(U//FOUO) This Joint Intelligence Bulletin (JIB) is intended to assist federal, state, local, tribal, and territorial counterterrorism, cyber, and law enforcement officials, and private sector partners, to effectively deter, prevent, preempt, or respond to incidents, lethal operations, or terrorist attacks in the United States that could be conducted by or on behalf of the Government of Iran (GOI) if the GOI were to perceive actions of the United States Government (USG) as acts of war or existential threats to the Iranian regime. The GOI could act directly or enlist the cooperation of proxies and partners, such as Lebanese Hizballah. The FBI, DHS, and NCTC had assessed any kinetic retaliatory attack would first occur overseas. In the event the GOI were to determine to conduct a Homeland attack, potential targets and methods of attack in the Homeland could range from cyber operations, to targeted assassinations of individuals deemed threats to the Iranian regime, to sabotage of public or private infrastructure, including US military bases, oil and gas facilities, and public landmarks. USG actions may also provoke violent extremist supporters of the GOI to commit attacks in retribution, with little to no warning, against US-based Iranian dissidents, Jewish, Israeli, and Saudi individuals and interests, and USG personnel.
(U//FOUO) Immediate Response in Homeland Could Take Form of Cyber Operations
(U//FOUO) The FBI, DHS, and NCTC assess an immediate GOI response in the Homeland could take the form of attempted cyber operations against USG facilities and networks, including US military systems, and critical private sector functions, given that such operations could be attempted by Iran-based cyber actors without the necessity of establishing a US presence. The US Intelligence Community has assessed that Iran continues to prepare for cyber attacks against the United States and allies. It is capable of causing localized, temporary disruptive effects during a cyber attack on victim networks. Historically, Iran has shown the capability to carry out disruptive and destructive cyber attacks against public and private business networks, such as extended distributed denial-of-service (DDoS) campaigns and data deletion attacks.
(U//FOUO) Iran represents a cyber espionage and attack threat, using increasingly sophisticated cyber techniques and attempting to deploy cyber capabilities that would enable attacks against critical infrastructure in the United States. Tehran’s overall risk calculus for a cyber response likely will change based on the US strike, which Iranian leaders have vocally portrayed as escalatory, and offensive cyber operations are likely to be considered as retaliatory options. Malicious activity and reconnaissance may not necessarily occur from Iranian Internet Protocol (IP) space, as actors may use midpoint infrastructure in other countries. As such, traffic from Iranian IP addresses may not be indicative of malicious activity. The FBI, DHS, and NCTC stress good cyber hygiene such as patching systems and educating personnel to guard against commonly used cyber actor techniques such as social engineering and spear-phishing.
(U//FOUO) Potential for GOI-Directed Lethal Attacks in the Homeland
(U//FOUO) In recent years, the USG has arrested several individuals acting on behalf of either the GOI or Lebanese Hizballah who have conducted surveillance indicative of contingency planning for lethal attacks in the United States against facilities and individuals.
» (U//FOUO) An agent of the GOI arrested in 2018 had conducted surveillance of Hillel CenterUSPER and Rohr Chabad CenterUSPER, Jewish institutions located in Chicago, including photographing the security features surrounding the Chabad Center.
» (U//FOUO) Three Lebanese Hizballah External Security Organization (ESO) operatives arrested between 2017 and 2019 had conducted surveillance of US military and law enforcement facilities, critical infrastructure, private sector venues, and public landmarks in New York City, Boston, and Washington, DC.
(U//FOUO) The GOI also has a history of conducting assassinations and assassination attempts against individuals in the United States it deems a threat to the Iranian regime. The GOI assassinated the US-based former spokesman for the Shah of the Iran in 1980 and plotted to assassinate the Saudi Arabian ambassador to the United States in 2011. In August 2018, the USG arrested two individuals for acting as agents of the GOI by conducting covert surveillance of Iranian dissidents in New York City and Washington, DC, and the aforementioned security features of Jewish facilities in Chicago.