How Big a Threat Are Iranian-Backed Cyber Attacks?
To be clear, in this country, this is still the stuff of B-list thrillers. As Alex K. Jones, who chairs the department of electrical engineering and computer science at Syracuse University, told me, the Iranians have not unleashed what he called a Hollywood-style attack because it’s unlikely that they have the capacity to do so. (Another possible explanation is that launching a cyberattack on a major U.S. city would be an act of war that could invite an unprecedented response.) Even so, a major attack is not necessary to inflict pain. The intrusion into the industrial P.L.C. controllers mentioned in the CISA advisory resulted in business disruptions and financial losses. And it was only one of scores of hacks that, according to a number of cybersecurity firms, have been carried out, both in the lead-up to the conflict and during it. These have included distributed denial-of-service attacks, in which hackers unleash an army of bots from millions of I.P. addresses to overwhelm a server with internet traffic in order to crash the websites of companies, government agencies, and the military, causing chaos, friction, and loss of services, and at least one hack in which a health-care organization had its data held hostage for ransom. “We don’t live in a world where there is not going to be an impact on U.S. citizens at home,” James Turgal, a retired executive assistant director to the F.B.I. who is now the vice-president of Optiv, a cybersecurity consultancy based in Denver, told me. “From a cyber perspective, we’re very early on.”
In fact, weeks before the first Israeli and U.S. bombs were dropped on Iran, “threat hunter” researchers from Symantec and Carbon Black, two cybersecurity firms that are part of Broadcom, reported that the hacking group Seedworm had infiltrated the networks of an American airport, a bank, and a U.S. software company that does business in Israel as a defense and aerospace contractor. The researchers wrote that, because Seedworm already had “a presence on U.S. and Israeli networks prior to the current hostilities,” the group was in “a potentially dangerous position to launch attacks. While we have disrupted these breaches, other organizations could still be vulnerable to attack.” Bombs detonate once, but, unless cyber vulnerabilities are patched, they can remain available to malicious actors.
Seedworm, which also goes by the names MuddyWater, Static Kitten, and Mango Sandstorm, among others, is, according to the F.B.I. and CISA, a front for the Iranian Ministry of Intelligence and Security (MOIS). Employing such proxies is a common feature of state-sponsored hacking: these groups obscure a regime’s involvement and offer plausible deniability. To actually track “some guy on a keyboard in Tehran, at a particular I.P. address, at a particular moment, is very difficult,” Turgal explained, which makes attribution challenging and retaliation tricky.
On March 11th, twelve days into Operation Epic Fury, the Handala Hack Team, which, according to the Justice Department, is another MOIS front group, allegedly unleashed a “wiperware” attack on Stryker, a Michigan-based global medical-technology company, causing disruption on thousands of devices worldwide. A post on X, apparently from Handala, stated, “We announce to the world that in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success.” Though no one was killed in the Stryker attack, some surgeries had to be postponed, implants could not be delivered to patients, and the company’s share price plummeted.
While disrupting the business of an American multinational company may seem a pallid response to the destruction of an Iranian primary school where more than a hundred children were killed, such asymmetric attacks in the physical and digital realms have been a feature of this conflict. As Israel and the U.S. were bombing Iran, Iran was not only attacking Qatar, the United Arab Emirates, Saudi Arabia, and other Arab states; it was launching cyberattacks against American allies in Europe and companies across the Middle East in an effort to pressure the American leadership to cease the attacks. Iran has also conducted drone strikes that damaged data centers in the region that are owned by Amazon Web Services, which operates the world’s largest cloud platform—high-value targets with major financial and operational ramifications. Alexander Leslie, a government-affairs senior adviser at the threat-intelligence firm Recorded Future, wrote in an e-mail that “Iran’s strength has long been persistence, coercive signaling . . . and techniques that create real disruption without needing exotic capabilities.”