TOKYO -- International companies risk suffering collateral damage in a cyberwar between the U.S. and Iran, even if the American assassination of Iran's top general does not lead to an all-out military conflict, experts have warned.
Although both sides have backed away for now from further military action, cryptocurrency exchanges, financial infrastructure and the supply chains of American and Saudi Arabian companies are all potential targets for Iranian-backed hackers wanting to skirt U.S. sanctions and disrupt corporate and government networks.
"The Iranians have shown since 2012 that they are able to target very high value targets with disruptive cyberattacks," said Greg Austin, head of the Cyber, Space and Future Conflict Program at the International Institute for Security Studies in Singapore. "The confrontation that was already alive and escalating between the U.S. and Iran in cyberspace I think has now become a lot hotter."
Iran's most powerful security and intelligence commander, the slain General Qassem Soleimani, oversaw Iran's intelligence services and the Islamic Revolutionary Guard Corps as they developed sophisticated cyberwarfare capabilities, cultivating independent groups of hackers capable of disrupting foreign governments, companies and infrastructure.
Iranian hackers have been implicated in attacks on private sector targets on numerous occasions over the past decade.
In 2012, a group calling themselves Cutting Sword of Justice claimed responsibility for a cyberattack on the Saudi Arabian state oil company Saudi Aramco, which took out 30,000 computer workstations.
Saudi Aramco staff were forced to go back to using typewriters and fax machines for almost a week, and the company's mass purchase of replacement hard drives reportedly pushed up personal computer prices.
Months after casino magnate and prominent Israel-backer Sheldon Adelson publicly suggested in 2013 that the U.S. should intimidate Iran by detonating a nuclear weapon in the desert, a malware attack on his Las Vegas Sands casino wiped out two-thirds of its servers and caused tens of millions of dollars in damage.
The U.S. government claims that both attacks were the work of Iranian hackers.
Iranian groups have also been implicated in dozens of other incidents, including denial of service attacks on American banks including Wells Fargo and Bank of America, data theft from universities across the world, and the infiltration of telecommunications networks in Pakistan, Iraq and Tajikistan.
"Coming directly at a U.S. government agency is getting tougher and tougher by the day. So they're going to look to go after proxies. Supply chains, third party vendors," said Jim Rouse, vice-president of cyber operations at Singapore-based cybersecurity company Horangi.
"And the same thing with [U.S.] allies," said Rouse. "Whether that's Iraq, or the U.K. government, or even the Japanese government, they will try to leverage those opportunities to try to find weak links in the chain."
Japan hosts U.S. military personnel, and Japan's Maritime Self-Defense Force ships are currently en route to the Middle East, after a Japanese-operated oil tanker was damaged by a mine in the Strait of Hormuz.
Experts and investigators who spoke to the Nikkei Asian Review identified numerous potential weak spots likely to be targeted by Iranian groups, including business process outsourcing and remote tech support companies that have direct access to major U.S. businesses, logistics and service providers for U.S. military bases in Asia, and even the supply chains of American technology companies.
Joint ventures with Saudi Arabian or Israeli companies, and Asian energy companies with Middle Eastern operations, could also be at risk.
Cryptocurrency exchanges are another attractive target for state-backed hackers from countries crippled by U.S. sanctions, such as Iran and North Korea, as they offer quick access to untraceable financing.
Hundreds of millions of dollars have been stolen from crypto exchanges over the past two years, including nearly $500 million from the Tokyo-based Coincheck exchange in 2018 by unknown attackers.
"I think cryptocurrency exchanges around the world are going to see an uptick in [attacks] in an attempt to get around an increase in sanctions," Rouse said.
Moreover, companies do not have to be directly targeted to be at risk of becoming embroiled in a cyber-conflict.
In 2017, a Russian group released a cyberweapon, NotPetya, in an attempt to cripple Ukraine's government agencies and private sector.
Within days the malware had spread around the world, sparking chaos at multinational companies including shipping giant Maersk, Merck Pharmaceuticals and consumer goods company Mondelez.
"It was a targeted attack on state actors that targeted Ukraine. It came down through a Ukrainian accounting software," said John Hultquist, an espionage expert at cybersecurity company FireEye iSIGHT. "The problem was that a lot of major multinationals do business in Ukraine and have that software. The result was that a lot of multinationals . . . found themselves in the crosshairs."
According to Hultquist, Iranian groups have been very active in targeting providers of industrial process control software over the past six months. If a NotPetya-style event were to happen in that sector, the collateral damage could be severe.
"It's just super-important, because they could carry out the same sort of scenario that the Russians did with NotPetya, but in this case, the users are pretty much critical infrastructure," he said.
Another concern is that groups sponsored by the Iranian government could develop cyber-weapons that will find their way onto the black market.
"The [affiliates] are going to develop offensive hacking tools to support their operations with Iran, and then they'll use those to make money in any other way," said Horangi CTO Lee Sult. "When state-sponsored tools become available to the public, you see those become rampant and in the wild."
Even though companies in the Asia-Pacific region have experienced years of growing cyber-threats, many experts believe that few are really prepared for a concerted attack.
"The level of cybersecurity that a corporation has to deliver to defend against a determined state actor is almost unachievable by even the wealthiest corporations," the IISS' Austin said. "If the Iranian government was determined to find a victim, it would find one within the space of a week."