President Trump may have pulled back at the 11th hour from airstrikes on Iranian radar and military targets, but U.S. Cyber Command did hit cyber targets within the Iranian intelligence apparatus last week.

The U.S. cyberattacks, okayed by the president, hit systems within the Iranian intel network, the Wall Street Journal reported, and came as officials expressed concern that Iran would launch offensive cyber actions of its own against the U.S.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money,” Department of Homeland Security (DHS) Cybersecurity and Information Security Agency (CISA) Director Christopher Krebs warned in a statement tweeted out Saturday. “These efforts are often enabled through common tactics like spearphishing, password spraying and credential stuffing.”

Security researchers have found evidence of that activity. “FireEye has identified spear phishing activity conducted by Iranian threat actor APT33 concurrent with increasing tension in the Gulf region and with the U.S.,” said John Hultquist, the company’s director of intelligence analysis. “The spearphishing campaign has targeted both public and private sectors in the U.S. This activity is consistent with intelligence collection, and the Iranian regime is also likely to be using cyberespionage to reduce the uncertainty surrounding the conflict. Notably, APT33 has historically carried out destructive cyberattacks in addition to intelligence collection.”

Before a coalition of countries inked the Iranian deal, or JCPOA “Iranian actors carried out destructive and disruptive attacks on multiple U.S. targets,” but in more recent years, the attacks “have primarily taken place in the Middle East, targeting private sector organizations such as oil and gas firms,” he said, noting with the ability to launch “destructive and disruptive cyberattacks,” Iran “cause economic damage without significantly escalating the conflict, similar to its previous sabotage of maritime organizations.”

But if the U.S. is launching cyberattacks attacks against Iran, the country “may use their own capability as a means of proportionate response,” said Hultquist. “Though a U.S. action may have been constrained to military targets, Iran may choose to strike softer targets where it has an asymmetric advantage.”

Rep. Bennie G. Thompson (D-MS), chairman of the Committee on Homeland Security, who echoed Krebs’s warning, urged “CISA to assess whether it has the capacity to meet the increased demand for its services that this alert is likely to spur.”

Contending that “defending government networks and private sector industries will require that the full resources of the federal government are brought to bear to complement private sector efforts,” Thompson said he is “committed to working with CISA to ensure” it’s positioned “to carry out its important mission.”

Cyber Command was granted new powers last year under the John S. McCain National Defense Authorization Act for Fiscal Year 2019, which also gave the defense secretary the ability to run “clandestine military activity” to counter cyberattacks.

Just last week a report claimed that Cyber Command and the U.S. military took advantage of those new powers by ramping up a secret program that inserted malware into the nation-state’s power grid, but didn’t brief President Trump over concerns that he might shutter the program or leak information about it to foreign governments.

“The digital strike against Iran is a great example of using #CyberCommand as a Special Ops force, clearly projecting U.S. power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus,” said Phil Neray, vice president of industrial cybersecurity for CyberX.