Threat intelligence firms expect that the United States could face a new round of cyberattacks ― this time from Iran ― if White House sanctions pressure the Persian country this fall.

The Trump administration enforced economic sanctions on Iran Aug. 6 after it claimed its nuclear deal with the U.S. has not halted its aggressive activity throughout the region. Another round of American sanctions are slated for Nov. 4. Experts told Fifth Domain that Iran may retaliate in cyberspace where it can avoid a physical confrontation.

“If the United States actually sanctions Iran and they bite because the Europeans enforce them, Iran will probably lash out against the financial sector,” Ross Rustici, senior director of intelligence services at the threat analysis firm Cybereason told Fifth Domain.

“If you do a lot of business with Saudi Arabia, yes, there is always going to be a large risk. If you are in the oil and natural gas industry, yes, you’re probably going to see downstream effects depending on how our sanctions go.”

Among the factors that Iran may weigh is how many nations join the American sanctions, Rustici said. If the Trump administration can build a coalition of countries to join their regime, then Iran may respond in kind through cyberspace.

Iran is facing an economic crisis after several major international firms pulled operations from the country following the American sanctions. Iran’s economic minister was impeached Aug 26. for his mishandling of the economy.

Iranian hackers usually take three to four months to carry out an attack, Levi Gundert, vice president of intelligence at Recorded Future, told Fifth Domain during the Black Hat conference in Las Vegas. That means the Nov. 4 date for potentially another round of U.S. sanctions coincides with the timeline for an expected retaliation.

The warnings come as Iran was accused of a widespread disinformation campaign on social media.

Facebook removed 652 pages for “coordinated inauthentic behavior” that targeted the Middle East, Latin America, the United Kingdom and the United States, the company said in an Aug. 21 post. On the same day, Twitter said it had suspended 284 accounts for manipulation, many of which apparently originated from Iran. The Iranian campaign began to ramp up its focus on the United States and United Kingdom in 2017, Facebook said. The disinformation campaigns are a sign that the Iranian government is not afraid of targeting Americans.

The U.S. government considers Iran as one of its four primary adversaries in cyberspace, including China, Russia and North Korea.

Iran’s cyber program began around 2009 and has relied on simple tactics such as phishing, according to experts. In response to financial sanctions under the Obama administration, Iran was accused of launching cyberattacks against tens of dozens of American banks from 2011 to 2014. In February 2014, the Iranian government hacked the Sands Casino in Las Vegas and wiped out three-quarters of its locally based servers, according to U.S. intelligence officials and Bloomberg. It came four months after the casino’s owner, Sheldon Adelson, advocated a nuclear strike on Iran.

Judging from historical patterns, Recorded Future predicted in a May report that when it comes to this upcoming threat of Iranian cyberattacks, “the businesses likely to be at greatest risk are in many of the same sectors that were victimized by Iranian cyberattacks between 2012 and 2014 and include banks and financial services, government departments, critical infrastructure providers, and oil and energy.”

But the Iranian leaders are often weary of the hackers they employ, experts told Fifth Domain. Iran operates “with embedded paranoia, where ultimately, no one can be trusted,” Recorded Future said in their report.

“There is a web of contractors in Iran that actually do the work and carry out attacks,” Gundert said. But the cell-based structure carries risks.The left hand doesn’t know what the right hand is doing, because of these trust issues.”