Feds expect Iran’s cyber forces will target US networks after strikes on nuclear sites
Bojanikus/Getty Images
Iran has often targeted U.S. digital systems. Last year, Iranian hackers pilfered and distributed sensitive documents from inside President Donald Trump’s 2024 campaign.
Iran-linked hackers and other groups affiliated with Tehran will likely launch cyberattacks against U.S. targets in response to President Donald Trump’s order to strike three of Iran’s nuclear sites, according to a Department of Homeland Security bulletin issued Sunday.
“Low-level cyber attacks against U.S. networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against U.S. networks,” said the alert from the National Terrorism Advisory System.
The notice, scheduled to expire Sept. 22, adds that “hacktivists and Iranian government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive cyber attacks.”
Under orders from Trump, U.S. bombers struck the Fordow, Natanz and Isfahan nuclear facilities in Iran on Saturday night, escalating a yearslong tension between the two nations that occurred amid back and forth talks seeking to deter Tehran from acquiring a nuclear weapon. Just over a week ago, Israel launched its own incursion against Iranian military officials and scientists, on grounds that Iran was closer than ever before to having nuclear weapon capabilities.
The aim of the strikes was to destroy “Iran’s nuclear enrichment capacity” and eliminate “the nuclear threat posed by the world’s No. 1 state sponsor of terror,” Trump said Saturday night. “The strikes were a spectacular military success.”
The NTAS bulletin reflects years of observed Iranian cyberattacks targeting U.S. systems. Iran’s Islamic Revolutionary Guard Corps’s Cyber-Electronic Command and the affiliated “Cyber Av3ngers” gang were found to have breached U.S. water infrastructure in late 2023 in response to Israel’s war against Hamas.
During the 2024 election cycle, the FBI, the Office of the Director of National Intelligence and the Cybersecurity and Infrastructure Security Agency concluded that Iran stole sensitive documents from the Trump campaign and floated them to the media with the hope that they’d be published online.
Iranian hackers tend to launch distributed denial of service attacks — designed to overwhelm a webpage with bot traffic until the page crashes — against aerospace, oil, gas and telecommunications entities, Brian Harrell, a former DHS assistant secretary who served in Trump’s first term, said in a statement to Nextgov/FCW.
An Iranian hacker group on Sunday claimed responsibility for temporarily shuttering Truth Social, Trump’s signature social media platform. The denial of service attack occurred just after Trump announced the strikes on the nuclear targets.
“Iran’s cyber strategy is likely [in] cooperation with Russia, which given current tensions, could be a real possibility. Iranian capabilities have certainly increased since the ‘Shamoon’ attacks used against oil companies back in the day,” added Harrell, referring to the 2012 virus that crippled some 30,000 computers at major energy providers.
Iranian spin doctors have been found using artificial intelligence tools to spread disinformation in the U.S. and other nations. An OpenAI blog published last summer disclosed a covert campaign involving fake news websites aimed at influencing American voters, though, according to the company, the effort failed to gain significant engagement.
On Friday, the Foundation for Defense of Democracies, a D.C.-based national security think tank, uncovered an Iranian network built to help scammers impersonate Israelis on social media and post demoralizing messages in Hebrew.
“Iran has several highly-capable teams for offensive cyber operations. U.S.-based organizations should maintain vigilance and accelerate their defensive operational tempos in anticipation of retaliation,” said an industry executive with knowledge of Iranian cyber capabilities, who was granted anonymity because they were not authorized to speak publicly.
The Sunday bulletin also warned of potential physical threats inside the U.S. originating from foreign terrorist organizations or extremist groups, including calls for retaliatory violence and the targeting of people critical of Iran’s central government.
“The conflict could also motivate violent extremists and hate crime perpetrators seeking to attack targets perceived to be Jewish, pro-Israel or linked to the US government or military in the homeland,” it adds.
A pro-Israel hacking group said Wednesday it drained over $90 million from Iran’s largest crypto exchange, Nobitex, in the latest breach of the country’s financial networks. The group, known as Predatory Sparrow, also claimed responsibility for an earlier attack on Bank Sepah.
Editor's note: This article has been updated to include mention of an Iranian-aligned hacktivist group's claim that it temporarily knocked the Truth Social platform offline.