The US government has issued a security alert over the weekend, warning of possible acts of terrorism and cyber-attacks that could be carried out by Iran following the killing of a top general by the US military on Friday.
The warning comes in the form of a rare NTAS (National Terrorism Advisory System) alert, of which the US government has issued only a handful since 2011 when the system was put into place.
The alert was published a day after a targeted US drone strike killed Maj. Gen. Qassim Suleimani at the Baghdad airport. The airstrike came after violent protests and attacks on the American embassy in Baghdad by Iran-backed supporters.
Following Gen. Suleimani’s killing, Iranian leadership and several affiliated violent extremist organizations publicly stated they intended to retaliate against the US. The DHS said that “Iran and its partners, such as Hizballah, have demonstrated the intent and capability to conduct operations in the United States.”
Critical infrastructure, a prime target
According to the DHS’ NTAS alert, possible attack scenarios could include “scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”
“Iran maintains a robust cyber program and can execute cyber attacks against the United States,” the DHS said. “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
Although Acting US Secretary of Homeland Security Chad F. Wolf said that “there is no specific, credible threat against the homeland,” the NTAS alert also warns that “an attack in the homeland may come with little or no warning.”
Cyber-security companies such as CrowdStrike and FireEye believe that any future cyber-attacks will most likely target US critical infrastructure, probably using malware with destructive and data-wiping capabilities, as Iranian state-sponsored hacking groups have done in the past against other Middle East targets.
Iranian hacking groups have repeatedly attacked US targets over the past year, but the primary focus of these attacks has been cyber-espionage (Silent Librarian operation) or financially-motivated cybercrime (SamSam ransomware group).
Joe Slowik, an ICS malware hunter for Dragos, suggests the US should take a proactive approach and preempt some cyber-attacks.
“US (or US-associated elements) could use this period of Iranian uncertainty to disrupt or destroy command and control or infrastructure nodes required to control or launch retaliatory cyber strikes, nullifying such a capability before it could be called into action,” Slowik said in a blog post published on Saturday.
As of the writing of this article, no official cyber response has been reported as originating from a known and established Iranian government-backed hacking group.
However, we’ve seen some low-level cyber-attacks over the weekend, in the form of website defacements. Defacements have been confirmed on around 20 websites.
One official government website, the Federal Depository Library Program (FDLP) portal, was also hit. According to an analysis of the hack, the FDLP portal was running an outdated Joomla install, which is most likely how the hackers executed the defacement.
The attacks appear to have been carried out by unsophisticated actors with no affiliation with the Tehran regime and a long history of low-skill website defacements going back years. The attacks look to be opportunistic rather than an actual, well-planned operation.
For the moment, most of the fallout from Gen. Suleimani’s killing appears to be limited to the political front. For starters, the Iranian government announced today it would no longer abide by the limits contained in the 2015 Iran-US nuclear deal. Further, the Iraqi parliament also voted to kick US troops out of the country.
In the meantime, the US State Department has urged US citizens “to depart Iraq immediately,” as their lives could be in danger and they might get caught in the middle of terror plots and kidnappings.