Iranian hackers are likely planning social engineering and phishing efforts as retaliation for the U.S. military's killing of Iranian military chief Qasem Soleimani, according to security experts in government and the private sector. But the flurry of website defacements and social media rancor over the weekend are unlikely to be important, and might not have originated from Iran at all.
On Saturday and Sunday, several websites across the globe were hit with cyberattacks that defaced them with images and slogans supportive of Soleimani. The hacked websites displayed images of a fist-punching Trump among other anti-American rhetoric. Victims included the U.S. Federal Depository Library Program and the Commercial Bank of Sierra Leone. Through a statement, the Department of Homeland Security expressed doubt these attacks were state-sponsored.
One intelligence official from the Treasury Department, who wished to remain anonymous because he is not authorized to speak to media, said the organization was not concerned with scattered online defacements, which cause little real damage and are difficult to attribute
On the contrary, he said, Treasury and other government agencies are more concerned about a heightened risk of social engineering attacks from across the Shiite world, well beyond Iran, and the possibility that other hostile nations -- like Russia or China -- may take advantage of the chaos to launch their own attacks.
Along those lines, sources from federal, state and local agencies -- including the cities of New York, Los Angeles and Houston; power authorities PSE&G in New Jersey and ConEd in New York; and the U.S. Treasury Department -- told CNBC they are warning employees to be particularly wary of unexpected or suspicious emails, phone calls, text messages or other digital contacts that may serve as an entry point for attacks, more typical of the Iranian strategy.
Experts are particularly concerned with the enormous emotional outpouring from across the Shiite Islam world, which could drive a variety of hacker collectives into action. These could include groups sponsored by Hezbollah in Lebanon and pro-government forces in Syria, as well as other sympathizers with Iran's plight. Russia has also assisted Iran in hacking efforts, and used the country as a cover to conduct its own espionage operations.
"We watched the funeral march closely, in the sense that that's a lot of emotion, that when harnessed alongside a pretty substantial cyber capability, is going to represent longer term fallout than just a few small site takedowns," the Treasury official said.
He said that experts are more concerned about a possible flurry of social engineering attempts, aimed at compromising the credentials of employees in these agencies. Social engineering typically involves gathering information about a target -- such as what he does for a living, or who her employees are -- and using that information against the individual. Often this takes the form of a phishing email, which uses the personal details to convince the recipient to click on a malicious link, thus giving the sender access to the victim's files or other information.
These compromised accounts can be used in a more damaging attack at a later time, which is why many agencies are warning employees to be increasingly vigilant about email security now.
"Homegrown violent extremists could capitalize on the heightened tensions to launch individual attacks," DHS warned in a January 4 terrorism advisory. "Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States. Be prepared for cyber disruptions, suspicious emails, and network delays."
Iran's small size and the fact that it's been relatively isolated from the import-export market has served as an advantage to the country's cyber capabilities. Practical engineering skills, to build original appliances, applications and technology in lieu of importing this tech, have been coveted for decades in Iran.
Iran also has the advantages of operating with relative ease and autonomy in launching cyberattacks, including destructive attacks, without as much incentive to cover their tracks, said Darren Van Booven, lead principal consultant at cybersecurity company Trustwave.
"In the past, whether it be contractors or other hired guns, those who conduct these types of attacks at the government direction are much less likely to experience any consequences. We can't really get into Iran to prosecute. It allows them to operate with more freedom and try different types of attacks," Van Booven said, "They're not terribly shy in terms of hiding themselves. Based on what I've seen, we haven't seen anything just yet. Actual retaliation, it's currently being thought through right now by them."