Most organizations have knee-jerk responses to the sanctions, treating them as an immediate trigger for Iranian cyber attacks against the US. This is not unusual for such organizations, as it helps sell product and is based solely on a limited understanding of the area and a focus on so-called ‘threat intelligence.’ A much larger geopolitical view is required. This is a standard response, one based not on evidence or fact but on emotional reactions to a US-initiated action. Iran has been targeting the United States since approximately 2002, with the formalization of certain digital security and hacking groups in Iran. Any Iranian attacks against the US would lead to exponentially more lethal attacks against Iranian targets by the US. Iran will most likely focus its efforts on suppressing any internal dissent, squashing any visible means of internal turmoil while censoring the ability of Iranian citizens to openly express their contrary viewpoints via the Internet.
Treadstone 71 does not believe any attacks on US soil, i.e., against critical infrastructures in the US, would be productive for Iran at this time. We may see continued probes, scans, and methods of enumeration against these sites, but direct attacks are not likely unless they are retaliatory (based upon US actions other than sanctions). We may see increased cyber actions against US military capabilities in the Persian Gulf as methods of testing relative to war games in and around the Straits of Hormuz. With economic unrest and visibly upset people in Iran, Iran has more internal troubles and will likely focus its efforts there. We do not believe we will see any immediate, state-sponsored attacks against the US from Iran as a result of the sanctions at this time. This could shift, and increased vigilance is still warranted.
Our previous statement from May still holds:
With more control over Iranian hackers now than in the past, Rouhani may exhibit restraint, thereby not playing into the hands of US hawk ‘I told you so’ pundits. Any hacks of substance coming from Iran at this time would be directed by the government, but it is unlikely we will see an immediate uptick in activity based upon the already expected response from the current US Administration. Rouhani still has the ability to work with China, Russia, and the EU over the existing agreement. If anything, this places the US further on the outside of global activities, creating another vacuum where we once stood. Any overt and targeted Iranian hacking against the US at this time would be counterproductive to their aims.
Furthermore, it is possible that Rouhani detractors inside Iran could execute targeted attacks against the US as a method to discredit his administration while supporting the view from US hawks. Hardliners in Iran are not satisfied with the agreement and may do more beyond hacking to discredit Rouhani with remaining agreement members.
Additionally, adversaries of Iran could execute cyber false flag operations to make attacks look as if they originated from Iran in order to discredit the Iranian leadership as a pretext for increased sanctions and cyber actions.
Regardless, we should expect increases in reconnaissance, phishing, and social engineering actions in preparation for much larger actions. Monitoring of this activity, the locations from which it occurs, and any changes in adversary and payload speed, targeting, and maliciousness should be increased in standard surveillance and warning actions. An increase in the ‘cyber defcon,’ at least for vigilance, is warranted.