The US assassination of Qassem Suleimani has increased the likelihood that a decade of cyber-hostilities between the US and Iran could escalate into true cyberwarfare, security experts have warned.
And with tensions mounting and Iran threatening "severe revenge" over the killing, concerns have arisen that blowback could come in the form of hacking attacks on critical infrastructure sectors, which include the power grid, healthcare facilities, banks and communications networks.
Iran has invested heavily in its cyber-attack forces since the Stuxnet attack in 2010 - which saw the US and Israel degrade Iran's nuclear capabilities by means of a computer virus. It has demonstrated its capabilities with attacks on US banks and a small dam, and the US has countered with attacks on an Iranian intelligence group and missile launchers.
"We've seen a little espionage and sabotage, but we haven't seen that spill over into bloodshed," Josephine Wolff, a professor of cybersecurity policy at Tufts University Fletcher School, said. "Are they equipped to take out the power grid for a major portion of the populace? From the way they are talking right now, it sounds like if they do have those kinds of capabilities, this is the moment they might consider using them."
Historically, cyber-attacks between the US and Iran have de-escalated conflict between the two countries, Wolff said, providing a means to confront one another nonviolently. The killing of Suleimani may bring an end to that pattern, however.
"Because the initial aggravation on the part of the US was not a cyber-attack, it's difficult to say what's the proportional response," she said. "We don't have a lot of norms for that."
John Hultquist, the director of intelligence analysis at cybersecurity firm FireEye, said he anticipated Iran would focus its retaliation on the private sector.
"They're going to be leveraging cyber-attack and destruction as an asymmetric means of affecting the US," Hultquist said. "We don't think they have the ability yet to manipulate systems … More likely is that they're able to mass delete systems and grind everything to a halt."
An analogous event would be the WannaCry ransomware attack - attributed to North Korea - that briefly paralyzed the UK's National Health Service in May 2017.
Where and how the counterattack comes remains to be seen, but Wolff suggested that the Iranian government likely already has "footholds" in various US systems such that it could respond tomorrow if it chose to. Iran's capabilities are less sophisticated than those of China and Russia, but comparable to North Korea, she said, making it a "pretty serious adversary".
Hultquist noted: "We might have this massive advantage with a very sophisticated ability, but we also have this very sophisticated society that makes us very vulnerable to computer attacks."
Hultquist said he anticipates that Iran's counter-attack will be more focused on public disruption than financial cost. "The point of these incidents is to broadcast their resolve," he said.
Misinformation campaigns also a risk
Beyond looming cyber-attacks more overt in nature, experts also anticipate subtle misinformation campaigns from Iran. Social media giants such as Facebook and Twitter have removed thousands of accounts from Iran in recent years for spreading false propaganda.
In a transparency report released in June 2019, Twitter said it removed nearly 4,800 accounts based in Iran. More than 1,600 removed accounts had sent out nearly 2m tweets sharing "global news content, often with an angle that benefited the diplomatic and geostrategic views of the Iranian state", the report said, while others "employed a range of false personas to target conversations about political and social issues in Iran and globally".
In the hours following Suleimani's assassination, accounts tweeted false claims that a US base in Iraq was being bombed, accompanied by videos of past attacks, said Cindy Otis, a former CIA officer and fake news expert who has been monitoring the content.
"Iran is very experienced using propaganda domestically - the evolution we are seeing is that they are shifting their capabilities to deploy misinformation to foreign audiences," she said. "This only makes that evolution happen faster."
Twitter and Facebook did not immediately respond to a request for comment.
Iran is also likely to intensify its intelligence gathering efforts. In October, Microsoft revealed that it had detected efforts by government-backed Iranian hackers to infiltrate Donald Trump's re-election campaign.