People burn a poster representing US President Donald Trump to protest against the killing of Iranian commander Qasem Soleimani in Iraq.

A former CIA officer told CNBC on Thursday that it's likely Iran will carry out small-scale cyberattacks to avoid U.S. retaliation.

"They perfectly understand that the U.S. is very powerful and isn't going to tolerate a catastrophic attack," said Carol Rollie Flynn, former executive director of the CIA Counterterrorism Center.

"More likely are hit-and-run sorts of attacks," she added in a "Squawk Box" interview.

U.S. officials are preparing for a potential onslaught of attacks from Iranian hackers after last week's U.S. airstrike killed Iran's top military leader, Qasem Soleimani, at Baghdad's airport.

Some groups — including the Foreign Policy Research Institute think tank, of which Flynn is president — have already been hit by what she describes as a "probably Iranian disinformation campaign."

Additionally, several websites across the globe were hit with cyberattacks that defaced them with images and slogans supportive of Soleimani. The hacked websites displayed images of a fist-punching Trump among other anti-American rhetoric. Victims included the U.S. Federal Depository Library Program and the Commercial Bank of Sierra Leone.

In a statement, however, the Department of Homeland Security expressed doubt that these attacks were actually state-sponsored by Iran.

Rather than attempt to hit highly secured agencies like the military or financial services, Flynn said it's likely Iranian hackers will continue deceptive practices on "lesser targets."

"They have capabilities probably ready to go," she said.

At the same time, she said, "They don't want us to retaliate against them. They have felt that before."

Iran has carried out cyberattacks on the U.S. before. While it does not operate at the scale of Russia or China, its capabilities have grown over the past decade, Flynn said.

Between 2012 and 2013, Iranian hackers carried out a series of attacks on the largest U.S. financial institutions including Bank of America and Citigroup. Las Vegas Sands was attacked in 2014 over owner Sheldon Adelson's support for Israel and calls for attacks on Iran.

The current attacks come as businesses have never spent more on cybersecurity, with their spending estimated to have reached $124 billion in the fourth quarter alone.

"Smart businesses should have good governance policies and procedures that their employees are well versed in," Flynn said.

— CNBC's Kate Fazzini and Reuters contributed to this report.