
How Big a Threat Are Iranian-Backed Cyber Attacks?


On April 7th, when the Cybersecurity and Infrastructure Security Agency (CISA) issued a warning that cyber actors affiliated with the Iranian regime had gained access to internet-connected programmable logic controllers (P.L.C.s), small computers used by myriad American critical-infrastructure sectors—including municipal energy, water, and wastewater agencies—to automate their systems, Operation Epic Fury was in its thirty-eighth day. April 7th was also the day that President Donald Trump declared both a “total and complete victory” over Iran and a fragile two-week ceasefire while negotiators attempted to hammer out a peace plan. The CISA advisory, which noted that the Iranian-linked cyber actors were “conducting this activity to cause disruptive effects within the United States,” was a blunt reminder that, in the digital age, the battlefield has expanded to encompass the geography of everyday life.

Conventional warfare, in which bombs are dropped, shipping channels are mined, and the Geneva Conventions apply more broadly, tends to be time-limited (even if the conflict endures for a long period of time). Nation-state hacking, in contrast, is a constant feature of geopolitics. The Iranians have been knocking around in the United States’ critical infrastructure for years. In 2013, according to the Department of Justice, a hacker affiliated with the Islamic Revolutionary Guard Corps infiltrated the control system of a dam in New York State. Ten years later, Iranian-backed hackers breached the Aliquippa, Pennsylvania, water system and gained access to the P.L.C. that controlled water pressure. (The intrusion set off an alarm, alerting workers who were able to switch to a manual system.) As Jake Braun, the executive director of the University of Chicago’s Cyber Policy Initiative, wrote recently in the Washington Post, water systems are especially vulnerable because they often lack basic cybersecurity protection.

Still, why would a government more than six thousand miles away from a suburban Pennsylvania town that has fewer than ten thousand inhabitants be poking around in a distant municipal water system? The easy answer: because it could. Small municipalities typically have neither the expertise nor the funds to adequately secure their infrastructure, leaving them open to intrusion. This enables adversaries to enter such systems to learn how they work; consider it a kind of field trip. Then, once an intrusion is discovered—perhaps by design—it generates fear beyond the borders of a small town, sending the message that an attack could happen at scale somewhere else. One need only look at what happened in the winter of 2015, when Russia-linked hackers launched a successful attack on a power grid in Ukraine, to glimpse what might happen if an adversary with access to the grid that powers, say, New York City, were to attack it. Anything that required power would go dark: homes, stores, cash machines, elevators, water pumps, traffic lights, heat.

To be clear, in this country, this is still the stuff of B-list thrillers. As Alex K. Jones, who chairs the department of electrical engineering and computer science at Syracuse University, told me, the Iranians have not unleashed what he called a Hollywood-style attack because it’s unlikely that they have the capacity to do so. (Another possible explanation is that launching a cyberattack on a major U.S. city would be an act of war that could invite an unprecedented response.) Even so, a major attack is not necessary to inflict pain. The intrusions into the industrial P.L.C.s described in the CISA advisory resulted in business disruptions and financial losses. And they were only some of scores of hacks that, according to a number of cybersecurity firms, have been carried out both in the lead-up to the conflict and during it. These have included distributed denial-of-service attacks, in which hackers direct a network of compromised machines, spread across a vast number of I.P. addresses, to flood a server with traffic until the websites of companies, government agencies, and the military become unreachable, causing chaos, friction, and loss of services; and at least one hack in which a health-care organization had its data held hostage for ransom. “We don’t live in a world where there is not going to be an impact on U.S. citizens at home,” James Turgal, a retired executive assistant director to the F.B.I. who is now the vice-president of Optiv, a cybersecurity consultancy based in Denver, told me. “From a cyber perspective, we’re very early on.”

In fact, weeks before the first Israeli and U.S. bombs were dropped on Iran, “threat hunter” researchers from Symantec and Carbon Black, two cybersecurity firms that are part of Broadcom, reported that the hacking group Seedworm had infiltrated the networks of an American airport, a bank, and a U.S. software company that does business in Israel as a defense and aerospace contractor. The researchers wrote that, because Seedworm already had “a presence on U.S. and Israeli networks prior to the current hostilities,” the group was in “a potentially dangerous position to launch attacks. While we have disrupted these breaches, other organizations could still be vulnerable to attack.” A bomb detonates once, but an unpatched vulnerability, or a foothold that an intruder has already established, remains available to malicious actors for as long as it goes unaddressed.

