On 6 January, the US Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued an alert suggesting that malicious cyber activity could be one of the potential ways Iran retaliates for the assassination of Qasem Soleimani, an Iranian Quds Force general, in a US drone attack.
"According to open-source information, offensive cyber operations targeting a variety of industries and organisations—including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defence industrial base — have been attributed, or allegedly attributed, to the Iranian government", read alert AA20-006A.
An altered photograph of a bloodied Donald Trump and a tribute to the Quds Force commander appeared on the website of the US Federal Depository Library Program on Saturday with a message saying: "Hacked by Iran Cyber Security Group Hackers. This is only small part of Iran’s cyber ability!" Western media outlets have attributed the intrusion to "low-level nationalist Iranian hackers".
'Iran May Have Increased Its Cyber Capabilities Since Stuxnet Attack'
Kevin Curran, a professor of cybersecurity at the Department of Computing, Engineering and the Built Environment at Ulster University, believes that Soleimani's killing may lead to "a surge in Iranian cyberwar attacks on Western targets".
According to the professor, the potential scenarios may include "a cyber-barrage aimed at civilians e.g. attacking power grids, stopping trains and airline systems, silencing mobile phones and overwhelming sites with traffic and defacement".
Curran presumes that Iran has increased its cyber capabilities since Operation Olympic Games, a covert and still unacknowledged cyber mission that envisaged implanting the Stuxnet malware at the Natanz nuclear plant in 2007.
'The Assassination of Soleimani is a Trap'
Finnish cybersecurity analyst Petri Krohn holds a different stance, insisting that "a cyberattack is the least likely option" that Iran may pick: "Cyberattacks are done in secret, retaliation needs to be public", he underscores.
Krohn ridiculed the fuss over the defacement of the US Federal Depository Library Program website, saying that this action cannot be equated to genuine "revenge". Furthermore, he casts doubt on the assumption that the cyber intrusion was conducted by individuals residing in the Islamic Republic.
"I do not think this attack has anything to do with Iran", he opines, adding that the so-called Iran Cyber Security Group Hackers "may actually be some script kiddies in California who oppose Trump and want to punch him in the face".
To explain his point, the analyst refers to a similar hacker group called the "Syrian Electronic Army" that defaced a few websites and leaked some hacked documents during the Syrian civil war, when Syria was "almost without internet connections". According to Krohn, some of those hackers may have been Syrian expatriates living in the West, given that they mainly communicated in English.
The Finnish cyber expert believes that Soleimani's assassination is nothing short of a US trap for Iran aimed at provoking Tehran into overreacting.
"There is much speculation about Iranian retaliation", he says. "All this talk serves the purpose of painting Iran as a terrorist state. The assassination of Soleimani is a trap. It is designed to draw Iran to the same level of lawlessness as the US. If Iran is wise it will not be drawn into this trap".
The US previously attributed a series of cyberattacks to Iranian hackers, which Tehran subsequently denied, including:
• DDoS targeting of the US financial sector from late 2011 to mid-2013;
• unauthorised access to the control system of a New York dam in 2013;
• intrusion into the Sands Las Vegas Corporation in Las Vegas, Nevada, and theft of customer data in 2014;
• theft of academic and intellectual property data in a massive attack targeting 144 US universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the US Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund, from 2013 to 2017.
The Shamoon malware attack that took out more than 35,000 computers at Saudi-owned Aramco in 2012 was also blamed on Iran. However, WikiLeaks' Vault 7 revelations cast doubt on the origins of international malicious cyberattacks, revealing that the Central Intelligence Agency (CIA) could fake the "fingerprints" of a hack to make it look like it came from a foreign agent or country. Besides this, the aforementioned Shamoon appears in CIA files as one of the tools presumably weaponised by the agency.