After the U.S. killed top Iranian military general Qasem Soleimani in a January 2 drone attack, the Department of Homeland Security issued a warning Saturday about the potential for retaliation by the regime. While Iran has threatened military action in response, the U.S. warns that “Iran maintains a robust cyber program and can execute cyber attacks.”
Iran is capable of temporarily disrupting critical infrastructure in the U.S., the warning says, but the Middle East power has another tool in its cyber warfare arsenal: social media disinformation campaigns. While that kind of activity is most associated with Russia, Iran has also used Facebook, Twitter, and Instagram to stoke tensions in the U.S. and around the world.
In August 2018, Twitter announced it removed 2,617 Iranian accounts that were engaging in “malicious activity.” In May 2019, Facebook revealed that it had also removed a trove of Iranian-linked Facebook accounts, pages, and groups—as well as Instagram accounts. The social network also disclosed that it had removed Iranian-linked disinformation accounts in the previous year.
Many of the removed accounts were falsely claimed to be run by people in the U.S. and Europe. In some cases, the Iranian-linked accounts impersonated “journalists or other personas and tried to contact policymakers, reporters, academics, Iranian dissidents and other public figures,” writes Nathaniel Gleicher, head of cybersecurity policy at Facebook.
Zack Allen, director of threat operations at ZeroFOX, says many of the accounts appear to have focused on influencing U.S.-Iranian relations. They also spread messages favorable to Iran’s regime.
Some of the removed Iranian-linked pages had names such as “No racism no war,” “Wake Up America,” and “I Need Justice Now.”
Facebook and Twitter say the “coordinated inauthentic behavior” came from within Iran, but the companies stopped short of blaming the country’s government.
“Since Iran is in the limelight right now [after the death of Soleimani], it is relatively safe to assume that they can ramp up efforts,” Allen tells Fortune. “They definitely want to shape public image of their country, and will likely desire to do so to seem strong.”
Iran’s past social media disinformation campaigns followed a familiar playbook.
“Many of these accounts replied directly to influencers on social networks, so monitoring for suspicious behavior or chatter against accounts, especially in media, will be an important security tool for organizations going forward,” Allen says.
Iran’s efforts—especially in a social media presidency where Donald Trump has been tricked into retweeting troublesome Twitter accounts to his more than 69 million followers more than once—could make an impact.
Inside Iran’s cyber playbook
According to DHS, Iran is “capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the U.S.”
“It’s clear that data-destroying attacks against corporations are within their capability,” Chris Wysopal, chief technology officer and co-founder of Veracode, tells Fortune. “I would expect the soft targets of U.S. cities and hospitals which are in the midst of a ransomware epidemic to be the easiest targets, but larger corporations are at risk too.”
Sheldon Adelson, a prominent supporter of Israel, knows first-hand how damaging Iranian hackers can be. After the casino magnate made a comment on a panel in 2013 that the U.S. could send a message to Iran about its nuclear ambitions, Iran made him pay for it—literally.
In February 2014, hackers inserted malware into the computer networks at Las Vegas Sands and leaked customer data. The casino company spent $40 million recovering data and rebuilding its infrastructure.
But since the Soleimani drone strike, Iran’s hackers have been quiet—relatively speaking. Last weekend, a group of hackers claiming to be from Iran posted a cartoon of a bloodied Donald Trump, along with a pro-Iranian message about the death of commander Soleimani, on a U.S. government website. While the hack hasn’t been confirmed as actually coming from Iran, security experts say it’s just one example of what may be to come—one small example, at that.