Although it stressed there is no evidence of a specific credible threat to the U.S. after the killing Iranian General Qasem Soleimani, the Department of Homeland Security Saturday issued a National Terrorism Advisory System Bulletin warning of retaliation, including cyberattacks.

Previous homeland-based plots by Iran and its partners “have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.- based targets,” the advisory said.

“Iran maintains a robust cyber program and can execute cyberattacks against the United States,” DHS warned, noting the country “is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

John Hultquist, director of intelligence analysis at FireEye, expects “an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment,” as well as “disruptive and destructive cyberattacks against the private sphere.”

Before the Joint Comprehensive Plan of Action (JCPOA), or Iran nuclear deal, was inked in July 2015, “Iran carried out such attacks against the U.S. financial sector as well as other businesses and probed other critical infrastructure,” Hulquist noted. “Since the agreement and despite the erosion of relations between Iran and the U.S., Iran has restrained similar activity to the Middle East. In light of these developments resolve to target the U.S. private sector could supplant previous restraint.”

In the past, “Iran has leveraged wiper malware in destructive attacks on several occasions in recent years,” he said.

Though Iran’s cyberactivities didn’t “affect the most sensitive industrial control systems, they did result in serious disruptions to operations,” said Hulquist, who expressed concern “that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously.”

He noted that Russia and North Korea had in the past subverted the supply chain to deploy destructive malware.

Iran also has used disinformation tactics and methods, refined over the past few years, to push its geopolitical objectives. Past “tactics have included the creation of large networks of inauthentic ‘news’ sites designed to amplify pro-Iran propaganda globally and discredit rivals, including the U.S.; the impersonation of influential individuals on social media including political candidates running for office in the U.S.; the creation of fabricated journalist personas designed to solicit interviews with political experts espousing views advantageous to Iranian interests; and the creation of networks of inauthentic social media accounts masquerading as real, politically-inclined individuals, including those based in the U.S., designed to propagate commentary critical of Iran’s political rivals,” said Lee Foster, senior manager, information operations analysis at FireEye Intelligence.

In fact, the disinformation Iranian disinformation efforts began after the airstrike that killed Soleimani. “The U.S. should expect that Iranian influence efforts surrounding the U.S. will increase over the coming days or weeks as political developments evolve,” said Foster. 

Some of Iran’s tactics mirror those of Russia, though “Iran’s efforts, in general, have been more geographically widespread than Russia’s, being directed at audiences in most parts of the globe,” he said. “They have heavily pushed traditional state propaganda and criticized geopolitical rivals, however, it is often overlooked that, in a manner similar to Russia, Iran has also aggressively sought to use these tactics to directly influence the domestic politics of individual countries, including the U.S., and to take advantage of and amplify existing divisions between communities for its own ends.”