Iranian hackers have laid the groundwork to carry out extensive cyberattacks on U.S. and European infrastructure and on private companies, and the U.S. is warning allies, hardening its defenses and weighing a counterattack, say multiple senior U.S. officials.
Despite Iran having positioned cyber weapons to carry out attacks, there is no suggestion an offensive operation is imminent, according to the officials, who requested anonymity in order to speak.
Cyber threats have been a major theme of the 2018 Aspen Security Forum, with administration officials from Director of National Intelligence Dan Coats, FBI Director Chris Wray, and Deputy Attorney General Rod Rosenstein all warning of the pervasive danger from Russia, China, Iran, and North Korea.
In Aspen Thursday, Coats said that Russia was a more active cyber foe than Iran or China — "by far" the most aggressive, he said.
While Russia may be the most aggressive, the U.S. officials said Iran is making preparations that would enable denial-of-service attacks against thousands of electric grids, water plants, and health care and technology companies in the U.S., Germany, the U.K. and other countries in Europe and the Middle East.
A spokesperson for the Iranian mission to the United Nations charged the U.S. is the aggressor in the cyber domain. "Iran has no intention of engaging in any kind of cyber war with the U.S.," the spokesperson, Alireza Miryousefi, said in a statement. "Frankly, from our perspective, it's more likely the U.S. wants the supposed suspicion of an attack as rationalization for a cyberattack against Iran."
"The U.S. is the most belligerent cyber attacker of any nation in the world, repeatedly attacking military and civilian targets across the world including in Iran," said Miryousefi. "The U.S. has also undermined international efforts to establish global rules surrounding cyber issues. While we cannot comment on specific cyber capabilities or operational detail, we can say that our cyber activities are defensive in nature and necessary for our country's protection."
A spokesperson for the National Security Council declined to comment.
The U.S. has not yet decided whether it will retaliate in the event of an attack, according to U.S. officials, but the White House has already begun to ready new sanctions against Tehran and continues to amp up its anti-Iran rhetoric as it builds a case for its more confrontational stance.
President Donald Trump withdrew the U.S. from the multinational 2015 nuclear deal with Iran in May, and the U.S. government has warned that if other nations follow suit Iran could retaliate in the cyber domain. Though Iranian hackers have previously probed U.S. infrastructure, targeting U.S. electrical grids alone would mark a significant escalation in Iran's use of cyber-warfare to date.
After the U.S. pulled out of the nuclear deal, known as the Joint Comprehensive Plan of Action (JCPOA), Homeland Security Secretary Kirstjen Nielsen testified before Congress that the U.S. was "anticipating it's a possibility" that Iran would increase cyberattacks in the coming weeks and months and that the U.S. "will be prepared." Nielsen said the U.S. has a posture called "shields up" it can institute when anticipating a possible attack.
Should the JCPOA collapse entirely, said Behnam Ben Taleblu, an Iran expert and a fellow at the Foundation for Defense of Democracies, a conservative think tank in Washington, the infrastructure of Western countries might be an attractive target to the Iranians.
"Iran has a penchant for using such tools against the West," said Ben Taleblu. "The cyber domain permits the Islamic Republic to engage in graduated escalation, a hallmark of Iranian security policy."
U.S. officials have alerted America's allies in Europe and the Middle East to the potential Iranian threat and have begun preparing a menu of possible responses, according to both current and former U.S. officials. It's unclear if the options include a preemptive cyberattack to deter Iran from launching one.
Senior U.S. officials remain divided over the use of a pre-emptive cyberattack.
Some administration officials have argued in favor of offensive cyber operations, while others, including the former White House official who was overseeing the policy, have advised against that, one former White House official said.
The disagreement has in part delayed the finalization of the Trump administration's overall cyber policy, according to one former official.
The cyber threat comes as the Trump administration has focused more publicly on Iranian threats.
The Trump administration is poised to adopt new sanctions against Iran this summer as part of its withdrawal from the JCPOA. Trump's decision to pull out on May 8 began a 90-day clock for the U.S. to reinstate sanctions on Iran.
The administration has also suggested recently that Iran is using its embassies to plan terrorist attacks, following the disruption of an alleged plot in the Iranian embassy in Austria to bomb a meeting of opposition leaders in Paris. Iran called the allegations "baseless" and "preposterous," saying the plot was a "false flag" operation staged by regime opponents.
