Should U.S. banks be concerned about possible cyberattacks from Iran following the killing of its top general, Qasem Soleimani, in a U.S. drone attack in early January?
Two federal banking regulators apparently think so.
The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a joint statement on Jan. 16 — 13 days after Soleimani’s assassination — to “remind supervised financial institutions of sound cybersecurity risk management principles,” including response and resilience capabilities, strong authentication controls and securely configured systems.
Iran responded to Soleimani’s killing four days later by firing missiles at two U.S. military bases inside Iraq, but that may not be the end of the matter. A short news item in the Jerusalem Post on Feb. 2 quoted Hashim Al-Haidari, an official in the Popular Mobilization Forces, a Shiite militia group that serves as an umbrella organization for a number of Iran-backed militias operating in Iraq, as saying that Iran’s initial reprisal was just a “first slap” and that “hard revenge” was coming.
What form might that revenge take?
Iran’s missile attack was a carefully calibrated reprisal, intended to limit the possibility of a major U.S. counterattack, according to Jamil Jaffer, senior vice president for strategy, partnerships and corporate development at IronNet Cybersecurity. The Fulton, Maryland-based consulting firm was co-founded by Keith Alexander, a retired four-star Army general who was director of the National Security Agency and the first commander of the U.S. Cyber Command.
“They were very careful to control the way they responded in that one instance … but I also don’t think we’ve seen the end of the Iranian response,” Jaffer says. “They are likely to come at us again, whether that’s because they’re returning to their old behaviors or because they want to continue to respond to the killing of Soleimani — or maybe a little bit of both — but they will come back again because it’s how they operate.”
Jaffer says that Iran might respond in one of two ways (or perhaps even both). The first would be traditional terrorist attacks on overseas targets intended either to kill people or damage important infrastructure, like the September 2019 attack on Saudi Arabia’s state-owned oil company, Saudi Aramco. These direct attacks will most likely occur outside the United States and could involve U.S. allies like Saudi Arabia, a regional adversary of Iran. “I think they recognize that an attack like that, conducted inside the United States, would result in catastrophic consequences for their regime, and I don’t think they’re looking to do that,” Jaffer says.
A more likely longer-term response from Iran might be cyberattacks on targets inside the United States, including banks. Why banks? Because they are a critical component in the country’s financial infrastructure.
“Physical attacks are much more binary,” Jaffer says. “Either you go blow something up or you don’t, you kill somebody or you don’t, you attack a facility or you don’t. Cyberattacks can be ratcheted up or down in real time. You can go from a nuisance attack to destroying data and [then] back off of that. You can modify how you’re behaving, so they’re dynamically scalable in scope and nature.”
Cyberattacks also provide the source with some element of plausible deniability. “Iran wants to be seen as responding to the Soleimani attack, but they also at times want to be able to say, ‘Yeah, but it wasn’t really us.’ Even though they want you to know it was them and even though they in fact did it, they also want to be able to deny it publicly,” Jaffer explains.
Jaffer says that Iran’s cyber warfare skills should be taken seriously. “They have real capabilities,” he says. In 2014, Iran launched a highly destructive cyberattack on the Las Vegas Sands Corp., where according to Jaffer “they went in and bricked computers and deleted data.” A bricked computer is one that has been rendered useless through a cyberattack and cannot not be repaired through normal means, like installing a new operating system. Why would Iran target Las Vegas Sands? The casino company’s CEO, Sheldon Adelson, is a major supporter of Israel and once said the U.S. should consider dropping a nuclear bomb on Iran.
Between December 2011 and September 2013, Iran launched distributed denial of service attacks against 46 major U.S. financial institutions, according to a federal indictment against a group of Iranian hackers filed by the U.S. Department of Justice and the Southern District of New York. According to the indictment, these institutions incurred tens of millions of dollars in remediation costs. Banks should always be focusing on their cybersecurity defenses, of course. But the current hostilities between the U.S. and Iran, combined with Iran’s demonstrated willingness to use its cyber warfare against U.S. companies including banks, serves as a reminder that an ounce of prevention might be worth a pound of cyber cure.