A U.S. airstrike that killed Qassem Soleimani, the leader of Iran’s Islamic Revolutionary Guard Corps’ elite Quds Force, could escalate the battle the two countries already have in cyberspace, experts warned Jan. 3.

The two countries were in a protracted cyber battle for most of 2019, but the death of Soleimani, one of the most influential figures in Iran and the Middle East, opens the door to a wider, more deadly, swath of retaliation.

The Iranian response, experts told Fifth Domain, will likely include cyberattacks, but almost certainly will include lethal attacks on U.S. personnel or regional allies. One expert described a response primarily reliant on cyberattacks to be the “best case scenario for the United States."

“They’re going to want bloodshed in response for this,” said James Lewis, senior vice president and director of the technology policy program at the Center for Strategic and International Studies. He added “[turning] off the lights in Utah ... isn’t going to make them feel better.”

Other experts warned of similar action.

Don’t expect an invasion of Iran to be TikTok’d Apps provide one way to turn the tracking information of smartphones into an intelligence asset for adversaries.

“We should really be worried about people dying,” said Jon Bateman, a fellow in the cyber policy initiative at the Carnegie Institute for International Peace and former senior intelligence analyst for Iran at the Defense Intelligence Agency. “There’s the possibility of the outbreak of some sort of full-blown war. There’s the possibility of terrorist attacks, or covert action against U.S. officials, diplomats and troops in the region.”

Priscilla Moriuchi, director of strategic threat development at Recorded Future and former East Asia and Pacific cyberthreat expert at the National Security Agency, said that the response could “materialize in multiple scenarios.”

× Need a daily brief? We've got you covered. Sign up to get the top Cyber headlines in your inbox every weekday morning. Thanks for signing up. By giving us your email, you are opting in to the Daily Brief.

“Retaliatory measures could include the possible use of short-range ballistic missiles, cyber operations, bombings, and targeted assassinations," she said. "Although Iran possesses highly capable cyber operational forces, we believe the most likely targets of cyberattacks remain U.S. and partner interests regionally.”

What could an Iranian cyber response look like?

So where do the cyber capabilities of Iran, considered by experts to be among the most capable nation-state actors, fit into a potential response?

While Iranian cyberactivity has been relatively limited to the action within the Middle East, Lewis said that the killing of Soleimani could provide an incentive to conduct operations outside the region.

“They’ve done their homework,” Lewis said. “They’ve looked at the U.S. critical infrastructure, they’ve spied on the people who make industrial control systems, so they have the capability.”

Bateman, the former assistant to Gen. Joseph Dunford, the previous chairman of the Joint Chiefs of Staff, described the Iranian cyber capabilities as being technically innovative. He laid out five possible ways the Iranians could respond in cyberspace: distributed denial of service (DDoS) attacks; data deletion; attacks on industrial control systems; information operations; and cyberespionage to enable military action.

“Iran is a creative actor in cyberspace so it’s possible they could unveil some sort of operational concept that we haven’t seen before or a new capability that hasn’t previously been demonstrated,” Bateman said.

Data deletion, or a wiper attack, is considered a primary Iranian cybertool and one it would likely deploy this time, Bateman said. In June, after Iran shot down a U.S. drone and the U.S. government was considering a response, the Department of Homeland Security warned of such attacks being aimed at U.S. infrastructure.

In 2012, Iranian actors launched such an attack against oil giant Saudi Aramco. Iranian hackers then launched the same in 2014 against the Las Vegas Sands Casino Corporation. In 2016 and 2017, Iranian actors scaled their attacks against several Saudi government entities and companies.

The most concerning use of this attack would be on a U.S. military network, Bateman said. He added that Iran hasn’t directly attacked a U.S. network, but has penetrated at least one — the Navy’s unclassified internal network back in 2013.

“This is more of a concerning operational concept because it can cause permanent damage to a network and potentially destroy physical hardware,” Bateman said.

Cyberesionage to track and target personnel for assassination or terrorist attack is another possibility.

“In 2020, an attack like that could use some sort of cyber-related intelligence to be facilitated — whether that be tracking someone’s phone to get real-time geolocation or develop a pattern of life that can then be used to target them," Bateman said. “That’s something people should be very concerned about.”

Iranian actors have also used DDoS attacks to hurt U.S. banks starting in late 2011, though such tactics are a temporary measure that prevent the use of a network. Though it’s a less harmful attack, Bateman said that the Iranian attacks at the time were “quite technically innovative.”

Iranian actors are also thought to be behind the hacked and leaked cables of the Saudi Foreign Ministry in 2015. Iran could pursue a similar information operations route to cause public embarrassment for U.S. officials, Bateman warned.

In addition, Iran has proven its capability to penetrate industrial control systems. Last summer, Iranian cyber actors were blamed for intrusions into Bahrain’s water system. Bateman noted that while the country never publicly caused physical damage with a cyberattack, leaders warned that they could have learned from other actors that have, such as Russia’s attack on the power grid in Ukraine.

“That’s a capability that Iran has not publicly displayed, but would be conceivable for it to attempt because it’s been demonstrated by other actors and Iran has had time to learn from those operations and develop its own capabilities,” Bateman told Fifth Domain.

The news of the U.S. strike that killed Soleimani prompted Chris Krebs, director of the Cybersecurity and Infrastructure Security Agency at Department of Homeland Security, to tweet a reminder for organizations to “brush up” on Iranian tactics, techniques, and procedures in cyberspace.

In September, Krebs, whose agency is charged with protecting U.S. critical infrastructure from cyberattacks, said that the threat from Iran remained “very active” after a summer of high tension.

As for the target that Iran chooses, it’s difficult to predict, Bateman said. Iran’s goal in such a response, he said, is to impose a psychological toll on U.S. decision makers and to demonstrate resolve.

“A cyberattack by itself cannot make up for the loss of Soleimani, so instead Iran will try to exact some sort of psychological penalty,” Bateman said. "That means that it really can choose any vulnerable target that fits that bill.”

Repercussions of a cyber response

Iran has interests in keeping the U.S. allies in Europe in the Iran nuclear deal, but a major cyberattack on the United States could upset those European nations that Iran has relied upon, Allison Peters, deputy director of the national security program at Third Way, told Fifth Domain.

“A major cyberattack on our territory, which Europeans have also faced from Russia, Iran and other countries, I think, could change their calculus," she said. “They think Iran is really looking at Europe right now and trying to figure out what potentially its responses could be while not isolating them from Europe who’s tried to maintain the Iran deal.”

Still, with the death of a leader known for his connections to proxy groups, the cyber domain may not go far enough in terms of reassuring Iran’s network of proxy groups in the Middle East, said Daniel Byman, a senior fellow at the Brookings Institution’s Center for Middle East Policy.

A cyber response is “not going to have the same kind of cathartic, and from their point of view, deterrent effect as actual violence. So I can see it as a possibility but not as a replacement for more traditional force,” Byman said.

Cybersecurity experts from think tanks and industry released multiple statements Jan. 3 warning of the potential for a significant uptick in cyberactivity from Iran. But the threat is likely to be a combination of cyberattacks and physical attacks, experts stressed.

“If Iran were to somehow primarily use cyberattacks as its form of retaliation, that would be a best case scenario for the United States,” Bateman said. “If Iran ... used every [cyber] capability in its toolkit, we should count ourselves quite lucky.”

Mark Pomerleau of Fifth Domain and Aaron Mehta of Defense News contributed to this report.