United States government officials are warning of possible cyber-attacks from Iran after the United States military killed Qassem Soleimani, the chief of Iran’s Quds Force, in a drone strike in Baghdad last week.
While Acting Secretary of Homeland Security [Chad F. Wolf] wrote on Twitter that “there is no specific, credible threat against the homeland,” the Department of Homeland Security issued a National Terrorist Advisory System Alert stating, “Iran maintains a robust cyber program and can execute cyber attacks against the United States.” The system, which was implemented in 2011, has been used only a handful of times, underscoring the seriousness of the situation.
"Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” the alert said.
New York’s Department of Financial Services, the financial services regulator for the state, also issued an industry alert warning banks, insurers,and other businesses about the “heightened risk” of cyberattacks orchestrated by Iran.
One reason why cyberattacks are attractive as a form of response is because it doesn't care about the country's military capabilities. Success depends on how effectively attackers can design lures to compromise their targets, not who has the best missiles (or drones). The potential for damage is also broader, as attacks go beyond military targets and government systems and affect private sector businesses and regular citizens.
“The IRGC’s [Islamic Revolutionary Guard Corps] cyber wing plus Shodan, with its comprehensive listing of compromised Internet of Things (IoT) devices, should give us pause,” Chris Bronk, an assistant professor at the University of Houston’s College of Technology, wrote for Forbes.com. Bronk also warned of disinformation and propaganda operations “aimed at shaping perceptions of the American and other publics with regard to a major military intervention in Iran.”
Past Activity
Cyberattacks has been part of the ongoing conflict with Iran for the better part of the decade, especially after Israel and the US famously developed the Stuxnet to sabotage the Iranian nuclear program. Iranian groups launched multiple distributed denial-of-service attacks against bank websites in 2012 and 2013 in response to US sanctions and is believed to be responsible for the Shamoon malware which wiped the hard drives at oil giant Saudi Aramco in 2012. The malware damaged the computers to the extent that nothing could be recovered and everything had to be replaced.
In March 2018, the U.S. Department of Justice indicted the Mabna Institute and nine Iranian associates for compromising hundreds of universities to steal intellectual property and benefit financially. The government-backed cyber-espionage group (also known as Cobalt Dickens and Silent Librarian) compromised university resources to send library-themed phishing emails and to intercept researcher login credentials.
“Iran's offensive cyber capabilities have grown significantly since the 2012 days of banking sector denial of service attacks and Saudi Aramco/Shamoon destructive malware,” said Rick Holland, CISO and vice-president of strategy at Digital Shadows.
Iranian actors are known to use account takeover techniques and spear phishing to carry out their operations. They tend to rely on black market malware rather than custom-built tools. Defenders can employ security controls such as multi-factor authentication to mitigate against account takeover attempts and creating PDFs of email attachments to “defang” malicious code in booby-trapped files to stop some of these operations, Holland said.
Wiped Systems
The groups’ reliance on wiper malware to destroy as many computers as possible is an area of concern. In 2014, Las Vegas Sands was hit with a wiper after owner Sheldon Adelson suggested a nuclear strike against Iran. IBM X-Force analysts recently uncovered previously unknown malware believed to have been used by Iranian attack groups in a data-wiping attack against industrial organizations in the Middle East.
Holland said businesses concerned about being targeted can also run through wiper tabletop exercises for help with extortion and ransomware planning.
“Don’t expect DDoS this time, they won’t view it as a proportionate response,” said Hank Thomas, CEO at Strategic Cyber Ventures. While wiper attacks so far targeted private corporations in the Middle East, it wouldn’t be surprising for the groups to “take their masks off” and target the US with wiper attacks for the first time, Thomas said.
“I do not feel that Iran will care about stealth, and will want to the world to know it was them,” Thomas said.
Sowing Chaos
There are concerns the response would target civil society by attacking critical infrastructure—such as electric grids and transportation systems. Iran’s attack groups have been shifting their focus to consider ICS. Wired reported on Microsoft research identifying password-spraying attacks by Iran’s APT33 threat group against manufacturers, industrial equipment suppliers, and other firms associated with industrial control systems.
Setting up attack infrastructure, performing reconnaissance on who to target, and crafting the right kind of lures all take time, though, giving defenders time to familiarize themselves with attack methods they should look for.
Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, wrote on Twitter that defenders needed to “brush up on Iranian TTPs and play close attention to [your] critical systems, particularly ICS.”
Low-Level Activity
Most of the activity at the moment has been minor. A number of websites have been defaced with political messages, and CyberScoop reported a series of pro-Soleimani propaganda posts have appeared on Twitter and Instagram.
The Federal Depository Library Program (FDLP) portal where copies of all government publications are kept was also defaced. The attackers most likely took advantage of the fact that the portal appeared to be running an outdated version of the Joomla content management system. The analysis of the attack suggests that this was an opportunistic attack and not part of an official government response, as the attackers “added the standard ‘lol u got owned’ bit at the bottom of the page and went off to run automated attack tools against some other sites.”
“For companies with Iranian threat actors in their threat model, like Industrial Control System operators, heightened security monitoring is essential,” Holland said.