A move by President Donald Trump to discard the Obama-era nuclear deal with Tehran could bring a swift retaliation from an increasingly aggressive Iranian hacker army.

Some of those attacks might target America’s power plants, hospitals, airports and other pieces of critical infrastructure, multiple cyber experts who track Tehran’s hackers are warning. Iran’s current Western hacking is limited almost entirely to commercial espionage and dissident surveillance, but the country could quickly redirect its efforts in the event of a rupture of the nuclear pact.


Iran has spent years honing its digital skills through cyber campaigns that have pummeled regional adversaries, stolen trade secrets from foreign competitors and destroyed computers at the oil giant Saudi Aramco. And initially, the country also aimed its cyber forces at the U.S., launching a barrage of distracting attacks on the financial sector and even successfully infiltrating a dam in New York state.

But after the U.S. and six partners began discussions with Iran in 2013 to lift some economic sanctions in exchange for limits on Tehran’s nuclear program, the country’s hackers have largely spared the U.S., focusing instead on industrial espionage and hitting rival Middle Eastern powers.

Cyber experts say that would change if Trump and Congress abandon the nuclear agreement, which freed up roughly $100 billion in frozen Iranian assets after taking effect in 2015. Trump has strongly hinted he wants to ax the deal, telling the United Nations General Assembly last week that it was “one of the worst and most one-sided transactions the United States has ever entered into” and later saying he had already made up his mind on the issue.

“I personally think they’ll double down their efforts and we’ll start to see a lot more attacks,” said Stuart McClure, the CEO of security firm Cylance, which revealed one of Iran’s most pervasive hacking groups in 2014. “And we’ll probably see a lot more sophisticated attacks.”


Iranian hackers are not as skilled as those in Russia and China, but they are rapidly improving, experts say. And even if the country cannot develop certain digital tools itself, it can always buy them from Russia, China or the black market.

“They’re plenty good enough to cause a lot of difficulty,” said Ben Read, head of cyber espionage analysis at FireEye.

Tehran’s digital prowess was highlighted just this month when FireEye exposed a massive cyber espionage campaign targeting Saudi and South Korean aviation and energy firms. Researchers said the efforts reflected the regime’s desire to expand its economic competitiveness as the country integrates with the global market in the wake of the nuclear deal.

But for years prior to the nuclear talks, Iran also aggressively targeted Western institutions.

In the early 2010s, suspected Iranian hackers inundated the U.S. financial sector with a plethora of simplistic but bothersome distributed denial-of-service, or DDoS, attacks, which try to overwhelm a computer network with fake traffic. In 2016, the Justice Department indicted seven Iranians in such a campaign, accusing them of spending 176 days launching DDoS attacks on American banks between late 2011 and mid-2013, taking websites offline and rendering online bank accounts inaccessible. One of the hackers was also charged with infiltrating the control systems of a New York dam, a disquieting development, given the destruction that could be caused if the intruder had been able to manipulate the dam.

Iran changed its focus, though, once the country’s leaders came to the negotiating table with China, France, Germany, Russia, the United Kingdom, the United States and the European Union to discuss limiting Tehran’s nuclear program. Many countries have long been wary of a nuclear-armed Iran, fearing it would further destabilize the Middle East.

During the talks, Iranian hackers spied on Western diplomats to gather intelligence about negotiation strategies using a level of skill not seen before, said McClure, but they scaled back the DDoS attacks that had been battering the banking sector. Meanwhile, said Read, Iran also shifted away from destructive attacks on Western infrastructure, focusing these efforts instead “on their neighborhood.”

The parties signed the nuclear agreement in July 2015, after almost two years of formal talks.

Since then, Iran’s digital shift has continued, with the country deploying its ruinous digital power on its neighbors — mostly Saudi Arabia and the United Arab Emirates — while collecting corporate intel on its foreign competition. Religious rivalry has long dominated the Middle East, with Saudi Arabia and the UAE dominated by the Sunni branch of Islam and Iran controlled by the Shia branch.

In late 2016, cyber researchers identified a new Iranian hacking campaign targeting Saudi Arabia with a type of malware, dubbed Shamoon, that completely wiped the hard drives of infected computers. It was a variant of the same virus that had trashed tens of thousands of computers at the state-owned Saudi Aramco in 2012, erasing data on three-quarters of the firm’s computers and crippling one of the world’s most valuable companies.

But this muscular presence was increasingly absent at Western targets, researchers said. Adam Meyers, vice president of intelligence at the cybersecurity firm CrowdStrike, attributed the drop-off to Tehran’s need for cyber resources in its regional conflicts, rather than its desire to offer up a goodwill gesture following the nuclear deal.

If Trump and Congress reject the Iran nuclear deal, however, experts believe the country would swiftly train its focus back on the U.S. Trump has indicated that he may not recertify Iran’s compliance with the agreement, which would trigger a 60-day window in which Congress could reimpose sanctions on Iran. Those new sanctions would violate the deal and effectively remove the U.S. from it.

The White House did not respond when asked whether it was worried about Iranian digital retaliation if the U.S. left the nuclear deal.

Cyber specialists said that if the U.S. withdraws from the deal, not only will Iran resume full-scale hacking of American targets, but it will do so with greater discipline and capabilities than last time.

“We’ve seen them mature their offensive, destructive targeting at Saudis,” said Meyers. “They’ve developed a more mature way of thinking about establishing offensive cyber capabilities.”

McClure expects Iran would use more zero-day exploits, which are tools designed to take advantage of previously unknown technological flaws. Such tools are especially formidable because software engineers may not have a quick fix ready for the flaw being abused.

If Iranian operators can’t craft these tools, they could easily purchase them from other premier digital powers, such as China and North Korea, McClure said. Pyongyang’s No. 2 official recently spent 10 days in Iran, part of a possible effort to strengthen military ties. The two countries also inked a deal in 2012 to share information technology.

The financial sector and the oil and natural gas industries would likely be the first targets of Iran’s renewed digital assaults, according to Read, the FireEye analyst, because of the banking industry’s “importance to the U.S. and [the] importance of enforcing sanctions.”

“And with oil and natural gas,” he added, “that’s someplace where Iran has a lot of eggs in that basket.”

The one thing that might keep Iran’s hackers at bay if the deal falls apart would be the regime’s contentment to “stand back and enjoy watching the rest of the world turn against the U.S.,” said George Perkovich, vice president for studies at the Carnegie Endowment for International Peace, where he researches nuclear and cyber issues. Other signatories of the pact have already warned the U.S. against abrogating its terms.

Regardless, Tehran will be frustrated if the U.S. breaks the agreement, and experts agree the country’s digital warriors can help the regime project influence wherever it chooses to do so.

“We are very concerned and keeping close watch on what kinds of things might manifest against Western targets if that deal falls apart,” said Meyers.