Few Signs of Increased Iranian Cyberattacks After Nuke-Deal Pullout

Europe’s continued adherence to the deal may be causing Iran to hold off on new attacks. But U.S. targets aren’t out of the woods just yet.

In this Wednesday, Sept. 20, 2017 file photo, Stuart Davis, a director at one of FireEye's subsidiaries, speaks to journalists about the techniques of Iranian hacking, in Dubai, United Arab Emirates.
AP Photo/Kamran Jebreili
June 5, 2018, 8 p.m.

President Trump’s decision to withdraw from the Iran nuclear deal last month was met with a flurry of speculation that Tehran would use the reversal as a pretext to launch a new round of cyberattacks aimed at crippling portions of America’s critical infrastructure.

But experts from four top cybersecurity firms say that in the weeks that followed Trump quitting the Joint Comprehensive Plan of Action, there’s been no perceptible uptick in activity by Iranian-backed hackers against U.S. or other Western targets.

“We have not seen any ramp-up or acceleration, or changes in [tactics, techniques, and procedures] with those groups,” said Levi Gundert, the head of threat intelligence at cybersecurity company Recorded Future.

Officials from FireEye, McAfee, and Dell’s SecureWorks also told National Journal they’ve yet to detect an increase in Iranian activity—including any preparatory forays against the U.S. electric grid, the transportation or finance industries, or other critical infrastructure. Those types of probing attacks were common before President Obama agreed to the nuclear deal in 2015, but fell off dramatically over the following three years.

“We continue to see the stuff that’s been going on in the [Persian] Gulf, which is still focused on a lot of their critical infrastructure,” said John Hultquist, the director of intelligence analysis at FireEye. “It could be a preparation for disruption, things of that nature. But we haven’t seen it spread into the West yet.”

That’s not to say that Iran is throwing in the towel. Experts continue to anticipate an eventual retaliatory cyberstrike over the White House’s withdrawal from the nuclear deal. But it may mean Iranian leadership is hedging its bets in the hope that European countries still sticking to the JCPOA can be kept in their corner.

“Immediately launching into a series of aggressive actions is probably not a way to demonstrate that you’re a responsible player that somebody wants to make a deal with,” said Michael Daniel, a former special assistant to the president and cybersecurity coordinator under Obama. “Those in the Iranian government that would be sensitive to those kinds of arguments are going to be, I think, arguing for showing some restraint until it becomes apparent that no further diplomatic work with the Europeans would pay off.”

Allison Wikoff, a senior researcher at SecureWorks’ counterthreat unit, said the continued adherence to the deal by America’s European allies “is likely an immediate deterrent.”

“A potential trigger for cyber retaliation could be the reintroduction of more stringent economic sanctions from the U.S., which can be put in place later this summer (August at the earliest),” Wikoff wrote in an email. “These sanctions could limit European Union JCPOA signatories’ business with Iran, to which Iran may respond to the economic hardship with cyberattacks.”

It wasn’t too long ago that Iran was considered a cyber-warfare backwater. But after Iranian-sponsored hackers deleted tens of thousands of critical files at Saudi Aramco in 2012, the country took a seat next to Russia and North Korea as one of the United States’s top adversaries in cyberspace. Follow-on attacks against the U.S. financial system and a Las Vegas casino owned by pro-Israel business magnate Sheldon Adelson further cemented the Islamic Republic’s status as a top-tier cybersecurity threat.

Experts across several cybersecurity firms say Iranian activity that directly targets U.S. interests declined precipitously after the JCPOA was signed in 2015. But now that a new White House has chosen to rip up that deal, there was an expectation that Iran would return to its old ways.

It’s an expectation apparently shared by the U.S. government. According to a report from The Washington Free Beacon, on May 22 the FBI sent a warning to U.S. businesses that Iranian-sponsored hackers could target their firms “in response to the U.S. government’s withdrawal from the [JCPOA].” An FBI spokeswoman could not comment on specific cyber alerts issued by the agency, but did not dispute the authenticity of the report.

It’s not clear why cybersecurity professionals have failed to detect an increase in activity around U.S. targets. Iran has responded rapidly to the JCPOA withdrawal in other theaters, reportedly backing a massive Taliban assault against targets in western Afghanistan in response to the decision.

Raj Samani, the chief scientist at McAfee, noted that private security firms won’t always be able to directly attribute attacks undertaken by well-trained and persistent hackers backed by a nation-state.

“Governments are in a more effective position to make such attribution claims, given their ability to combine technical evidence with evidence from traditional intelligence sources available only to state intelligence services and law enforcement,” Samani said.

There’s also a sense that Iranian leadership simply hasn’t had enough time to retool its cyber operations and pick a particularly juicy U.S. target. “I don’t expect the ship to turn overnight,” said Hultquist, adding that it could be several months before Iran feels ready to resume operations at a scale detectable by cybersecurity firms.

Gundert noted that it took around four months for Iranian hackers to begin targeting American banks after President Obama applied tougher sanctions on the country in 2012. “That seems to be a relatively consistent time frame,” he said, “[and] in terms of a response, I view that as a quick response.”

But Gundert is also open to the possibility that Iranian leadership is holding off in a bid to strengthen the European push to keep remnants of the deal intact and ward off crippling U.S. sanctions later this summer. It could be any sanctions resulting from the JCPOA pullout—and not the withdrawal from the deal itself—that triggers an aggressive Iranian response in cyberspace.

Should that happen, experts worry the country will deploy the recent experience gleaned from infrastructure attacks against Saudi Arabian and other Middle Eastern targets to great effect in the United States.

“If things continue to deteriorate, then a very logical, straightforward response from the Iranians would be to use their cyber-capability,” Daniel said. “It’s something they’ve invested heavily in developing, they’ve got some very experienced operators—because they’ve been operating against the Saudis, the Israelis, and others in the Middle East—and it’s a tool that’s very asymmetric and favors smaller actors like the Iranians.

“If there’s no sort of strategic advantage to holding off, then they’re going to do that,” he said.