Seedworm, which also goes by the names MuddyWater, Static Kitten, and Mango Sandstorm, among others, is, according to the F.B.I. and CISA, a front for the Iranian Ministry of Intelligence and Security (MOIS). Employing such proxies is a common feature of state-sponsored hacking: these groups obscure a regime’s involvement and offer plausible deniability. To actually track “some guy on a keyboard in Tehran, at a particular I.P. address, at a particular moment, is very difficult,” Turgal explained, which then makes attribution challenging and retaliation tricky.

On March 11th, twelve days into Operation Epic Fury, the Handala Hack Team, which, according to the Justice Department, is another MOIS front group, allegedly unleashed a “wiperware” attack on Stryker, a Michigan-based global medical-technology company, causing disruption on thousands of devices worldwide. A post on X, apparently from Handala, stated, “We announce to the world that in retaliation for the brutal attack on the Minab school and in response to ongoing cyber assaults against the infrastructure of the Axis of Resistance, our major cyber operation has been executed with complete success.” Though no one was killed in the Stryker attack, some surgeries had to be postponed, implants could not be delivered to patients, and the company’s share price plummeted.

While disrupting the business of an American multinational company may seem a pallid response to the destruction of an Iranian primary school where more than a hundred children were killed, such asymmetric attacks in the physical and digital realms have been a feature of this conflict. As Israel and the U.S. were bombing Iran, Iran was not only attacking Qatar, the United Arab Emirates, Saudi Arabia, and other Arab states; it was launching cyberattacks against American allies in Europe and companies across the Middle East in an effort to pressure the American leadership to cease the attacks. Iran has also conducted drone strikes that damaged data centers in the region that are owned by Amazon Web Services, which operates the world’s largest cloud platform—high-value targets with major financial and operational ramifications. Alexander Leslie, a government-affairs senior adviser at the threat-intelligence firm Recorded Future, wrote in an e-mail that “Iran’s strength has long been persistence, coercive signaling . . . and techniques that create real disruption without needing exotic capabilities.”

If there are any takeaways from the CISA advisory, it’s that companies and municipalities must take steps to secure their systems and stay vigilant. Too bad, then, that three days before the U.S. and Israel struck Iran, the F.B.I. director, Kash Patel, fired dozens of people from the counterintelligence unit responsible for monitoring Iranian threats. (CNN reported that they were also responsible for investigating Trump’s classified-document haul.) Days later, Patel himself became a target of Handala, which leaked hundreds of private e-mails and photos from before his time at the Bureau. The F.B.I. director “will now find his name among the list of successfully hacked victims,” the group’s website proclaimed, alongside photographs of Patel smoking a cigar and taking a picture of himself holding a bottle of rum. (The Times reported that a spokesperson for the F.B.I. confirmed the attack, though the paper added that it appeared that the website was being hosted by a server in Russia.)

CISA, which operates under the auspices of the Department of Homeland Security, has also been decimated by the Trump Administration. In the first year of President Trump’s current term, around a third of the agency’s employees either left under pressure or were fired. The team responsible for testing the nation’s security defenses was among those pushed out. Trump’s 2027 budget, released a few days before CISA issued its current advisory, proposes to cut more than seven hundred million dollars from the agency; among other things, the budget eliminates its election-security program. (In 2024, the Iranians are thought to have targeted the campaigns of both Trump and Kamala Harris.) “Cutting its budget by $707 million, on top of what’s already been cut, is a gift to every nation-state actor that’s been quietly targeting U.S. critical infrastructure,” Seemant Sehgal, the founder and C.E.O. of BreachLock, a cyber-defense company based in New York City, told the website Nextgov.

The bombing in Iran has been paused, at least for now, but Leslie told me, “The ceasefire does not end the cyber conflict; it changes its rhythm. On our side, the leading indicators remain the same: renewed scanning, credential attacks, and opportunistic exploitation. . . . The strategic effect Iran often seeks is not just technical disruption but also uncertainty, mistrust, and political pressure.” Or, as a post on a Handala social-media account put it, “We did not begin this war, but we will be the ones to finish it. And let it be clear: The cyber war did not begin with the military conflict, and it will not end with any military ceasefire.” ♦
