Inside the Pentagon’s cyberwarfare unit, analysts have been closely monitoring internet traffic out of Iran. Six thousand miles away, Israel’s elite cyber intelligence Unit 8200 has been running war games in anticipation of Iranian strikes on Israeli computer networks.
Government and private-sector cybersecurity experts in the United States and Israel worry that President Trump’s decision to pull out of the Iran nuclear deal this week will lead to a surge in retaliatory cyberattacks from Iran.
Within 24 hours of Mr. Trump announcing on Tuesday that the United States would leave the deal, researchers at CrowdStrike, the security firm, warned customers that they had seen a “notable” shift in Iranian cyberactivity. Iranian hackers were sending emails containing malware to diplomats who work in the foreign affairs offices of United States allies and employees at telecommunications companies in an attempt to infiltrate their computer systems.
And security researchers discovered that Iranian hackers, most likely in an intelligence-gathering effort, have been quietly probing internet addresses that belong to United States military installations in Europe over the last two months. Those researchers would not publicly discuss the activity because they were still in the process of warning the targets.
Iranian hackers have in recent years demonstrated that they have an increasingly sophisticated arsenal of digital weapons. But since the nuclear deal was signed three years ago, Iran’s Middle Eastern neighbors have usually been those hackers’ targets.
Now cybersecurity experts believe that target list could quickly expand to include businesses and infrastructure in the United States. Those concerns grew more urgent Thursday after Israeli fighter jets fired on Iranian military targets in Syria, in response to what Israel said was a rocket attack launched by Iranian forces.
“Until today, Iran was constrained,” said James A. Lewis, a former government official and cybersecurity expert at the Center for Strategic and International Studies in Washington. “They weren’t going to do anything to justify breaking the deal. With the deal’s collapse, they will inevitably ask, ‘What do we have to lose?’”
Mr. Lewis’s warnings were echoed by nearly a dozen current and former American and Israeli intelligence officials and private security contractors contacted by The New York Times this week.
“With the nuclear deal ripped up, our nation and our allies should be prepared for what we’ve seen in the past,” Gen. Keith Alexander, the former director of the National Security Agency, said in an interview on Friday.
Over the years, state-backed Iranian hackers have showed both the proclivity and skill to pull off destructive cyberattacks. After the United States tightened economic sanctions against Tehran in 2012, state-supported Iranian hackers retaliated by disabling the websites of nearly every major American bank with what is known as a denial-of-service attack. The attacks prevented hundreds of thousands of customers from accessing their bank accounts.
Those assaults, on about 46 American banks, detailed in a 2016 federal indictment, were directly attributed to Iranian hackers.
Iranian hackers were also behind a digital assault on the Sands Las Vegas Corporation in 2014 that brought casino operations to a halt, wiped Sands data and replaced its websites with a photograph of Sheldon Adelson, Sands’ majority owner, with Prime Minister Benjamin Netanyahu of Israel, according to the indictment.
Security researchers believe the attacks were retaliation for public comments Mr. Adelson made in a 2013 speech, when he said that the United States should strike Iran with nuclear weapons to force Tehran to abandon its nuclear program.
But after the nuclear deal with Iran was signed three years ago, Iran’s destructive attacks on American targets cooled off. Iran’s hackers resorted to traditional cyberespionage and intellectual property theft, according to another indictment of Iranian hackers filed in March, and reserved their louder, more disruptive attacks for victims in the Middle East.
With the nuclear deal at risk, American and Israeli officials now worry Iran’s hackers could retaliate with cyberattacks of a more vicious kind. The Israeli war game sessions have included what could happen if the United States and Russia were drawn into cyberwarfare between Israel and Iran, according to a person familiar with the sessions but who was not allowed to speak about them publicly.
The United States already has a blueprint for what it might expect in Saudi Arabia, where there is growing evidence that Iranian hackers may have been responsible for a string of attacks on several Saudi petrochemical plants over the past 16 months.
The attacks crashed computers and wiped data off machines at the National Industrialization Company, one of the few privately owned Saudi petrochemical companies, and Sadara Chemical Company, a joint Saudi Aramco-Dow Chemical venture. The hackers used malware — nearly identical to the malware used in a similar 2012 Iranian assault on Aramco — that replaced data on Aramco computers with an image of a burning American flag.
Private security researchers and American officials suspect that Iranian hackers also played a role in a more serious attack at another, yet-to-be-identified Saudi petrochemical plant last August that compromised the facility’s operational safety controls. Analysts believe it was the first step in an attack designed to sabotage the firm’s operations and trigger a chemical explosion. The tools used were so sophisticated that some forensic analysts and American officials suspect Russia may have provided assistance.
The August 2017 assault in Saudi Arabia marked a dangerous escalation that put officials and critical infrastructure operators in the United States on high alert. The industrial safety controls that hackers were able to compromise in Saudi Arabia are used in tens of thousands of other installations, including nuclear plants, oil and gas pipelines and water treatment facilities across the United States.
“Iran has upped its game faster than analysts anticipated,” said Matt Olsen, the former general counsel of the National Security Agency and director of the National Counterterrorism Center. He now works closely with energy companies monitoring cyber threats as president of IronNet, a private cybersecurity company.
Mr. Olsen added that Iran “is now among our most sophisticated nation-state adversaries. We can anticipate those capabilities could well be turned against the U.S.”
American officials fear that the August 2017 attack in Saudi Arabia, which was ultimately thwarted by an error in the attackers’ computer code, was a training drill for a future attack on infrastructure or an energy company in the United States.
Similar attacks have happened before.
In 2013, Iranian hackers infiltrated computers that controlled the Bowman Avenue Dam in Rye Brook, N.Y. They managed to gain access to computers that control the dam’s water levels and flow gates, according to the 2016 indictment.
But any attempt to manipulate the dam’s locks and gates would have failed because the dam was under repair and offline. American officials believed the true target of the cyberassault was the Arthur R. Bowman Dam, a much larger dam on the Crooked River in Oregon.
The dam hack was one of about a dozen security incidents at American critical infrastructure providers, including some power grid operators, that officials in the United States attributed to Iranian hackers.
The 2016 indictments named individual Iranian hackers, but there have not been any arrests. Officials believe there is little deterrent to stop the hackers from trying again, especially with the United States leaving the nuclear deal and American businesses, including those in the financial services and the energy sectors, likely to bear the brunt of any attacks.
“Given the history of Iranian cyberactivity in response to geopolitical issues, the American energy sector has every reason to expect some type of response from Iran,” Mr. Olsen said.
General Alexander, who now serves as chief executive of IronNet, also warned that although the United States has some of the most sophisticated offensive cyber capabilities in the world, the country is at a tremendous disadvantage when it comes to playing defense.
“We’re probably one of the most automated technology countries in the world,” he said. “We are an innovation nation and our technology is at the forefront of that innovation. We could have a very good offense, but so do they. And unfortunately, we have more to lose.”