Trump Decertifying the Iran Deal Could Have Unseen Cyberattack Consequences

On Friday, President Trump announced that he will not certify Iran’s cooperation with the 2015 nuclear agreement negotiated by the Obama Administration. The move doesn’t eliminate or rework the deal, possibilities its proponents feared given Trump’s longstanding criticism of the agreement. But it does kick the accord to Congress for reconsideration.

There, lawmakers could leave the agreement the same, impose tweaks, or go all the way to reinstating sanctions against Iran, effectively ending the deal.

The fulfillment of Iran’s nuclear ambitions remains years away even if this deal falls apart, but Trump’s actions also raise questions about whether increased tension will in turn lead to increased Iranian cyber operations. Observers say that while the current diplomatic instability likely won’t change the scope of Iran’s hacking, further decisions—particularly around sanctions—could fuel offensive plans directed at the United States.

Iranian hackers were very active against US and European organizations a few years ago, launching waves of powerful DDoS attacks against dozens of financial institutions in 2011 and 2012, and laying groundwork for possible critical infrastructure attacks, including against a dam in New York state. Though these initiatives haven’t completely abated, experts note that the country has seemingly shifted its focus in the past couple of years, turning largely to Middle Eastern targets like Saudi Arabia. Solidifying the nuclear agreement in 2015 may not have been the direct cause of the shift, or even related. But experts say it seems as though Iran has taken the last few years to centralize and organize its hacking initiatives, adding more government control and developing more sophisticated operations.

“One could argue that because we had this deal in place maybe they had some motivation to not be aggravating,” says Isaac Porche, a senior engineer and the director of the Homeland Security Operational Analysis Center at the RAND Corporation. “But their actions have already been in the US, and Iran has been implicated in attacks on other countries. So they made a decision some time ago to be active.”

And evidence indicates that Iran’s more focused government investments have paid off. Reports about an elite hacking group, called Advanced Persistent Threat 33 by the security firm FireEye, say that Iranian hackers have breached numerous aerospace, defense, and petrochemical companies around the world over the last 18 months. The group, which may have been originally founded in 2013, notably carried out recent reconnaissance and malware distribution attacks in the US, South Korea, and Saudi Arabia.