Special Analysis – Where will Iran hit next? Cyber

Since the beginning of the year, global attention has focused on U.S.-Iran tensions. In a drone strike in Baghdad on Jan. 3, the Trump administration eliminated Gen. Qassem Soleimani, the commander of the Islamic Revolutionary Guard Corps (IRGC) – Quds Force and Iran’s most senior military official after Supreme Leader Ayatollah Ali Khamenei. In shock and disbelief, Iran carried out a seemingly toothless retaliation, launching a dozen or so missiles against two Iraqi military bases that also house U.S. forces, with no casualties reported among either U.S. or Iraqi personnel. Yet, the retaliatory action was perceived as necessary for domestic political reasons within Iran. Although the Iranian attack on the Iraqi bases marked the end of kinetic action during this crisis, the threat of cyberattacks is likely to intensify in the near to medium term. There are three possible fronts where Iran might look to carry out cyber operations: targeting the energy infrastructure of America’s Gulf allies; deploying malware against U.S. private sector companies, which often have limited defenses; and launching disinformation campaigns that would aim to influence public opinion in both the Middle East and the U.S.

Despite the significant symbolism of killing Gen. Soleimani, one of the Islamic Republic’s best-known and highest-profile figures, the Trump administration considered this operation a tactical move rather than a policy change, with an end goal of a negotiated deal with Iran that includes its nuclear and ballistic missile programs as well as its proxies in the region. Iran’s series of escalatory strikes on U.S. and U.S.-allied targets in late 2019, including one on an Iraqi military base on Dec. 27 that killed a U.S. civilian contractor, created a strategic need for the U.S. to reestablish deterrence vis-à-vis Iran. In pursuit of this goal, and empowered by recent military re-positioning in the Gulf and 2020 electoral realities, the Trump administration eliminated Soleimani. Iran now has a clear understanding that the red line for the U.S. is killing American personnel. This explains why the Iranian retaliation was symbolic, resulting in no U.S. and Iraqi casualties.

Iran’s asymmetric warfare places a strong emphasis on cyber operations as an alternative to conventional war: they offer plausible deniability and do not inflict the military or civilian casualties that would violate international law and draw widespread criticism. Thus, moving forward, Iran will likely seek to intensify its cyber operations targeting critical infrastructure, financial institutions, telecommunications, industrial manufacturers, and government agencies, in addition to carrying out disinformation operations aimed at influencing public opinion in the Gulf region and the U.S. Although Tehran’s offensive cyber capabilities are nowhere near those of the U.S., the Iranian leadership has been investing heavily in them, and has been messaging its ability to impose retaliatory costs on its adversaries as a form of cyber deterrence, since the 2010 discovery of the U.S.-Israeli cyber worm Stuxnet, which targeted Iran’s uranium centrifuges and reduced the Natanz nuclear facility’s operational capacity by 30 percent.

Iran studied Stuxnet carefully and created its own version, Shamoon, which aims to destroy data and was first deployed in 2012 against Saudi Aramco, rendering over 30,000 devices unusable and causing massive damage. Iran also attacked several U.S. banks in 2011, including Bank of America, JPMorgan Chase, and Citigroup. But in 2017, Iran shifted its cyber strategy toward inflicting physical damage when Iranian hackers targeted the Saudi National Industrialization Company (Tasnee) and Sadara Chemical Company — a joint venture of Saudi Aramco. The attack destroyed hard drives, wiped data, and inflicted severe damage on the companies’ operations, which took months to recover from.

In 2019, the tit-for-tat cyberattacks between the U.S. and Iran increased significantly in both scope and frequency in conjunction with conventional operations, and expanded beyond Saudi Arabia to include other U.S. allies in the region. For example, Iranian hackers placed data-wiping malware on the computers of Bahrain’s national oil company (Bapco). The malware only impacted part of the company’s computer systems, however, and Bapco was able to continue operating.

Iran’s cyber methods are still relatively simple; whether it is carrying out attacks in the region or in the U.S., Tehran has always exploited its targets’ ill-preparedness and lack of cyber awareness. Iranian cyber operations have aimed at espionage, sabotage, and inflicting significant financial losses, and have mostly been designed to deny access to data or to wipe it.

Based on Iran’s previous cyber operations and its current capabilities, Tehran will likely target major oil and gas companies in the Gulf — pillars of the region’s economy — including ones that have already been attacked in recent years. These companies have long used vulnerable systems to collect thousands of terabytes of data on drilling and oilfield operations, leaving weaknesses for Iranian hackers to exploit. Iran’s likely oil and gas targets include Saudi Aramco, Bapco, QatarGas, and the Abu Dhabi National Oil Company.

Outside of the Middle East, Iran will likely refocus its attention on U.S. private sector companies, mainly financial institutions that lack adequate cyber defenses and have not stepped up their capabilities. To counter a potential Iranian cyber response in the aftermath of the killing of Gen. Soleimani, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) quickly released an alert warning the U.S. cyber community of the increased risk of attacks.

Iran, like other state actors, learned from the Russian interference in the 2016 presidential election that influencing the U.S. political landscape requires only basic tactics. Iran has developed a disinformation campaign known as Endless Mayfly, a well-established, interlinked network of online personas and fake media websites. Another Iran-specific disinformation technique, known as “ephemeral disinformation,” uses fake social media accounts to impersonate legitimate news sources and lend credibility to fabricated stories. Endless Mayfly aims to spread falsehoods and amplify narratives that undermine the legitimacy and morality of U.S. actions. Tehran will likely use these disinformation techniques to target the U.S. presidential elections by raising questions about U.S. foreign policy and stoking social tensions.

While the dust has settled following the killing of Gen. Soleimani and the risk of a conventional conflict between the U.S. and Iran has decreased, cyber operations are likely to ramp up substantially in both the Gulf and the U.S. in the immediate future and may come to define U.S.-Iran tensions in 2020.