Nuclear-deal exit feared to free up Iran's hacking

Inside the Pentagon's cyberwarfare unit, analysts have been closely monitoring Internet traffic out of Iran. Some 6,000 miles away, Israel's elite cyber intelligence Unit 8200 has been running war games in anticipation of Iranian strikes on Israeli computer networks.

Government and private-sector cybersecurity experts in the United States and Israel worry that President Donald Trump's decision to pull out of the Iran nuclear deal last week will lead to a surge in retaliatory cyberattacks from Iran.

Within 24 hours of Trump announcing Tuesday that the United States would leave the deal, researchers at CrowdStrike, the security firm, warned customers that they had seen a "notable" shift in Iranian cyberactivity. Iranian hackers were sending emails containing malware to diplomats who work in the foreign affairs offices of U.S. allies and employees at telecommunications companies, trying to infiltrate their computer systems.

And security researchers discovered that Iranian hackers, most likely in an intelligence-gathering effort, have been quietly probing Internet addresses that belong to U.S. military installations in Europe over the past two months. Those researchers would not publicly discuss the activity because they were still warning the targets.

Iranian hackers have in recent years demonstrated that they have an increasingly sophisticated arsenal of digital weapons. But since the nuclear deal was signed three years ago, Iran's Middle Eastern neighbors have usually been those hackers' targets.

Now cybersecurity experts believe that list could quickly expand to include businesses and infrastructure in the United States. Those concerns grew more urgent Thursday after Israeli fighter jets fired on Iranian military targets in Syria, in response to what Israel said was a rocket attack by Iranian forces.

"Until today, Iran was constrained," said James Lewis, a former government official and cybersecurity expert at the Center for Strategic and International Studies in Washington. "They weren't going to do anything to justify breaking the deal. With the deal's collapse, they will inevitably ask, 'What do we have to lose?'"

Lewis' warnings were echoed by nearly a dozen current and former U.S. and Israeli intelligence officials and private security contractors contacted by The New York Times last week.

"With the nuclear deal ripped up, our nation and our allies should be prepared for what we've seen in the past," Gen. Keith Alexander, former director of the National Security Agency, said in an interview Friday.

Over the years, state-backed Iranian hackers have shown both the proclivity and skill to pull off destructive cyberattacks. After the United States tightened economic sanctions against Tehran in 2012, state-supported Iranian hackers retaliated by disabling the websites of nearly every major U.S. bank with what is known as a denial-of-service attack. The attacks prevented hundreds of thousands of customers from accessing their bank accounts.

Those assaults, on about 46 American banks, detailed in a 2016 federal indictment, were directly attributed to Iranian hackers.

Iranian hackers were also behind a digital assault on the Las Vegas Sands Corp. in 2014 that brought casino operations to a halt, wiped Sands data and replaced its websites with a photograph of Sheldon Adelson, Sands' majority owner, with Prime Minister Benjamin Netanyahu of Israel, according to the indictment.

Security researchers believe the attacks were retaliation for public comments Adelson made in a 2013 speech, when he said that the United States should strike Iran with nuclear weapons to force Tehran to abandon its nuclear program.

But after the nuclear deal with Iran was signed, Iran's destructive attacks on U.S. targets cooled off. Instead, its hackers resorted to traditional cyberespionage and intellectual-property theft, according to another indictment of Iranian hackers filed in March, and reserved their louder, more disruptive attacks for targets in the Middle East.

With the nuclear deal at risk, U.S. and Israeli officials now worry Iran's hackers could retaliate with cyberattacks of a more vicious kind.

The Israeli war-game sessions have included what could happen if the United States and Russia were drawn into cyberwarfare between Israel and Iran, according to a person familiar with the sessions but who was not allowed to speak about them publicly.

The United States has a blueprint for what it might expect in Saudi Arabia, where there is growing evidence that Iranian hackers may have been responsible for a string of attacks on several Saudi petrochemical plants over the past 16 months.

The attacks crashed computers and wiped data off machines at the National Industrialization Co., one of the few privately owned Saudi petrochemical companies, and Sadara Chemical Co., a joint venture of Saudi Aramco and Dow Chemical. The hackers used malware -- nearly identical to the bugs used in a similar 2012 Iranian assault on Aramco -- that replaced data on Aramco computers with an image of a burning American flag.

"Iran has upped its game faster than analysts anticipated," said Matt Olsen, former general counsel of the National Security Agency and a former director of the National Counterterrorism Center. He now works closely with energy companies monitoring cyber threats as president of IronNet, a private cybersecurity company.

Olsen added that Iran "is now among our most sophisticated nation-state adversaries. We can anticipate those capabilities could well be turned against the U.S."

A Section on 05/13/2018
