National Security

Expect Iran to react with cyberattacks now that nuke deal is dying, experts say

U.S. banks, utilities and airports may want to buckle up for retaliatory Iranian cyberattacks following the U.S. pullout from a nuclear accord with Iran, cyber researchers said Wednesday.

Iran has a history of unleashing its hackers at moments of geopolitical tension and has displayed a willingness to deploy broadly destructive attacks.

“It’s American businesses that are likely to bear the brunt of that,” said Levi Gundert, a former Secret Service agent who is vice president of threat intelligence at Recorded Future, a Somerville, Massachusetts, cybersecurity firm.

Iran’s state-run hacking efforts operate in a pyramid structure with some 50 groups of contractors with specialization in various types of malicious code, Gundert said. When the religious leadership of Iran seeks a quick response to international pressure, they sometimes put together teams of skilled hackers who are less ideologically aligned with the devout Islamic regime.

“Those folks aren’t necessarily the ones they trust the most,” Gundert said, and the impact of their attacks “could be a little messier.”

Iranian state hackers backed off a series of probing attempts against U.S. chemical, banking and transportation companies following a nuclear deal reached in 2015 between Iran and a group of world powers that included Britain, France, Germany, the United States, Russia and China. It is that agreement that President Donald Trump abandoned on Tuesday, imposing economic penalties again on Iran and those who do business with the Islamic Republic.

“In the absence of the agreement, that (hacking) restraint could disappear,” said John Hultquist, director of intelligence analysis at FireEye, a Milpitas, California, cybersecurity company that closely follows state-backed hacking around the globe.

Iranian hackers are likely once again to threaten major private corporations and critical U.S. infrastructure, Hultquist said,

Before the nuclear deal was struck, researchers tracked Iranian hackers who had burrowed deeply into critical components of the American transportation network, he said.

“They were in some very sensitive areas of airport networks where they could conceivably cause serious disruption,” Hultquist said, but the malicious code was identified and the hackers were booted off. He declined to identify which U.S. airports were affected., only saying there were “multiple” targets

Iran’s offensive cyber program geared up in 2009, around the time that U.S. and Israeli cyber warriors launched what became known as the Stuxnet worm that caused hundreds of Iranian centrifuges at its Natanz facility to spin out of control and shatter, a major blow to its nuclear program.

Since then, Iran has a pattern of launching cyberattacks to retaliate against efforts to weaken its theocratic regime, Recorded Future said in an analysis released Wednesday and based partly on what it said were interviews with a former Iranian hacker.

When then-President Barack Obama imposed severe financial sanctions on Iran in 2012, including removing the country from the global SWIFT money transfer system, Iran retaliated with cyberattacks on 40 or so major U.S. banks.

“It was a rolling denial-of-service attack, and there were multiple phases. It was, at the time, pretty impressive,” Gundert said. U.S. banks now are “much more resilient” and “have increased their capability demonstrably,” he said.

In August 2012, malware wiped data from around 30,000 computers at Saudi Aramco, the Saudi state oil giant, ruining the machines. Researchers later traced the attack back to Iran.

In 2014, after Sheldon Adelson, the chief executive of the gambling giant Sands Corp., suggested that the Pentagon should test a nuclear weapon as a message to Iran, hackers caused significant damage to networks of Adelson’s company, the Recorded Future analysis said.

U.S. prosecutors took aim at Iranian hackers first in 2016, when they indicted seven Iranians for cyberattacks on a small New York State dam and dozens of banks, and again March 23, when they charged nine Iranians from the Mabna Institute, which the FBI called a front company for hostile cyberespionage, for hacking dozens of U.S. universities.

Yet to be proven is whether Iran was involved in a cyberweapon aimed last August at a Saudi Arabian petrochemical plant. That weapon, dubbed Trisis or Triton, hijacked the plant’s industrial control system but failed to activate in a way that could have caused a massive explosion.

“It really was quite dangerous,” Hultquist said.

Still, Iranian hackers should not be underestimated, Hultquist said.

“Even though on many occasions they’ve demonstrated a lack of technical sophistication, they’ve made up for it with brashness and creativity (and) their willingness to really push the edge,” he said.

Other cybersecurity experts concurred that Iran is likely to retaliate in cyberspace.

“Nation-states, including Iran, have historically used cyberattacks as a low-risk, high-reward tactic for retaliating to political opposition,” Sanjay Beri, chief executive of Netskope, a Los Altos, California, cloud security company, said in a statement.

That retaliation is likeliest to target U.S. business, Gundert said, following directives from Tehran authorities that have demonstrated a willingness to hit U.S. corporations.

“They are facing a government which is not happy about President Trump turning up the economic pain dial and reapplying these sanctions,” Gundert said. “This was a pattern that was very active before 2015.”

President Donald Trump announced Tuesday that the U.S. will not be a part of the Iran nuclear deal. He said the U.S. and its allies couldn't stop Iran from building a nuclear weapon “under the decaying and rotten structure of the current deal.”

Tim Johnson 202-383-6028, @timjohnson4