Tehran-linked hackers are stepping up digital reconnaissance and preparing for potentially disruptive cyber activity following recent U.S. and Israeli strikes on Iran, cyber intelligence firms warn.
The coordinated strikes and escalating tensions across the broader Middle East are setting the stage for a renewed phase of Iranian cyber operations, including espionage and possible attacks on U.S. critical infrastructure, they say.
CrowdStrike has “not observed large-scale state-sponsored cyber campaigns” but is seeing “a surge in claimed activity from Iran-aligned and sympathetic hacktivist groups, including assertions of disruptive actions such as [denial-of-service] operations, defacements and alleged interference across targets in the Middle East, the United States and parts of Asia,” said Adam Meyers, the firm’s head of counter adversary operations.
Denial-of-service attacks seek to overwhelm a website with artificial traffic and knock it offline.
At this point, much of the publicized hacks are claim-driven, but critical infrastructure and financial sector firms “should remain vigilant for follow-on activity that moves beyond nuisance-level disruption into more coordinated or destructive operations,” he said.
“We expect Iran to target the U.S., Israel, and Gulf Cooperation Council (GCC) countries with disruptive cyberattacks, focusing on targets of opportunity and critical infrastructure,” said John Hultquist, the chief analyst at Google’s Threat Intelligence Group.
That said, Iran “has historically had mixed results with disruptive cyberattacks, and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact,” he added. “Though they can have serious impacts on individual enterprises, it’s important to take their claims with a grain of salt.”
Industry research has previously documented these theatrics.
So far, Recorded Future, another threat intelligence firm, has “not observed any targeting of U.S. government agencies or private sector critical infrastructure in the U.S. attributable to Iranian threat actors,” according to Alexander Leslie, a firm threat analyst.
“It is important to note that Iranian cyber operators are likely in a defensive posture at the moment, and widespread internet blackouts in Iran amplify our lack of visibility,” he added. “I also note that Iran relies heavily on cyber proxies to augment its campaigns, but so far, the retaliation has been muted.”
U.S. officials said Monday the Iran operation was in its initial phases, with additional forces expected to be deployed to the Middle East amid escalating attacks that risk inflating into a full-scale regional conflict.
Worldwide critical economic infrastructure is now a primary target for Iranian-tied hackers, according to Flashpoint findings emailed to Nextgov/FCW. Pro-Iranian hacktivist groups claimed to have breached a major Jordanian grain silo company’s control systems, including alleged manipulation of temperature controls and weighing systems, Flashpoint said. It’s not clear if those claims are legitimate.
Every U.S. multinational firm is at risk of being targeted, said Christopher Burgess, a former CIA official focused on cybersecurity, intelligence and technology. “You have to prepare by talking to your personnel in Abu Dhabi. You have to talk to your personnel in Kuwait. Your generic safety briefings no longer hold any water.”
“In the United States … we tend to see an event and we go, ‘That can’t happen to us,’ and then we move on,” he added. “But here’s the question I’d ask every company: If your personnel or your offices abroad lose water, power or communications for two weeks, what’s your plan? What’s your plan in the U.S. if that happens?”
The war is expected to test U.S. cyber defenses, which have been significantly impacted in the last year amid broad workforce cuts across the federal government. A further diminished workforce in the Department of Homeland Security, which has not been fully funded for some two weeks, is also amplifying concerns.
The Cybersecurity and Infrastructure Security Agency, the cyberdefense bureau housed in DHS, is operating with a reduced capacity. Some furloughed CISA workers are on standby orders, where they are directed to monitor work communications and prepare to potentially be called in, according to a current agency employee who spoke on the condition of anonymity due to fear of retribution.
“Some in the private sector are surprised that there’s a furlough right now going on at CISA,” said the employee, noting that it’s uncertain when the agency will receive full funding again. “It feels like there’s not a lot of push on either side [of the political aisle] to really come to a budget resolution immediately.”
Some Republicans have used the ensuing conflict to push Democrats to reach a DHS funding deal.
“Because of Democrats’ refusal to fund DHS, the Cybersecurity and Infrastructure Security Agency (CISA) is operating at ~38% staffing,” Tennessee Rep. Matt Van Epps said in an X post that linked earlier reporting from Nextgov/FCW and Defense One. “This is putting our nation’s critical infrastructure at risk, especially considering Tehran’s history of retaliatory cyber attacks.”
DHS Secretary Kristi Noem is expected to testify tomorrow before the Senate Judiciary Committee and may face questions about staffing at the cyber agency.
“I am in direct coordination with our federal intelligence and law enforcement partners as we continue to closely monitor and thwart any potential threats to the homeland,” Noem said in a statement to Nextgov/FCW.
“Iranian regime-backed cyber actors continue to pose a serious threat to the United States and our allies, from probing our water utilities to running influence operations that undermine our democracy,” House Homeland Security Committee chairman Rep. Andrew Garbarino, R-N.Y., said in a statement. “CISA and its skilled personnel need to remain fully operational — and paid — to ensure our nation is ready to deter and respond to cyber threats against critical infrastructure across the public and private sectors.”
Editor’s Note: This article has been updated to include remarks from Recorded Future.
