Iranian Cyber Threat – Action Plan

In light of the killing of General Soleimani, there has been rampant speculation about what responses Iran might take and whether those would include cyberattacks.

While we can’t know for sure what Iran will do, we assess with moderate confidence that:

1. Iran will operate as a rational actor
2. Iran benefits from avoiding a kinetic escalation (e.g. war) with the US
3. Iran realizes war is not in its interests and will tailor any cyberattacks with the avoidance of further escalation in mind

Iranian linked threat actors have conducted destructive cyber attacks in the past and we assess with high confidence that they will continue to do so. Every threat is the intersection of:

1. Intent
2. Opportunity
3. Capability

We assess with high confidence that Iran has the capability to perform destructive cyberattacks and that some subset of target organizations will have already provided Iranian hackers with access opportunities. It follows then that the intent assessment is what matters most in this case.

We assess with moderate confidence that Iran will not attack critical infrastructure (life safety systems, utilities, power generation, power distribution, healthcare, public safety, etc.) unless they view kinetic responses by the US as inevitable. Destructive attacks on these targets would likely result in kinetic retaliation by the US. As stated earlier, we do not believe Iran desires a kinetic escalation with the US.

We assess with low confidence that Iran (or proxies) will conduct destructive cyberattacks against US organizations in other verticals. We assess that the two most likely verticals are financial services and manufacturing. We believe that Iran will desire to demonstrate impact to the US population without triggering kinetic response, and these two industries serve that purpose well. Of course other verticals could be targeted. We do not assess that the retail sector will be targeted since it will likely fail to create the desired impact.

Action steps

Rendition analysts have created a three step action plan specific to the threat of destructive cyberattacks, the assessed most likely attack activity from Iran.