What types of companies could be targeted by Iranian cyberattack?

'They like to go after financial services. They like to go after energy services'

U.S. industries across the private and public sectors may be at risk of an Iranian cyberattack, but the country's intentions will determine who they target.

Cybersecurity experts and politicians are warning of a potential Iranian cyberattack against the U.S. since President Trump issued orders to kill Iranian Revolutionary Guard General Qasem Soleimani on Jan. 3.

A cyberattack is more likely than a missile or other military-style attack, experts say, because it is not only more cost-effective but also a strategic decision to avoid the kind of harmful response that an Iranian missile strike against the U.S., for example, would create. Sen. Mike Rounds (R-S.D.) told FOX Business' Stuart Varney that the U.S. is prepared for such an attack.

"We have been preparing for Iranian activity in cyberspace for a long time," Rounds said on "Varney & Co." "They like to go after financial services. They like to go after energy services and so forth, but we do have on the other side not only strong defensive capabilities, we have very strong offensive capabilities as well."


The energy and tech industries -- including tech giants like Apple and Google, as well as internet service providers like Verizon -- are two obvious targets that come to mind, according to analysts. Whatever victims Iran chooses to attack, however, will depend on whether the country is just trying to send a retaliatory message or inflict categorical damage, Heritage Foundation lead cyber analyst Klon Kitchen told FOX Business.

People walk by the Google office building on Ninth Avenue in New York. (AP Photo/Mark Lennihan, File)

"If Iran were to choose cyber means to respond to Soleimani, the needle they are going to want to thread is to respond in a way that maintains credibility" while also not making things worse for Iran in anticipation of a U.S. response, Kitchen said.

"They don't want to do something that will get missile response. They don’t want something that will escalate full military conflict. They want to make a demonstration that shows they have this kind of [cyber] capability."

Cybersecurity expert and CEO of software security company SAP National Security Services (SAP NS2) Mark Testoni said that if "Iran does launch cyberattacks, it will be based upon motivations. Historically, Iran has used DDS against financial services institutions and targeted individuals who have criticized the country. If they choose to make a statement, they may set their sights on a company or agency with many customers or constituents. The motivation here is to undermine public and consumer trust in these institutions."


If the country wants to go further by disrupting critical infrastructure, it will target the government, utilities, financial services and health care, Testoni said.

"Whatever they do will lay into the geopolitics of what is going on currently. My sense is that they do not want to lose this high ground from a PR perspective that they've created," Testoni added, pointing to the thousands of protesters who attended a funeral procession for Soleimani over the weekend during which a stampede killed at least 56 people and injured more than 200.

In this aerial photo released by an official website of the office of the Iranian supreme leader, mourners attend a funeral ceremony for Iranian Gen. Qassem Soleimani. (Office of the Iranian Supreme Leader via AP)

While Kara Frederick, technology and national security fellow at the Center for a New American Security, agreed with Testoni that Iran wants to make a display of its response to the U.S., she added that a cyberattack may not be as likely a response to U.S. aggression as some experts believe. Iran might be looking to respond in a "splashy" or kinetic way because a cyber attack might go relatively unnoticed that some other response, she said.

"Fundamentally, Iran is going to try to harness the asymmetry that the cyberworld offers," she said. "I don't think they are going to exclusively conduct a cyberattack. I think they want to respond in a more public way after Soleimani's death. They're going to look for something symbolic."

There are three main types of cyberattack routes that Iranians could use to attack the U.S. First, the country could conduct a ransomware attack, which locks everything in a device and tells the user to pay a ransom (usually in Bitcoin). This type of attack is usually done through phishing to wreak havoc and steal financial information.

"It's unlikely [Iran] will do a ransomware attack," Kitchen said. "They don't need that kind of money. I think they would be much more inclined to simply destroy that information."

This would be done through a "wiperware" attack, which destroys everything on a device and sometimes destroys the hardware on a machine. Or, such an outcome could be achieved through a "notpetya" attack, which looks like a ransomware attack but acts like a wiperware attack, Kitchen said.

Even though the chances of an Iranian cyberattack on the U.S. are higher now, Frederick said Iran is more likely to conduct probing attacks, which are instances in which Iranian hackers will "probe the system of a target but don’t necessarily pull the trigger." Those attacks would be a signal that they have capabilities to attack a system without actually attacking.

"It's a display of power," she said, adding that is such attacks take place, critical infrastructure, as well as commercial, private sector and financial targets "are fair game."

Kitchen warned that global norms have yet to be set for cyberattacks since it is such a new and developing form of offense.

"There's a massive risk of strategic miscalculation" for the kind of damage Iran could cause in the U.S., which could also initiate a "larger response from the U.S. than Iran intended to provoke," he said.

Companies' preparedness for a cyberattack will largely depend on what they have already done to secure their networks up until this point.

Mourners attend a funeral ceremony for Iranian Gen. Qassem Soleimani and his comrades, who were killed in Iraq in a U.S. drone strike on Friday, at the Enqelab-e-Eslami (Islamic Revolution) square. (AP Photo/Ebrahim Noroozi)

"Much of this will have already been decided previously," Kitchen said. "General cybersecurity posture will determine U.S. companies' ability to fight off Iranian interference. Boning up on Iranian cyber TTPs [tactics, techniques and procedures], knowing networks are patched and updated and doing real-time and active monitoring for ATPs [advanced technology programs]" will help to strengthen cybersecurity.

He added that companies must also make sure they have open lines of communication with the federal government and are able to share information so others know what to look for.


Testoni said companies can make sure they have installed "the latest technical solutions, standard firewalling and analytics capabilities" to fight against cyberthreats. He added that making sure a system is patched -- or, in other words, making sure a user's computer system and programs like Microsoft Word and Chrome have been updated -- will help block threats.

"In the last years, we've become cyber tired," Testoni said. "Things appear on and off the news relatively quickly. This is the first time this issue has been brought up to the surface in a long time. ... Now, we’ve got a state actor and a brewing situation. I'm glad there's an awareness because we need to educate people and be better prepared about cyberattacks."

Frederick, who previously worked at Facebook, also brought up the point of pro-Iranian propaganda being another form of Iranian efforts to infiltrate the U.S. through social media.

"The influence-operation component of Iranian cyber capability is a crucial aspect to consider," she said. "A lot of these tactics are used to push pro-Iranian ideology. ... This is a way they project power in the world and in the digital environment."

Frederick said individuals should look out for spearphishing as the most frequent way hackers gain access to personal devices and accounts and be aware of the current threat of cyberattacks.

Companies, she said, should invest in cybersecurity as something "central to [their] due diligence and risk management," adding that more businesses should take advantage of cybersecurity tools that the federal government provides to keep systems secure.


This story has been updated to include comments from Kara Frederick, a technology and national security fellow at the Center for a New American Security.