Following the US strikes on Iranian nuclear facilities, the Department of Homeland Security has warned of retaliation in the form of cyber attacks.
A national terrorism advisory system bulletin, issued on Sunday, stated that "hactivists" and Iranian government-affiliated actors are routinely targeting poorly secured US networks and internet-connected devices for disruptive cyber attacks.
Warnings about nefarious cyber activity from Iran and other external actors come as Tehran limits internet access for its citizens. But those who need internet access for cyber attacks can find ways to get online, or are granted access.
Cyber attacks "might be a very tempting kind of direction for them to go,” Kristin Diwan, a senior resident scholar at the Arab Gulf States Institute, said during a panel discussion about the recent US strikes.
“In a way Iran doesn’t have that battlefield supremacy, but this sort of thing, cyber crime or cyber attacks, a kind of subterfuge for the longer term in the overall disruptive battle might be attractive,” she added when asked by The National about the possibility that Iran might prefer cyber attacks.
Hussein Ibish, also with the Arab Gulf States Institute and a columnist for this publication, agreed.
"It would make sense because it would involve deniability and it also wouldn’t cause President [Donald] Trump to go on some chest-beating rampage,” he said, pointing to the ambiguity of digital attacks as opposed to military attacks.
Iran is generally acknowledged in the cyber security community as a major state sponsor of cyber attacks. The country was featured prominently throughout Microsoft's 2024 Digital Defence Report. While many of the mentions in the report referred to political-influence operations and the spread of disinformation, it also touched on other Iranian cyber operations.
“In July 2022, Iran launched a devastating cyberattack designed to cripple Albania’s digital infrastructure,” Microsoft said, noting that Albania was able identify and prevent the threat from causing harm.
During the 2024 US presidential election, the FBI said that it was investigating a claim from Donald Trump's presidential campaign that it was the target of a hack orchestrated by Iran. Iran is also home to two cyber crime groups that have come to be known in cyber security circles as Cotton Sandstorm and Mint Sandstorm.
Microsoft's threat intelligence group describes Mint Sandstorm as an Iran-affiliated group “known to primarily target dissidents protesting the Iranian government, as well as activist leaders, the defence industrial base, journalists, think tanks, universities, and multiple government agencies and services, including targets in Israel and the US”.
It has been widely speculated that Mint Sandstorm was behind the attempted hack and potential breach of communications within Mr Trump's recent presidential campaign, using a method known as “data harvesting”.
In May, an Iranian man pleaded guilty to using ransomware to extort millions from governments and organisations in the US. Sina Gholinejad, 37, admitted to computer fraud and abuse, as well as conspiracy to commit wire fraud.
Ransomware is a type of malware designed to deny users, businesses or organisations access to their data stored on computers or servers. Although not unique to Iranian cyber criminals, as a result of the US strikes on Iran's nuclear sites, one of the biggest cyber threats may come in the form of distributed denial-of-service (DDoS) attacks.
A DDoS is a cyber attack in which perpetrators use co-ordination and several computers to overwhelm a network server with internet traffic, which then prevents users from accessing services and websites. If critical infrastructure such as water or energy facilities are affected by DDoS attacks, millions could be affected.
A report released by NetScout Systems, a provider of cyber protection solutions, indicated that countries such as Israel, Georgia, Mexico and Turkey experienced a major spike in DDoS attacks over the course of the year. “DDoS has emerged as the go-to tool for cyber warfare,” Richard Hummel, director of threat intelligence at NetScout, told The National in April.
