Now, with the Trump administration's drone strike against a high-ranking Iranian military figure, Department of Homeland Security officials are anticipating the possibility of a retaliatory cyberstrike, asking that state and local leaders "brush up" on Iranian cybertactics.
The killing of Maj. Gen. Qassem Soleimani, a high-ranking and influential figure in Iranian military affairs and political circles, Friday in Baghdad prompted Iran's supreme leader Ayatollah Ali Khamenei to promise a "forceful revenge," according to The New York Times. A country like Iran, with limited means to respond militarily, would likely attempt something within the digital realm, experts have warned.
Chris Krebs, director of DHS' Cybersecurity and Infrastructure Security Agency (CISA), took to social media Friday to reiterate previous warnings the agency had made and to encourage state and local leaders to take necessary precautions.
"Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS," he said via Twitter.
Given recent developments, re-upping our statement from the summer. Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS — Chris Krebs (@CISAKrebs) January 3, 2020
Those TTPs, or Tactics, Techniques and Procedures, have taken a number of forms in the past, including spearphishing attempts to steal documents and intelligence, or influence campaigns and fake profiles to spread misinformation, FireEye reports. Now, however, officials are most concerned that hackers may target industrial control systems as a means of causing havoc.
Indeed, experts worry that ICS — systems that are used to remotely control or manipulate utilities and services — will become a common target for foreign hackers in the future.
While nothing of that sort is known to have occurred, Iran has recently been tied to a number of domestic cyberincidents, including the 2018 ransomware attack that temporarily crippled Atlanta, for which two Iranian nationals were indicted.
Ironically, much of Iran's cybercapability has been built up in response to an attack thought to have been perpetrated by the West: the Stuxnet virus, which in 2010 knocked out key parts of the country's nuclear research program and is commonly believed to have been engineered by U.S. and Israeli forces.
U.S. defense officials feel that since then, Iran "has demonstrated a clear ability to learn from the capabilities and actions of others," establishing a constellation of cyberteams devoted to defensive and offensive activities alike.