The views expressed by contributors are their own and not the view of The Hill

Don’t assume Iran will be behind the next big cyber attack

Americans have become fixated on the possibility of Iran launching deadly attacks in retaliation for President Donald Trump’s decision to kill Quds force leader Qassem Soleimani. Such fears are grounded in reality, as Iran has a long track record of lashing out after being struck by the American military.

What gives this latest round of tit for tat a decidedly 21st century spin is the specter that Iran will unleash its cyber arsenal as part of any retribution. Iran has both verifiably formidable cyberwarfare assets and a history of using them, so Americans are right to be concerned.

Recent events though raise another, perhaps even more insidious scenario: that America’s other enemies will use this latest flare up as an opportunity to launch false flag cyberattacks. America’s global rivals have in fact been practicing that kind of cyber campaign, and so Washington needs to be careful before assuming that the next big cyberattack is the work of a vengeful Tehran.

Over the past decade Iran has conducted a series of impressive cyberattacks across the globe, including hacking into American critical infrastructure like banks and dams. It has also launched damaging cyberattack overseas, for instance destroying thousands of computer systems at a Saudi Aramco facility.

The truth is that when it comes to truly destructive attacks, Iran typically relies on conventional military hardware. Consider that when Iran — or its proxies —undertook a strike on a Saudi Aramco oil refinery last fall, the weapon of choice was physical: explosive-laden drones and cruise missiles. Saudi oil production dropped by more than 50 percent as a result of that attack, far greater than anything it had ever accomplished via cyberattack.

Still, given Iran’s proven cyberwarfare capabilities and its stated desire to avenge Soleimani’s death, there will be a strong temptation to assume that any destructive cyberattack on American assets in the next few weeks or months will be Iranian-sponsored.

That gives a perfect opening to American enemies who wish to launch damaging cyberattacks but let other countries take the blame. Such cyber false flag attacks, specifically ones deliberately crafted to wrongly place responsibility at Iran’s feet, have in fact already happened.

Consider the following: last fall UK security officials reported that a number of cyberattacks assumed to have been conducted by a well-known Iranian hacker group were in fact the handiwork of Russian intelligence officials.

In a nifty bit of tradecraft, the Russian FSB-backed hacker group “Turla” surreptitiously took control of an Iranian hacker organization, and then without the Iranians’ knowledge used their tools to conduct at least 20 different cyberattacks across the globe.

Russian intelligence officials were able to maintain this ruse for more than 18 months, fooling security officials in the UK and the U.S. 

Part of the reason for Russia’s success was that Western intelligence officials had previously only suspected Moscow of mimicking foreign hackers, not actually assuming their identities and hijacking their assets. U.S. and UK officials were caught off guard by Russia’s bold move, especially because the Russians even went so far as to steal code from Iran that allowed them to build and launch Tehran “branded” viruses.

UK officials noted that what the Russians had pulled off was a uniquely sophisticated and complex effort, and it should now be considered an attack method that they will likely use again.

There are multiple benefits to Russia for launching new false flag hacks. Beyond the obvious value in passing the blame off on Iran, Russia stands to benefit politically and economically if America is prodded into a hotter conflict with Tehran.

One sure side effect of such a conflict would be a further increase in global oil prices, an outcome that would directly benefit Moscow’s economy. Additionally, experts believe that Vladimir Putin would welcome a more intense U.S./Iran conflict as that would take the focus off of his Eastern European misadventures.

None of this is to say that cyberattacks by Iran against the U.S. are unlikely — Tehran indeed certainly has shown a penchant for deploying its virtual arsenal, and so America needs to be vigilant. At the same time, the White House should be careful to make sure that when Iran has apparently launched a new cyberattack, the mullahs are indeed the actual cyber-perps. Failing to confirm an Iranian link could result in Washington being tricked into an unnecessarily distracting Middle Eastern briar patch.

Brian Finch is a cybersecurity attorney with Pillsbury law firm based in Washington D.C.