U.S. braces for cyberspace retaliation from Iran

Illustration: Aïda Amer/Axios
Critical infrastructure operators are on high alert for potential Iran-backed cyber retaliation following the weekend's military strikes that killed the country's supreme leader and several other senior officials.
Why it matters: Iranian actors — both state-linked and loosely affiliated — have a history of targeting U.S. water and gas systems, even outside the context of an open military conflict.
State of play: Iran-aligned hackers and self-described hacktivist groups have stepped up activity against entities in the Middle East, the U.S. and parts of Asia following the Feb. 28 airstrikes, according to CrowdStrike.
- Hydro Kitten, a group that operates on behalf of the Islamic Revolutionary Guard Corps, has signaled plans to target the financial sector, Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said in a statement yesterday.
Threat level: "They are a very potent, hostile power," retired Gen. Paul Nakasone, former head of the NSA and Cyber Command, said at the Crosscurrent conference in Sausalito, California, yesterday about Iran's cyber prowess.
- "We as a nation need to make sure that we're vigilant in terms of what they're doing," he added.
- James Turgal, a former FBI official and now vice president of cyber risk and board relations at Optiv, said that over the next month he expects more distributed denial-of-service attacks, doxxing, data leaks and website defacements, as well as potentially more significant intrusions.
- U.S. energy, water, transportation and telecom sectors are likely targets for higher-impact attacks during that period, he added.
Iran has long used cyber operations to retaliate against political adversaries, including targets in neighboring countries and the U.S.
- Last year, an Iranian national pleaded guilty to participating in a ransomware scheme that targeted several U.S. cities, corporations and health care organizations.
- During the 2024 election cycle, Iranian actors hacked Trump's presidential campaign via spear phishing.
- In 2022, Iranian state-sponsored hackers deployed file-encrypting ransomware and wiper malware against the Albanian government, knocking its websites and online services offline.
Between the lines: Iranian cyber operators often blend espionage, disruption, destructive activity and online disinformation.
- They also benefit from a network of hacktivists willing to act independently in defense of the regime.
What they're saying: "As Iran considers its response to U.S. and Israeli military actions, it is likely to activate any of these cyber actors if it believes their operations can deliver a meaningful retaliatory impact," Cynthia Kaiser, a former FBI cyber official and current senior vice president of Halcyon's ransomware research center, warned over the weekend.
Yes, but: Meyers cautioned that "at this stage, much of the activity being publicized appears to be claim-driven rather than evidence-backed."
The big picture: The threat comes while lawmakers battle over funding to reopen the Department of Homeland Security, including the Cybersecurity and Infrastructure Security Agency.
- "We know adversaries are looking for any perceived vulnerability to strike, and the second DHS shutdown in six months is exactly the kind of weakness they would seek to exploit," Rep. Andrew Garbarino (R-N.Y.), chair of the House Homeland Security Committee, said in a statement yesterday.
- CISA is operating at 38% of its staffing capacity during the shutdown.
- DHS Secretary Kristi Noem said in a statement yesterday that she is "in direct coordination with our federal intelligence and law enforcement partners as we continue to closely monitor and thwart any potential threats to the homeland."
What to watch: If the conflict spreads, additional cyber actors may retaliate.
- Israel reportedly hacked a widely used Iranian prayer app and pushed a notification urging members of the country's military to defect.
- Pro-Iranian hackers claimed they breached the Jordan Silos and Supply General Co., a major wheat management system, through a phishing campaign, according to an activity report shared by security firm Flashpoint. The Jordanian government later said it thwarted the attack.
