Iran-US conflict may stretch definitions of ‘war’
Conflict between the U.S. and Iran may never reach a stage similar to a traditional war. But risks of both physical and cyber attacks are very real.
Refined Kitten — also known as APT33, Elfin, and Magnallium — is a shadowy hacker group that cybersecurity firms believe works in the interests of Iran. When tensions between Washington and Tehran spiked last June, Refined Kitten launched a broad phishing attack against a range of U.S. government agencies, including the Department of Energy and national labs.
Soon, Refined Kitten and other members of Iran’s capable cyber corps may be on the offensive again. Iran has vowed revenge in the wake of the U.S. killing of Maj. Gen. Qassem Soleimani in a drone strike on Friday, and digital disruption could well be one of its weapons.
That’s because Iran has long taken an asymmetric approach to confrontation with America. “War” between the two nations wouldn’t look at all like the Gulf War or the 2003 U.S. invasion of Iraq. Experts say it would likely be a shifting, hidden sort of conflict spread over the region and the world, in which Iran tries to surprise and strike quickly at its heavily armed adversary, via hackers, proxy militias, or other indirect means.
“The cyber piece of this is also in Iran’s immediate tool box,” says Elisa Catalano Ewers, adjunct senior fellow at the Center for a New American Security and a former director for the Middle East and North Africa on the National Security Council staff.
Patience may be part of the Iranian approach as well. Rather than responding quickly to the death of a man widely considered the second most powerful leader in the country, Iran appears to be calibrating its response to the U.S. strike, weighing what it deems might be effective while trying to avoid all-out war with the United States.
“They’re taking their time,” says Ms. Ewers.
Where Iran may respond next
The American decision to target General Soleimani as he left Baghdad International Airport likely shocked the Iranian leadership, say experts. He was not hard to find, as he traveled semi-openly throughout the region, visiting Iranian allies and proxies in Syria, Lebanon, and elsewhere.
Iraq, where the attack took place, is perhaps the first theater where Iran might respond. Iranian-linked Shiite militias in Iraq have been escalating activities in recent months and recently surrounded and attacked the U.S. embassy in Baghdad in response to American airstrikes against fellow militia members across Iraq and Syria.
Iraqi lawmakers were generally outraged at what they saw as a U.S. action that infringed on their sovereignty. On Sunday they approved a resolution calling for the expulsion of American troops in their country — something which, if carried out, would fundamentally tilt the regional power balance.
Iranian proxies elsewhere in the region might also target U.S. troops and American civilians in response to the Soleimani killing. Iran itself could undertake missile strikes on U.S. bases or on Saudi or United Arab Emirates oil facilities. It could increase its naval activity against oil tankers in Gulf waters.
Iran could also completely abandon the 2015 nuclear deal struck with the United States and Europe. On Sunday, Iran said it would feel free to produce as much nuclear material as it wanted, though Iranian officials did say they might reverse and reenter the deal in the future.
Iran might also resort to unconventional means of retaliation, such as individual acts of terrorism in the U.S. or Europe, or a ramping up of its shadowy cyber capability against international banks, power plants, or other vulnerable targets.
“We should be prepared for Iran [to retaliate] across its entire range of asymmetric capabilities, inside Iraq, across the region and elsewhere across the globe where they have active cells,” writes William Wechsler, director of Middle East programs at the Atlantic Council, in an analysis of what comes next.
Rising threats in cyberspace
Since Desert Storm, “literally in every armed conflict, we’ve seen increased action in the cyber domain,” says retired Brig. Gen. Gregory Touhill, adjunct professor at Carnegie Mellon University in Pittsburgh and America’s first federal chief information security officer, serving from 2016 to 2017.
Cyber warfare has proved particularly attractive to Iran, since a four-decade arms embargo has kept its conventional military from keeping up with other powers in the region.
“Between 2009-10 and 2019, and often via non-state proxies such as the Iranian Cyber Army, Iran has invested heavily in developing and using cyber capabilities, for propaganda, intelligence exploitation and disruption,” noted a November 2019 report by the International Institute for Strategic Studies (IISS), an international research firm.
Iran’s cyber capabilities are not on par with, say, Russia and China, cyber experts note. But it has shown increasing ability and willingness to use digital means. As far back as 2005, groups linked to Iran have hacked into websites to deface them with pro-Iranian messages. Over the weekend, hackers altered the website of an obscure U.S. government program to depict President Donald Trump being punched in the face by an Iranian fist.
There’s no evidence yet this was sponsored by Iran. But as early as 2005, groups linked to Iran have used such web “defacements” to get their message out. In 2016, the U.S. indicted seven Iranians for trying to gain control of a 20-foot computerized dam in New York.
Iran has also been linked to the Shamoon wiper virus, which in 2012 was used against Aramco, Saudi Arabia’s oil company, and destroyed data on at least 30,000 personal computers.
The cyber efforts are often carried out by nonstate partners affiliated with and often funded by Iran, part of a larger pattern of what the IISS report calls Iran’s “networks of influence.” These networks allow Iran to disavow responsibility for the attacks.
That said, the threats of Iranian retaliation following Friday’s U.S. airstrike killing General Soleimani should not be overblown, cyber experts say.
“It’s unlikely that there might be a large-scale financial attack,” says Rahul Telang, professor of information systems and management at Carnegie Mellon University’s Heinz College. “I don’t think Iran has the technical capability.”
Small and midsize businesses that have not assessed their digital risk could see some impact. And specific sectors of the economy might see some events.
Even in cyber warfare, Iran isn’t likely to go too far for fear of provoking a more devastating response — either on the ground or in cyberspace.
“A decision for a cyberattack on the United States will depend on Iranian calculations of the risk of a damaging U.S. response,” wrote James Andrew Lewis, senior vice president at the Center for Strategic and International Studies, in a commentary back in June. “If Iran does act in the United States, crippling a casino makes a point [about U.S. vulnerability]. Blacking out the power grid or destroying a pipeline risks crossing the line.”
The U.S. doesn’t only have superior capability in conventional warfare, it also has a decided edge in cyberspace. It was the Stuxnet virus, widely believed to have been developed by the U.S. and Israel, that severely damaged Iran’s nuclear program.
“While there’s great talk that the Iranians will act, they do so at their own peril,” says Mr. Touhill, the former federal information security officer.