Iranian Cyber Attacks: What’s Coming Next

Iranian Cyber Attacks: What's Coming Next

Image courtesy of

Given the U.S.’ recent military engagement with Iran, the question everyone is now asking is whether the cessation of military activities means this is all over, or whether another shoe will soon be dropping.

While no-one has a crystal ball, looking at our overall historical engagements with Iran, it’s pretty clear that the next phase of this engagement will be in the cyber realm; indeed, our relationship with Iran in the cyber domain over the past decade has been marked by ongoing escalations and de-escalations of cyber engagements with Iran (or 3rd party affiliates acting on their behalf), corresponding with the ups and downs of our overall political engagements with Iran. As such, there’s a high probability that cyber intrusions, attacks, or other malicious activity from Iran, or its surrogates, are now on their way.

Looking at Iran’s past cyber attacks around the world, we can categorize the potential threat into 3 categories:

  1. Web Defacements
  2. Denial of Service (DDOS) and other attacks on the availability of a website
  3. Destruction of data, such as wiping the computers of a company and destroying all of their data

Of the 3 above, obviously destruction of data is probably the most scary to ponder.  Web defacements are good for messaging – something Iran is fond of (such as hacking into a website and posting a message to further the Iranian agenda) – and costly to the victim to recover from, but are for the most part, more of an annoyance and short-lived.

Denial of Service (DDOS) attacks can be more troubling and have longer-term impact. For example, the 2011 – 2012 DDOS attacks on almost 50 U.S. financial service companies, subsequently attributed to Iran, caused inconvenience to 100,000’s of customers, and cost the companies millions of dollars in damages to recover from.

But obviously, the biggest concern is the destruction of data.  Iran is now well-known for their attacks on Saudi Arabia’s Aramco energy company, using a piece of malware called Shamoon to wipe tens of thousands Aramco’s computers, causing massive damages in terms of monetary and reputational costs.  They allegedly updated this malware, nicknamed Shamoon 2, to attack new Saudi targets, to include governmental offices and other targets.

Most recently, we have seen 2 recent pieces of reporting that raise the likelihood that this may be one, of perhaps many, bands of cyber attacks by Iran. Specifically:

  • In December 2019 IBM warned of a new form of wiper malware it called ZeroCleare, which overwrites the Master Boot Record and disk partitions on Windows machines, and is alleged to have already been used against industrial and energy sectors (it has been attributed to Iran-backed hackers); and
  • One of the more concerning Iranian hacker groups, known as APT33, is rumored to have spent years developing sophisticated payloads with Powershell implants exploits, which could allow them to potentially meddle with critical infrastructure like financial systems or industrial control systems.

Of course, where, whether and when they hit is an open question, as they could potentially hit the US or one of its allies. For more of my thoughts on what form these attacks may take, and against whom, please check out the OpEd I recently published in the Hill:

And please listen to a recent interview I did on this topic:

Joel Schwarz

Joel Schwarz is Managing Partner with the Schwarz Group LLC and an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He previously served as the Civil Liberties and Privacy Officer (CLPO) for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Dept. and N.Y. State Attorney General’s Office. Joel frequently speaks and writes on privacy matters (to include student data privacy and privacy in Education Technology), is a member of the Student Data Privacy Consortium (SDPC) and is Privacy & Security Vice-Chair of the Montgomery County PTA’s Safe-Tech Committee.