The Iranian amateurs are scoring some quick hits, while their professionals are planning. I would expect to see some major impacts from both types of adversaries.
Iranian amateurs are going to have a field day with low hanging fruit. I doubt many of them are thinking about prosecution or retaliation right now, so expect to see a lot of attacks from 5kr1p7 k1dd13z, criminals, and probably some of their legitimate professionals.
Despite, or perhaps because of sanctions against them, Iran has one of the strongest STEM education programs in the world and is heavily investing in new technology. And right now these highly capable tech people are pissed off at the US. atlanticcouncil.org/blogs/iransour…
As @hackerfantastic mentions, amateurs are working together openly, likely sharing effective practices, tools, and targets. Anonymous used this approach to impressive impact a decade ago. It’s going to lead to some big scores in a week or two.
Lower skill hackers can queue up targets for higher skill ones, in an assembly line. This develops talent in those groups. It also frees up the higher capability hackers and programmers to create tools more effective at evading defenses.
Former FBI agent @NotTruppi says he watched Iranian Hackers use a similar approach after Stuxnet and went from 5kr1p7 k1dd13z to highly capable in 12-18 months. He talks about this at around 12 minutes in his @BSidesSF talk.
This was around the time Iran was targeting US critical infrastructure, including (at the time) the most impactful DDoS attacks against banks and probing our dams for weaknesses (though the dam they are credited with hacking proved inconsequential). reuters.com/article/us-usa…
Since then, Iran has proven that they are increasingly capable and willing to do harm through hacking. For instance, the #Triton attack threatened to cause damage to public safety, and national and economic security, according to @RobertMLee. wired.com/story/triton-m… 
This follows a general trend, where high capability adversaries are increasingly willing to do harm, high intent adversaries have increasing capabilities, and it’s harder and harder to distinguish the two (this is not the same as attribution).
I anticipate we will see a lot of line blurring/crossing here, with amateurs and state-funded attackers (covertly or overtly) collaborating in the same channels and trading information. Look for a big uptick in the coming months.
One of the biggest lessons I’ve learned in the past 15-20 years is that very, very few organizations have invested in defense against a motivated adversary, let alone one that is highly capable.
Some of our most critical assets are most exposed and vulnerable. For instance, healthcare, energy, aviation, and rail rely on wildly out of date technology with trivial security. And we have been busy over the past decade or two connecting it all to the internet.
Several US federal and state websites have been defaced in the last few days, purportedly by Iranian hackers. This is only a slight uptick in such attacks.
Website defacement are common, and often easy to achieve. It’s unlikely that any web defacements are linked to state sponsored actors. There’s an archive of defaced US gov sites (and others) here. zone-h.org/archive
Also note that several of the claimed defacements don’t seem to have been defaced at all. Either the mirror didn’t snapshot it quickly enough or these are fake reports.
