politically-inclined individuals, including those based in the US, designed to propagate commentary critical of Iran’s political rivals.

We are already seeing Iranian disinformation efforts by these networks surrounding last night’s strike, and the US should expect that Iranian influence efforts surrounding the US will increase over the coming days or weeks as political developments evolve.

There are many similarities and some differences between Iran’s tactics in this space and those of Russia, which has received the majority of public attention regarding state-directed information operations. Iran’s efforts, in general, have been more geographically widespread than Russia’s, being directed at audiences in most parts of the globe. They have heavily pushed traditional state propaganda and criticized geopolitical rivals; however, it is often overlooked that, in a manner similar to Russia, Iran has also aggressively sought to use these tactics to directly influence the domestic politics of individual countries, including the US, and to take advantage of and amplify existing divisions between communities for its own ends.