Secretary of State Mike Pompeo has led the charge against Iran, warning during a visit to the United Arab Emirates that Iran would pay "a high cost" for its aggression in the region after Tehran threatened to close the Strait of Hormuz to disrupt Middle East oil supplies.
Pompeo also said in an interview with Sky News Arabia that the Trump administration is planning "a number of things" to confront Iran, including "a series of sanctions aimed not at the Iranian people, but rather aimed at the singular mission of convincing the Iranian regime that its malign behavior is unacceptable and has a real high cost for them."
Current and former U.S. officials noted that Iran has a history of using cyberattacks to retaliate against such actions. Its use of cyberattacks subsided after the U.S. and other world powers reached the 2015 nuclear agreement.
"Iran's interest in offensive cyber operations is well known and America and its partners would be well advised to consider the likelihood that Iran will mount cyber operations as sanctions are imposed," said Norman Roule, a former top CIA official on Iran.
U.S. intelligence officials recently have observed Iranian hackers probing America's electric grid, which cyber experts say they have done in the past.
"The Iranians have been doing these types of probes for years now — mapping out the networks of critical infrastructure to find potential vulnerabilities," said James Lewis, who worked on cyber security and intelligence as a senior State Department official.
An attack on infrastructure would be far more aggressive than previous Iranian cyberattacks, which have largely focused on American business entities and targets in Persian Gulf states and Israel, said cyber experts who advise U.S. government agencies and corporations.
"It seems like their attention has been very focused on regional adversaries," said Adam Meyers, vice president of intelligence at CrowdStrike.
The U.S. and Iran have a history of trading cyberattacks. In 2016, U.S. prosecutors charged seven Iranian computer experts linked to the government with a series of cyberattacks on U.S. banks and a New York dam.
Four years earlier, Tehran was accused of unleashing a computer virus known as Shamoon that erased data on tens of thousands of computers at Saudi Aramco, the Saudi state-owned oil company.
Last year, a sophisticated assault on a petrochemical plant in Saudi Arabia nearly succeeded in sabotaging operations and triggering an explosion. Cyber security experts said Iran was almost certainly behind the attack.
In written testimony presented to Congress in March, DNI Coats wrote, "Iran's cyberattacks against Saudi Arabia in late 2016 and early 2017 involved data deletion on dozens of networks across government and the private sector."
In 2010 it became publicly known that the U.S. and Israel had unleashed a destructive cyber weapon against Iran's nuclear program known as Stuxnet, a targeted, sophisticated computer virus that caused physical damage to Iran's nuclear centrifuges.
The Trump administration's increasingly bellicose rhetoric about Iran has raised concerns among lawmakers on Capitol Hill that this could be reminiscent of the George W. Bush administration's push to invade Iraq in 2003, which relied in part on now-discredited intelligence. In an op-ed article in The Atlantic published July 13, Sen. Tim Kaine, D-Va., compared the language to the days leading up to the war in Iraq.
"I fear the United States is on the verge of blundering into another unnecessary war with Iraq's next-door neighbor Iran. The same warning signs are on the horizon, and I hope we will turn back from the foolish path we seem to be taking," wrote Kaine, the former Democratic nominee for vice president. "We cannot afford another unnecessary war, and Congress and the public must be vigilant to stop it."
U.S. intelligence had previously warned about growing cyber threats from Iran and other, sometimes more technically advanced countries.
In his March 2018 written testimony to Congress, Coats wrote that Russia, Iran, and North Korea "are testing more aggressive cyberattacks that pose growing threats to the United States and U.S. partners."
Coats wrote that U.S. intelligence agencies assessed that "Iran will continue working to penetrate U.S. and Allied networks for espionage and to position itself for potential future cyberattacks, although its intelligence services primarily focus on Middle Eastern adversaries — especially Saudi Arabia and Israel."
On July 13, Coats told the Hudson Institute in Washington that the warning signs about coming cyber threats are similar to the signs the U.S. saw before Sept. 11, 2001.
"The warning lights are blinking red again," said Coats. "Today the digital infrastructure that serves the country is literally under attack." Coats said Russia was the worst offender, but also named Iran, China and North Korea as adversaries.