Almost immediately after news broke that the United States had killed Gen. Qassem Soleimani, a high-profile Iranian military commander, in Iraq, John Hulquist’s inbox was already filling up.
"I was getting inquiries within an hour from customers who were concerned about the threat to them," said Hulquist, the director of intelligence analysis at FireEye, a cybersecurity company that works with many Silicon Valley companies.
Cybersecurity professionals across the U.S. expressed a mixture of concern and caution Friday, with many explicitly saying that they are gearing up for potential retaliation from Iran, which has already proven in recent years to be a formidable adversary in the cyber realm.
Iran is considered one of Washington’s primary adversaries in cyberspace, and has shown a willingness to go after government and civilian targets. While Iran has also engaged in social media disinformation campaigns and hackers have defaced websites, cybersecurity experts who spoke with NBC News said they’re particularly concerned about potential breaches of major U.S. companies and government agencies that work with crucial infrastructure.
Michael Daniel, who served as cybersecurity adviser to President Barack Obama, said Iran’s response will be measured, but that companies should be on alert.
"If I were advising the pizzeria down the street, I'd say you're probably not high on the target list, but if you're operating a critical infrastructure or a high-profile, large corporation, I would raise the alert status for your cybersecurity teams," said Daniel, who is now the president of the Cyber Threat Alliance, which pools cyberintelligence from a number of cybersecurity companies, and which has created a dedicated communications channel to discuss Iranian intelligence.
Byers Market Newsletter
Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.
It's been more than five years since the last publicly known Iranian cyberattack on an American target, when the Sands Casino in Las Vegas was infected after its owner, Sheldon Adelson, suggested nuking Iran in a speech.
Given recent developments, re-upping our statement from the summer.
Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS
The Sands hack was what is known as a "wiper" attack, a hallmark of Iranian cyber tactics. Rather than steal a network's files, or hold them for payment like ransomware, wiper attacks simply delete the systems they infect to maximize damage. Such public attacks stopped around the time the Obama administration began negotiating the Joint Comprehensive Plan of Action, which became commonly known as the Iranian nuclear deal.
But Iran has stayed active in the Middle East, regularly attacking industrial targets in Saudi Arabia and other neighboring countries. In December, IBM announced it had responded to numerous wiper attacks from Iran against Gulf nations in 2019.
Iran has also continued efforts to infiltrate American companies through the internet. In June, the Department of Homeland Security, as well as private cybersecurity firms like FireEye, warned of an ongoing Iranian phishing campaign targeting some Americans that began after the Trump administration increased sanctions on Iran.
Chris Krebs, Homeland Security’s top cybersecurity official, recirculated that warning Thursday. There are no publicly known infections from that campaign, though, and no indication of whether the campaign intended simply to spy on targets or to escalate into something more destructive.
Though public attacks against the U.S. from Iran had largely cooled after the JCPOA, the two countries have a long history of cyberwarfare. The best known offensive operation the U.S. ever conducted, working with Israel, was creating and deploying Stuxnet, a complex software that was able to derail Iranian nuclear centrifuges and effectively delay its nuclear weapons research.
On the other side, the U.S. has accused Iran of a series of attacks against American targets over the years, like overwhelming dozens of financial institutions with traffic after the U.S. imposed sanctions on Iran, and accessing online control panels of a dam in upstate New York after Stuxnet.
Cyber operations take time, and if Iran does intend to conduct a retaliatory destructive cyberattack for Soleimani’s death, it will need to first gain a foothold in target networks — something it has in the region more than in the U.S.
“We haven't seen a lot of significant activity that we'd consider preparation for an attack on the U.S.,” Hulquist said. “We have seen that in the Gulf. If they’re going to do that here, they're probably going to ramp that up.”
Daniel said that any cyberattacks from Iran will have to take into account just how much damage will be wrought.
"They have an interesting needle to thread,” Daniel said. “You'd imagine you want something robust enough to satisfy your domestic audiences but not seen as disproportionate to the world community that they want to keep on their side.”
CORRECTION (Jan. 4, 2020, 11:50 a.m. ET): An earlier version of this article misidentified the owner of the Sands Casino in Las Vegas. He is Sheldon Adelson, not Alderson.
Kevin Collier is a cybersecurity reporter based in New York City.