Pro-Iranian hackers are targeting sites in the Middle East and starting to stretch into the United States during the war, raising the risk of American defense contractors, power stations and water plants being swept into a wave of digital chaos, cybersecurity experts told the Associated Press. The goal, the experts said, is to wear down the American war effort, drive up energy costs, strain cyber resources and cause as much pain as possible for U.S. companies that depend on the defense industry.
“Something is going to happen because the gloves are off,” said Kevin Mandia, founder of the cybersecurity companies Mandiant and Armadin.
Hackers supporting Iran claimed responsibility Wednesday for a cyberattack against Stryker, a Michigan-based medical technology company. A group known as Handala said the attack was in retaliation for suspected U.S. strikes that killed Iranian schoolchildren. Ismael Valenzuela, vice president of threat intelligence at the cybersecurity company Arctic Wolf, said profit is not Handala’s goal. “What distinguishes this group is its clear focus on data destruction rather than financial extortion,” he said in a statement.
MSI previously reported on the growing cyber threat from Iran-linked hackers targeting U.S. interests as the military campaign in Iran escalated. In that report, experts detailed how the digital front of the conflict has expanded beyond the battlefield.
Since the war began, Iranian-linked hackers have also tried to penetrate cameras in neighboring Middle Eastern countries to improve Iran’s missile targeting. They have targeted data centers in the region, as well as industrial facilities in Israel, a school in Saudi Arabia and an airport in Kuwait. Pro-Iranian hackers openly discuss their plans in Telegram and other online message boards. “The datacenters need to be taken out,” wrote one user, as uncovered by researchers at the U.S.-based SITE Intelligence Group. “They host the brains of USAs military communication and targeting systems.”
U.S. defense contractors, government vendors and businesses that work with Israel are likely targets going forward, experts said, as is critical infrastructure such as hospitals, ports, water plants, power stations and railways. Many local water plants and health care facilities lack funds and expertise to maintain cybersecurity, making them vulnerable to denial-of-service attacks, website defacements and hack-and-leak operations.
“Patch your systems. Ensure your firewalls and security solutions are up to date,” said Shaun Williams, a former FBI and CIA officer now a senior director at the cybersecurity firm SentinelOne. “Remove your stale accounts. All the cyber hygiene that you should be doing, it’s more critical now than ever. Prepare for disruption.”
Iran has invested heavily in offensive cyber capabilities while cultivating ties to hacking groups. In recent years, groups working for Tehran have infiltrated the email system of President Donald Trump’s campaign, targeted U.S. water plants and tried to breach networks used by the military and defense contractors. The activity prompted the Department of Homeland Security to issue a public warning last year about Iranian cyber threats.
“Iran and especially the proxies don’t care how big or smart you are. This is about making an impact, about creating chaos,” said James Turgal, a cybersecurity expert who spent 22 years as an FBI agent and is now a vice president at Optiv, a Denver-based information security firm.
Experts are watching to see if Russia, China or hacking groups allied with either country provide assistance to Iran. While China has taken a cautious approach, researchers at CrowdStrike detected a surge of activity from Russian hackers in support of Tehran since the war began. One group known as Z-Pentest claimed responsibility for disrupting several U.S. networks, including some involved in closed-circuit video cameras. The timing suggests the hackers were targeting U.S. interests because of the war, according to Adam Meyers, head of counter adversary operations at CrowdStrike.
“Western organizations should continue to remain on high-alert,” Meyers said.