The preliminary U.S.-Iran agreement reached over the weekend likely won’t stop cyber operations that Tehran and Iran-aligned hacking groups launch against American systems, five current and two former U.S. officials told Nextgov/FCW.
Most of them were granted anonymity because they were not authorized to publicly discuss forward-looking perspectives of Iranian cyber activity after the agreement.
Cyber conflict is “definitely part of warfare that keeps going” and is pretty “accepted” as an “ongoing normal course of business,” one of the officials said, adding that cyber activity may decelerate, but that it “definitely won’t stop.”
There is “no chance” Iran and any affiliated parties would cease or slow down in cyberspace, a second official opined.
Hacking activity could decrease temporarily, said one of the former officials, but if pro-Iran hacking collectives don’t like any finalized resolution, they may conduct cyberattacks to express their issues, as Iran’s central government doesn’t always have the best control of these groups.
“There has always been anti-U.S. activity” from such “hacktivist” groups that align with Iran but aren’t backed by the regime directly, this former official added.
Their outlook aligns with past conclusions that cyber operations continue regardless of the status of a given conflict and that U.S. cyber teams have remained on alert for Iranian-linked activity against American networks as Washington pursues a diplomatic solution with Tehran.
Since the war broke out Feb. 28, experts expected the conflict would greatly test U.S. cyber defenses. What followed was a series of apparent Iran-linked cyber incidents, including an attack on medical technology giant Stryker, the targeting of FBI Director Kash Patel’s personal email account and various warnings from federal agencies about cyber intrusions on U.S. critical infrastructure.
On June 11, the California Water Service said it was investigating claims that Iranian hackers breached its systems. An assessment from Dataminr concluded that the group may have reached a customer billing database belonging to the utility. Nextgov/FCW also obtained a screenshot that appeared to show a customer billing account receipt accessed by the hackers.
A spokesperson said Tuesday that there are “no known operational disruptions” to water, wastewater and billing systems, and that it was working with state and federal government officials in its investigation.
The preliminary U.S.-Iran memorandum reached Sunday aims to halt nearly four months of fighting and set up a formal signing in Geneva later this week. But the agreement leaves major disputes unresolved, including regional flashpoints involving Israel and Hezbollah. It also appears to leave out mentions of cyber.
“The Iranians have targeted U.S. assets with malicious cyber activity for the last 15 years with espionage and some prepositioning for disruptive attacks,” said Meredith Burkart, the FBI’s former chief of cyber policy. “Unless there has been a material change in their cyber workforce, or a cyber specific component of the deal was reached, I would expect such targeting to continue.”
“I don’t know if these deals really ever include minimizing cyber activity,” another one of the current officials told Nextgov/FCW. Certain targets may be deemed off limits, “but we’ve always seen activity” continue in the digital space, added the official.
The deal also remains fragile, even on its central nuclear terms. CIA Director John Ratcliffe and others raised concerns about Iran’s willingness to make the nuclear concessions Washington wants in a final agreement, Axios reported Tuesday.
Tehran’s hackers have grown more organized, more coordinated and more willing to use artificial intelligence for influence operations in recent months — and have demonstrated many of those capabilities since the war with Iran began, Israel’s top cyberdefense official told Nextgov/FCW last month.
The U.S. intelligence community assessed this year that Iran and affiliated proxy groups remain a persistent cyber threat to American networks and critical infrastructure, and they intend to target the U.S. and its allies.