Last Saturday, the United States military began its Operation Epic Fury, which saw U.S. Air Force aircraft strike positions in Iran, resulting in the death of Supreme Leader Ali Khamenei along with more than 40 high-ranking government officials.
The United States has also sunk numerous Iranian Navy warships, and there are reports of significant losses of Iranian aircraft.
Tehran has retaliated by launching missile and drone attacks at U.S. military bases throughout the Middle East, striking positions in Kuwait, Bahrain, and Jordan. The Islamic Republic further launched attacks at the Saudi capital of Riyadh, at the Erbil International Airport in Iraq, and at multiple sites in the United Arab Emirates.
Close U.S. ally Israel has intercepted waves of Iranian missiles, with a few getting past the Iron Dome defenses, striking Tel Aviv.
Iran’s Asymmetrical Threat
This week, it is becoming clear that Iran may turn to asymmetrical forms of warfare, notably cyber attacks against the United States. Cybersecurity experts explained to ClearanceJobs the threats the United States may now face and how Americans should respond.
“There is a significant possibility that Iran’s regime would respond to U.S. and Israeli military strikes with large-scale cyberattacks, particularly given its inability to match the conventional military capabilities of the U.S. and Israel. Cyber operations may be viewed by the regime as a more attainable and potentially effective means of retaliation compared to military confrontation,” Hom Bahmanyar, global enablement officer at Ridge Security, Inc., told ClearanceJobs.
“During open conflict, Iran has historically favored asymmetric cyber tactics. These tactics are deniable, disruptive, and psychologically impactful rather than those that are overtly destructive. U.S. critical infrastructure – especially water utilities, energy operators, healthcare systems, telecommunications, the media, and regional government networks – could experience increased attacks,” added Jacob Warner, director of IT at cybersecurity firm Xcape, Inc.
Warner told ClearanceJobs via email that the attacks could include DDoS campaigns, ransomware attacks, spear phishing, and disruptive intrusion attempts aimed at undermining public confidence.
Tehran Had Time to Prepare
The United States wasn’t shy about moving assets into the region, directing fifth-generation stealth fighters, including the Lockheed Martin F-22 Raptor and F-35 Lightning II, to bases in the Middle East and deploying two aircraft carrier strike groups (CSGs).
However, Tehran may have also been preparing.
“A silent prelude to attacks has been conducted via API probing,” warned Ted Miracco, CEO of mobile cybersecurity provider Approov.
“While much of the public focus is on the military strikes, the digital battlefield has been simmering for weeks. In the fortnight leading up to this weekend’s events, Approov observed a significant surge in highly sophisticated probing attacks against APIs and mobile applications that provide critical communication links for regional governments,” Miracco explained.
According to Miracco, those probes were specifically designed to evade initial defenses.
“We have analytical indications that the presumed Iranian actors were scouting and gauging regional infrastructure vulnerabilities,” Miracco added. “Fortunately, by deploying over-the-air (OTA) software updates to the apps and new policies to the cloud, we were able to harden these apps before the probes could turn into full-scale service interruptions or data breaches.”
Tehran may also mix up the playbook and do something even more unexpected.
Denis Calderone, principal and CTO at Suzu Labs, also told ClearanceJobs that Iran’s most capable espionage group, APT34, has gone completely quiet during what has been the most significant crisis in their country’s modern history. “We worry that it might just mean they’re getting ready,” Calderone acknowledged. “Since it appears that conventional military options are looking increasingly to be off the table, cyber is what Iran has left. And even with their own internet down, pre-positioned implants and operators based outside Iran can still execute.”
The targets could include critical infrastructure across the West, as well as financial services, defense, and anything else that Tehran may see as an easy target.
“Groups like CyberAv3ngers have previously targeted poorly secured industrial control systems (ICS),” Warner noted. “This indicates a continued interest in operational technology (OT) environments with low cybersecurity maturity. We might also observe website defacements, data leaks, or influence operations intended to heighten domestic political and social tensions.”
Cybersecurity teams need to be especially vigilant.
“Start hunting for anomalous access in your environment now. Don’t wait for something to break,” said Calderone.
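The API probing Miracco describes and Calderone’s call to start hunting for anomalous access come down to the same triage question: which sources are enumerating endpoints they have no business knowing about, and failing while they do it? The script below is an added example, not code from the article, Approov, or Suzu Labs. The log lines, IP addresses (documentation ranges), route list and thresholds are all constructed assumptions for illustration and would need tuning against a real environment’s baseline.

```python
"""Flag API-probing / anomalous-access patterns in web-server access logs.

Added example with constructed data. Heuristics (assumptions, tune per site):
  * many distinct API paths from one source inside a short window (enumeration)
  * a high share of 401/403/404 responses (guessing endpoints or credentials)
  * requests for paths outside the application's published route list
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Combined Log Format. 198.51.100.7 enumerates the API
# and mostly fails; 203.0.113.5 is an ordinary client; 192.0.2.9 is one typo.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2026:03:00:01 +0000] "GET /api/v1/users HTTP/1.1" 401 48 "-" "curl/8.4"
198.51.100.7 - - [01/Mar/2026:03:00:02 +0000] "GET /api/v1/admin HTTP/1.1" 404 21 "-" "curl/8.4"
198.51.100.7 - - [01/Mar/2026:03:00:03 +0000] "GET /api/v1/debug HTTP/1.1" 404 21 "-" "curl/8.4"
198.51.100.7 - - [01/Mar/2026:03:00:04 +0000] "GET /api/v1/config HTTP/1.1" 403 33 "-" "curl/8.4"
198.51.100.7 - - [01/Mar/2026:03:00:05 +0000] "GET /api/v1/.env HTTP/1.1" 404 21 "-" "curl/8.4"
198.51.100.7 - - [01/Mar/2026:03:00:06 +0000] "POST /api/v1/login HTTP/1.1" 200 87 "-" "curl/8.4"
203.0.113.5 - - [01/Mar/2026:03:00:05 +0000] "GET /api/v1/alerts?since=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:03:00:09 +0000] "GET /api/v1/profile HTTP/1.1" 200 340 "-" "Mozilla/5.0"
203.0.113.5 - - [01/Mar/2026:03:00:40 +0000] "POST /api/v1/login HTTP/1.1" 200 87 "-" "Mozilla/5.0"
192.0.2.9 - - [01/Mar/2026:03:01:10 +0000] "GET /api/v1/alert HTTP/1.1" 404 21 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Assumption: the application's published API routes (hypothetical).
KNOWN_ROUTES = {"/api/v1/alerts", "/api/v1/login", "/api/v1/profile"}

AUTH_OR_NOT_FOUND = {401, 403, 404}


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_probing(lines, window_s=60, min_paths=5, err_ratio=0.6,
                 known_routes=KNOWN_ROUTES):
    """Slide a time window over each source's requests and flag enumeration.

    A source is flagged when, within `window_s` seconds, it touched at least
    `min_paths` distinct paths and at least `err_ratio` of those requests
    came back 401/403/404. The widest qualifying window per source is kept.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = recs[start:end + 1]
            paths = {r["path"] for r in window}
            errors = sum(1 for r in window if r["status"] in AUTH_OR_NOT_FOUND)
            ratio = errors / len(window)
            if len(paths) >= min_paths and ratio >= err_ratio:
                best = findings.get(ip)
                if best is None or len(paths) > best["distinct_paths"]:
                    findings[ip] = {
                        "requests": len(window),
                        "distinct_paths": len(paths),
                        "error_ratio": round(ratio, 2),
                        # Paths the app never published: what the probe learned
                        "unknown_paths": sorted(p for p in paths if p not in known_routes),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in find_probing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The unknown-path list is the useful output for a hunt: a source that hits routes outside the published API is not a confused legitimate client, and its successful request after a run of failures (here the 200 on /api/v1/login) is the one to pull the full request body and session for. Feed the same logic the previous weeks of logs, not just today’s, since the point of Miracco’s and Calderone’s warnings is that the reconnaissance already happened.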
Can the U.S. Stop The Cyber Warriors?
Hitting Iran’s cyber capabilities could be harder than striking its aircraft, warships, or even its nuclear program. That means the cyber threat could remain very dangerous regardless of how heavily the country is pounded, or even if there is some form of regime change in Tehran.
“Depending on who is in power, we could expect a ‘scorched earth’ approach next. Currently, Iran’s domestic cyber infrastructure is in a defensive crouch following the massive digital blackout,” said Miracco.
As Iranian operators regain control, Miracco expects them to move from probing and persistence to destruction.
“This means moving beyond standard DDoS attacks to wiper malware and API-based disruptions that could cripple the mobile apps global users rely on for everything from banking to emergency alerts,” Miracco added. “The sophistication we saw in the Gulf suggests they are capable of striking once they recover their footing. It will only matter who gives the orders, as whatever penetrations they could pull off were completed before the first strike occurred.”