When two countries begin to threaten war in 2019, it's a safe bet that they've already been hacking each other's networks. Right on schedule, three different cybersecurity firms now say they've watched Iran's hackers try to gain access to a wide array of US organizations over the past few weeks, just as military tensions between the two countries rise to a breaking point—though it's not yet clear whether those hacker intrusions are aimed at intelligence gathering, laying the groundwork for a more disruptive cyberattack, or both.

Analysts at two security firms, Crowdstrike and Dragos, tell WIRED that they've seen a new campaign of targeted phishing emails sent to a variety of US targets last week from a hacker group known by the names APT33, Magnallium, or Refined Kitten and widely believed to be working in the service of the Iranian government. Dragos named the Department of Energy and US national labs as some of the half-dozen targeted organizations. A third security firm, FireEye, independently confirmed that it's seen a broad Iranian phishing campaign targeting both government agencies and private sector companies in the US and Europe, without naming APT33 specifically. None of the companies had any knowledge of successful intrusions.

"Essentially, there have been many people targeted since these tensions increased," says John Hultquist, director of threat intelligence at FireEye. "We're not sure if it's intelligence collection, gathering information on the conflict, or if it's the most dire concern we’ve always had, which is preparation for an attack."

Some signs suggest the new targeting campaign is indeed a cyberespionage operation, an expected step from Iran given the rising saber-rattling between its government and that of the US—amid Iran's claim to have downed a US drone that breached its airspace and the Trump administration issuing warnings that it may retaliate. But the researchers also note that APT33 has links to data-destroying malware, and warn that the intrusion attempts could be the first step in that sort of more aggressive cyberwar operation.

FireEye has previously warned that while APT33 has in prior operations largely focused on traditional spying, it has also at times appeared to have destructive tools in its arsenal. In 2017, FireEye reported that APT33 infected some victims with "dropper" malware that had in other attacks been used to plant a piece of data-destroying code known as ShapeShift. Crowdstrike, too, says it has seen APT33's fingerprints appear in some intrusions where another piece of destructive malware known as Shamoon had been used, a wiper tool tied to a collection of sometimes-devastating Iranian sabotage campaigns across the Middle East.

In at least some of last week's intrusion attempts, the hackers sent potential victims an email lure posing as a job opening from the Council of Economic Advisors, an organization within the White House's Executive Office of the President. The email contained a link that, if clicked, opened a so-called HTML application or HTA. That in turn launched a Visual Basic script on the victim's machine that installed a malware payload known as Powerton, a kind of all-purpose remote access trojan. That Powerton malware, the HTA trick, and the job lure all fit the modus operandi of APT33, which in previous operations has used those techniques against oil and gas targets around the Persian Gulf region. Dragos also notes that the naming conventions for domains used in the phishing attacks' infrastructure match those earlier attacks.

The web page used as a lure for victims as part of a recent phishing campaign launched by APT33 hackers. Dragos/CrowdStrike

CrowdStrike's vice president of intelligence Adam Meyers points out that the economic focus of the job lure suggests that the Iranian hackers may be trying to learn more about the Trump administration's intentions around its trade sanctions against Iran, rather than any more aggressive cyberattack preparation. But he doesn't discount that, given the right target of opportunity, it might later pivot to more destructive sabotage. "I think this is probably intelligence collection. But any time they’re going to engage in that collection there’s the possibility it could be preparation for other operations," Meyers says. "Depending on what you get back you make an assessment. You say 'this is a good target, we could do something with this.'"