Will Iran Target U.S. Banks?

Should U.S. banks be
concerned about possible cyberattacks from Iran following the killing of its
top general, Qasem Soleimani, in a U.S. drone attack in early January?

Two federal banking
regulators apparently think so.

The Office of the Comptroller of the Currency and the Federal Deposit Insurance Corp. issued a joint statement on Jan. 16 – 13 days after Soleimani’s assassination – to “remind supervised financial institutions of sound cybersecurity risk management principles,” including response and resilience capabilities, strong authentication controls and securely configured systems.

Iran responded to Soleimani’s
killing four days later by firing missiles at two U.S. military bases inside
Iraq, but that may not be the end of the matter. A short news item in the
Jerusalem Post on Feb. 2 quoted Hashim Al-Haidari, an official in the Popular Mobilization
Forces, a Shiite militia group that serves as an umbrella organization for a
number of Iran-backed militias operating in Iraq, as saying that Iran’s initial
reprisal was just a “first slap” and that “hard revenge” was coming.

What form might that revenge take?

Iran’s missile attack was a
carefully calibrated reprisal, intended to limit the possibility of a major
U.S. counterattack, according to Jamil Jaffer, senior vice president for
strategy, partnerships and corporate development at IronNet Cybersecurity. The Fulton,
Maryland-based consulting firm was co-founded by Keith Alexander, a retired
four-star Army general who was director of the National Security Agency and the
first commander of the U.S. Cyber Command.

“They were very careful to control the way they responded in that one instance … but I also don’t think we’ve seen the end of the Iranian response,” Jaffer says. “They are likely to come at us again, whether that’s because they’re returning to their old behaviors or because they want to continue to respond to the killing of Soleimani – or maybe a little bit of both – but they will come back again because it’s how they operate.”

Jaffer says that Iran might
respond in one of two ways (or perhaps even both). The first would be
traditional terrorist attacks on overseas targets intended either to kill
people or damage important infrastructure, like the September 2019 attack on
Saudi Arabia’s state-owned oil company, Saudi Aramco. These direct attacks will
most likely occur outside the United States and could involve U.S. allies like
Saudi Arabia, a regional adversary of Iran. “I
think they recognize that an attack like that, conducted inside the United
States, would result in catastrophic consequences for their regime, and I don’t
think they’re looking to do that,” Jaffer says.

A more likely longer-term response from Iran might be cyberattacks on targets inside the United States, including banks. Why banks? Because they are a critical component in the country’s financial infrastructure.

“Physical attacks are much more binary,” Jaffer says. “Either you go
blow something up or you don’t, you kill somebody or you don’t, you attack a
facility or you don’t. Cyberattacks can be ratcheted up or down in real time.
You can go from a nuisance attack to destroying data and [then] back off of
that. You can modify how you’re behaving, so they’re dynamically scalable in
scope and nature.”

Cyberattacks also provide the
source with some element of plausible deniability. “Iran wants to be seen as
responding to the Soleimani attack, but they also at times want to be able to
say, ‘Yeah, but it wasn’t really us.’ Even though they want you to know it was
them and even though they in fact did it, they also want to be able to deny it publicly,”
Jaffer explains.

Jaffer says that Iran’s cyber
warfare skills should be taken seriously. “They have real capabilities,” he
says. In 2014, Iran launched a highly destructive cyberattack on the Las Vegas Sands
Corp., where according to Jaffer “they went in and bricked computers and
deleted data.” A bricked computer is one that has been rendered useless through
a cyberattack and cannot not be repaired through normal means, like installing
a new operating system. Why would Iran target Las Vegas Sands? The casino
company’s CEO, Sheldon Adelson, is a major supporter of Israel and once said
the U.S. should consider dropping a nuclear bomb on Iran.

Between December 2011 and September 2013, Iran launched distributed denial of service attacks against 46 major U.S. financial institutions, according to a federal indictment against a group of Iranian hackers filed by the U.S. Department of Justice and the Southern District of New York. According to the indictment, these institutions incurred tens of millions of dollars in remediation costs. Banks should always be focusing on their cybersecurity defenses, of course. But the current hostilities between the U.S. and Iran, combined with Iran’s demonstrated willingness to use its cyber warfare against U.S. companies including banks, serves as a reminder that an ounce of prevention might be worth a pound of cyber cure.