The United States Department of Homeland Security warned that Iranian nation-state attackers could lob malware capable of wiping hard drives and physically destroying machines against U.S. targets as the two countries remain locked in a political game of one-upmanship.
Iranian "regime actors and proxies" are targeting government agencies and certain industries with destructive wiper malware, Christopher Krebs, the director of the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) said in a statement posted on Twitter. Wipers are designed for the sole purpose of deleting data from hard drives and damaging systems to the point where the machines cannot turn on and data cannot be recovered. Groups using wipers are interested in destruction, not theft.
Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money," Krebs said. “What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.
Organizations need to shore up basic defenses, since the best defense against wipers is not to get infected. Since much of the U.S. critical infrastructure and government systems are tied up with the private sector, enterprises have to worry about the prospect of wiper malware. The threat would be most acute for organizations in the oil, gas, and energy sectors.
CISA warned that attack groups use multiple tactics such as spear-phishing, credential stuffing, and password spraying to infect the machines. The Department of Justice has charged various Iranian groups in the past for various spear-phishing campaigns against U.S. entities. Credential stuffing involves using usernames and passwords leaked by third-party services in other data breaches and trying them out on other sites, since users frequently reuse passwords. Password spraying is slightly different, as it involves using one password, say 123456, and trying them against a long list of usernames. If any of those accounts used that password, then the attackers will gain access. Turning on multi-factor authentication would help protect accounts from credential stuffing and password spraying, and some forms of spear phishing.
The digital tit-for-tat comes amidst heightened political tension between the U.S. and Iran over Iran’s nuclear capabilities. Multiple government agencies and organizations in the finance, gas, and oil sectors have reported a wave of phishing emails believed to have been sent by Iranian attack groups. After Iran shot down a U.S. surveillance drone, the United States military launched an attack against Iranian military computer systems. The attack allegedly disabled computer systems that controlled Iranian missile and rocket launchers, although the Iranian government disputed the claim.
"CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies," Krebs said.
Both Crowdstrike and FireEye have attributed the phishing campaign to APT33, a well-known group known for using destructive malware. APT33 is not the only group to use wiper, however. Past wipers include Shamoon, Black Energy, Destover, ExPetr/Not Petya and Olympic Destroyer. Shamoon crippled Saudi Arabia oil giant Aramco back in 2012 when it wiped the hard drives of 35,000 computers, and it is believed to have targeted Italian oil and gas contractor Saipem last year.
“We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe,” he said.