In May, President Donald Trump announced that the United States would withdraw from the 2015 nuclear agreement negotiated by the Obama Administration, which was designed to keep Iran from developing or acquiring nuclear weapons. As part of that reversal, the Trump administration reimposed economic sanctions on Iran. From the start, the US actions stoked tensions and fear of Iranian retaliation in cyberspace. Now, some see signs that the pushback has arrived.

Iranian state-sponsored hacking never stopped entirely; it has continually targeted neighbors in the Middle East, and often focused on the energy sector. But while concrete attribution remains elusive, a wave of recent digital attacks has led some security analysts to suggest that Iranian state-sponsored hackers may have ramped up their digital assaults against the US and Europe as well.

"If you look at these groups, they’re not hacking for money, what they’re doing is very much nation state motivations," says Eric Chien, a fellow in Symantec's security technology and response division. "So if we continue to see some sort of geopolitical issues in the Middle East, you’re definitely going to see continued attacks. If those geopolitical issues start to get resolved then you’ll see it go back to background noise. It’s very reactionary, and very much related to what’s going on in the geopolitical world."

Chien stresses that attribution is murky for recent incidents and that it's not known whether Iran has launched a comprehensive campaign.

The most direct potential tie to Iran comes from a new wave of attacks utilizing a variant of the famously destructive virus called Shamoon. Known for its use in a 2012 attack on the Saudi Arabian state-backed oil company Saudi Aramco, Shamoon attempts to exfiltrate, wipe, and neuter servers and PCs it infects, giving attackers access to a target's information while wreaking havoc on its systems. One of the victims so far was the Italian oil company Saipem. The company says that it will be able to recover from the incident without losing data, but would not say who it suspects was behind the attack. Saudi Aramco is a large Saipem customer.

Researchers who have tracked Shamoon for years say that the new variant has similarities to its predecessors, which were attributed to Iranian state-sponsored hackers. This doesn't definitively mean that this new malware was created by the same actor, but so far analysts say that the new Shamoon attacks recall past assaults.

The actors behind Shamoon "have this sort of habit of going away with years even in between and then suddenly showing up again," Chien says. "And then when they show up they hit a handful of organizations on a scale you can count on your fingers all at the same time, and then they sort of disappear again."

This tracks with Saipem's public comments about the incident, as well as Symantec research that indicates Shamoon hit two other gas and oil industry organizations the same week—one in Saudi Arabia, and another in the United Arab Emirates. Researchers at the security firm Anomali also analyzed a new Shamoon sample that may be from a second wave of attacks. And analysts at the threat intelligence firm Crowdstrike say they have seen evidence of multiple recent victims.

Recent Shamoon activity is a continuation of the malware's resurgence in 2016 and 2017, according to Crowdstrike vice president Adam Meyers. But while the previous iterations of Shamoon were more of a static tool for exfiltrating and wiping data, a new version emerged in 2016 that could be modified to have different combinations of functionality. It could be customized to encrypt and overwrite files, destroy the boot device, wipe attached hard drives, destroy the operating system, or wipe specially prioritized files. Crowdstrike sees the recent attacks as leveraging that flexibility, rather than representing a new generation of the malware, which it says strengthens the link to Iran. Other firms have called the malware used in these latest attacks "Shamoon 3," suggesting that it is instead a next-generation variant that may or may not have originated with Iranian hackers.