Hackers looking to breach US computer networks sharply intensified their efforts following the death of Iranian military leader Qasem Soleimani, but have had limited success, according to internet security researchers and state government officials.
Soon after the strike that killed Soleimani, Iran-based attempts to hack federal, state and local government websites jumped 50% — and then continued to accelerate, said network security company Cloudflare.
Over the course of 48 hours, attacks traced to Iranian IP addresses nearly tripled against targets around the world, Cloudflare said, peaking at half a billion attempts per day.
Cloudflare CEO Matthew Prince called the increase “statistically significant” in an interview with CNN. He added that the true number of attempts was likely higher, given that the company has a limited view of the wider internet.
“That would be very atypical to happen on its own,” Prince said of the spike. “That, I think, you can safely correlate directly to the death of the Iranian general.”
Even as malicious activity increased from within Iran, attacks originating from other countries also grew, Prince said. That could indicate sophisticated Iranian attackers masking their locations, said Prince, or it could suggest that non-Iranian hackers are taking advantage of a chaotic situation.
Some of the increase in activity reflects so-called “denial of service” attacks, according to Cloudflare — efforts to shut down a site by overwhelming it with bogus traffic. But much of the spike came in the form of network probes, or hackers sniffing a target to assess its vulnerabilities.
Texas officials said Tuesday that the state’s computer systems were being scanned as often as 10,000 times per minute.
“We absolutely saw an increase in activity that needed to be blocked from Iran,” said Amanda Crawford, executive director of the Texas Department of Information Resources, in an interview with CNN.
Separately, websites belonging to the Texas Department of Agriculture and an Alabama veterans’ group were defaced this week with an image of Soleimani. The image was accompanied by a message: “Hacked by Iranian hacker.”
Over the weekend, a website belonging to the Government Publishing Office was also defaced with an image of President Donald Trump, edited to appear bloody after being punched by a disembodied fist.
Authorities are investigating the Texas Agriculture Department case, according to Maddison Jaureguito, a spokesperson for the department. Cybersecurity experts described the defacements as the work of amateurs.
“Cheesy, low budget images are a hallmark of Iranian propaganda,” said James Lewis, a senior vice president at the Center for Strategic and International Studies, a think tank. “Probably ‘patriotic hackers’ going after the only vulnerable .gov site they could find. Definitely not the A team.”
US officials have advised businesses and infrastructure operators to maintain a high alert as tensions with Iran continue. The Department of Homeland Security has issued numerous warnings, and on Saturday it updated the nation’s terror advisory system with a bulletin addressing the risk of Iranian cyberattacks.
Agency officials briefed members of Congress on Tuesday evening about Iran’s cyber capabilities and the potential vulnerabilities of American targets.
Connecticut Democratic Sen. Richard Blumenthal was among those who received the classified briefing. In an interview, Blumenthal told CNN that he left the meeting with strong concerns about ransomware — malicious software that takes computers hostage and prevents legitimate users from unlocking them.
Experts say Iran has steadily improved its capabilities in cyberspace. The country is considered a second-tier digital threat after more powerful countries such as Russia and China — still dangerous enough to be able to cause significant localized damage.
Iran in the past has been accused of shutting down bank websites and erasing data on computers belonging to the oil giant Saudi Aramco.