Successful War Leaves Iran With One Option, Cyber

The Iranian flag. (Blondinrikard Fröberg, https://www.flickr.com/photos/blondinrikard/14450902921; CC BY 2.0, https://creativecommons.org/licenses/by-nc-nd/2.0/)

Aside from one disruptive attack, Iran’s cyber retaliation against U.S. and Israeli strikes has been largely missing in action. But there are reasons to believe in the longer term the war will result in an enduring increase in Iran’s capacity and appetite for cyber mayhem.

Last week the Iranian state-backed group Handala did claim responsibility for a wiper attack on Michigan-based medical device manufacturer Stryker, and said the attack was partly in retaliation for the U.S. bombing of an all-girls school in Iran. In recent days Handala and a range of other pro-Iranian groups have also claimed a series of hacks targeting Israeli or Middle Eastern organizations.

Although the Stryker attack looks like it is causing serious disruption at the target company itself, trouble at just a single organization won’t trouble senior U.S. policymakers.

In the short term at least, it looks like Iran’s full hacking capability is being suppressed by deliberate military action. Most recently, Seyed Yahya Hosseiny Panjaki, a deputy minister at Iran’s Ministry of Intelligence and Security (MOIS), which controls hacking groups including Handala, was killed in strikes. It was reported last week that another Iranian man wanted by the FBI for alleged hacking crimes, Mohammad Mehdi Farhadi Ramin, was also killed. The Islamic Revolutionary Guard Corps (IRGC) cyberwarfare headquarters was also struck early this month.

In addition to the disruption and chaos caused by the war, internet access in Iran has been blocked by the regime. That’s not a total show-stopper. Handala migrated to Starlink during Iran’s January shutdown, but suffice it to say that life is not easy for Iran’s state-backed hackers. It’s difficult to see how they could really ramp up destructive attacks against the West anytime soon.

That’s the good news, but only in the short term.

America’s stated goals in this war are, per the White House, to “obliterate Iran’s ballistic missile arsenal and production capacity, annihilate its navy, sever its support for terrorist proxies, and ensure the world’s leading state sponsor of terrorism will never acquire a nuclear weapon.”

Even if these goals are entirely met, barring regime change, we expect that Iran’s leaders will still want to project power overseas and will reach for whatever tools they still have.

Unlike nuclear weapons programs or ballistic missiles, cyber forces don’t require significant industrial capacity or vulnerable supply chains. This makes them far more resilient to conventional attacks. Sure, you can disrupt hacking operations for a short while with bombs, but it is hard to completely destroy capacity without somehow killing all of Iran’s hackers. Cyber forces are the cockroaches of state power.

They’re not just a tool of last resort, though. Investing in cyber capabilities makes sense for Iran.

It’s relatively cheap to build and maintain cyber forces. Compared to reconstituting nuclear facilities, missiles, or even conventional military forces, hackers are cheap, cheap, cheap. That would be attractive for a likely cash-strapped postwar Iran.

There is even a formula for Iran to follow. North Korea has proved it is possible for even the poorest of countries to develop formidable hacking capabilities relatively quickly, if there’s political will.

Importantly, cyber operations can also be used to strike globally, allowing Iran to hit American or Israeli organizations on their home turf. Another plus to add to the list.

Granted, cyber operations have limited effects compared to conventional military action. Even the most destructive attacks cause mischief and mayhem rather than raining death from above.

In the context of a postwar Iran, however, that could be seen as a feature rather than a bug. They could provide quick wins with less risk of being bombed in retaliation. Of course, we don’t expect that Iran will invest in its cyber capabilities to the exclusion of other options.

As headlines from the Iran war fade, the risk of damaging Iranian cyberattacks will rise.

– Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. Published courtesy of Lawfare.


©2026 Global Cyber Security Report. Use Our Intel. All Rights Reserved. Washington, D.C.