Comment: Notorious Iranian Hacking Crew Is Targeting Industrial Control Systems

It has been reported that one of Iran’s most active hacker groups appears to have shifted focus. Rather than just standard IT networks, they’re targeting the physical control systems used in electric utilities, manufacturing, and oil refineries. At the CyberwarCon conference today, a Microsoft security researcher plans to present new findings that show this shift in the activity of the Iranian hacker group APT33, also known by the names Holmium, Refined Kitten, or Elfin.

Raphael Reich, Vice President
InfoSec Expert
November 23, 2019 8:23 pm

In today’s hyperconnected world, discovering attack vectors such as software vulnerabilities means first discovering all of the assets in an organization’s attacker-exposed IT ecosystem. But, many of these assets and their associated risks lurk in the shadows because they are unmanaged by the organization itself. Instead, the assets belong to cloud providers, partners, subsidiaries, etc. Finding and eliminating this shadow risk is a prerequisite to keeping attackers out of organizations.

Last edited 2 years ago by Raphael Reich
Javvad Malik, Security Awareness Advocate
InfoSec Expert
November 23, 2019 8:19 pm

Aside from criminals attacking companies for financial gain, there are state-sponsored and other groups engaged in espionage against specific industries, and the automotive industry is no exception.

While the FBI has not offered details in its report, it is clear that these criminal actors often gain access through phishing emails or by compromising weak credentials.

As such, user awareness and training is an essential part of protecting organisations. A strong security culture can help protect against attacks through phishing and also reduce the likelihood that employees will use weak passwords or reuse passwords across different services.

Beyond that, companies should also have good monitoring and threat detection controls in place so that if they are breached, threats can be detected and remediated in a timely manner.

Last edited 2 years ago by Javvad Malik
Moreno Carullo, Co-founder and CTO
InfoSec Expert
November 23, 2019 8:13 pm

Governments and critical infrastructure organisations should absolutely be worried about these threats. As the lines between IT and OT become more and more blurry, cybercriminals and nation states are realising that targeting these critical OT systems can cause huge damage, especially if their end goal is chaos and disarray. Because utilities offer critical services, it will increasingly make them targets for these kinds of attacks. What’s more, they often can have significant gaps in cybersecurity protection. Therefore, into 2020 and beyond, these organisations need to step up efforts and ensure they have total visibility into their OT environments, the same as they do for IT, so that they can react quickly to potential vulnerabilities and breaches of their defences.

Last edited 2 years ago by Moreno Carullo
Stuart Sharp, VP of Solution Engineering
InfoSec Expert
November 23, 2019 8:06 pm

MFA is always the first line of defence against automated password attacks. This should be combined with enforcing strong password policies, and ideally checking passwords against known breached credentials. But even if APT33 does not succeed in accessing your environment, it can still cause damage – the side effect of password spray attacks is that accounts are locked due to too many failed password attempts. This lockout can persist for as long as the attack lasts, preventing the legitimate user from logging in. Modern SSO methods can protect against account lockout by offering passwordless login flows that prevent password spray attacks from even submitting a password in the first place.

Last edited 2 years ago by Stuart Sharp
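As an added illustration of the lockout side effect Stuart Sharp describes (example code written for this page, not part of any commenter's material), the Python below separates a password spray (few guesses each across many accounts) from a single-account brute force in failed-login records, then lists the accounts whose failure count reached the lockout threshold. The log format, IP addresses, usernames and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from the page): spray, legit login, brute force.
SAMPLE_LOG = """\
2019-11-23T08:00:01 src=203.0.113.7 user=alice result=failure
2019-11-23T08:00:02 src=203.0.113.7 user=bob result=failure
2019-11-23T08:00:03 src=203.0.113.7 user=carol result=failure
2019-11-23T08:00:04 src=203.0.113.7 user=dave result=failure
2019-11-23T08:00:05 src=203.0.113.7 user=erin result=failure
2019-11-23T08:00:20 src=203.0.113.7 user=alice result=failure
2019-11-23T08:00:21 src=203.0.113.7 user=bob result=failure
2019-11-23T08:00:22 src=203.0.113.7 user=carol result=failure
2019-11-23T08:00:40 src=203.0.113.7 user=alice result=failure
2019-11-23T08:00:41 src=203.0.113.7 user=bob result=failure
2019-11-23T08:01:00 src=198.51.100.9 user=alice result=success
2019-11-23T08:01:30 src=192.0.2.5 user=grace result=failure
2019-11-23T08:01:31 src=192.0.2.5 user=grace result=failure
2019-11-23T08:01:32 src=192.0.2.5 user=grace result=failure
2019-11-23T08:01:33 src=192.0.2.5 user=grace result=failure
"""
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\S+)")

def parse_failures(log_text):
    """Return {source: {user: failure_count}} built from failed logins only."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(3) == "failure":
            failures[m.group(1)][m.group(2)] += 1
    return failures

def classify_sources(failures, min_accounts=5, max_per_account=3):
    """Spray: many distinct accounts, few tries each. Brute force: one account, many tries."""
    verdicts = {}
    for src, per_user in failures.items():
        spread, peak = len(per_user), max(per_user.values())
        if spread >= min_accounts and peak <= max_per_account:
            verdicts[src] = "password_spray"
        elif spread < min_accounts and peak > max_per_account:
            verdicts[src] = "brute_force"
    return verdicts

def lockout_victims(failures, lockout_threshold=3):
    """Accounts whose failures reached the lockout threshold: the spray's collateral damage."""
    totals = defaultdict(int)
    for per_user in failures.values():
        for user, n in per_user.items():
            totals[user] += n
    return sorted(u for u, n in totals.items() if n >= lockout_threshold)
```

Note that alice and bob are locked out by the spray even though the attacker never succeeded, which is exactly the denial-of-service side effect the comment warns about.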
Martin Jartelius, CSO
InfoSec Expert
November 23, 2019 8:04 pm

Partially, the attacks as described below are crude and loud, but they seem to work. This is of course a risk and shows again that the use of multi-factor authentication is a good precaution. Anyone operating ICS networks should be careful, and worried, about the security of those devices. The worst cases are when they are exposed in such a manner that they can be reached from the internet or from networks where users are working. A few years back Outpost24 researched SCADA systems in use in Europe and within a short span of time had contacted a large set of vendors. Very few of the risks received a patch, and for those devices that did indeed receive a patch, none of the patches were rolled out to more than a fraction of the systems we are aware of. This is also one of the reasons they are high-value targets for attackers: generally, implanting on those systems will grant persistent access to networks for many years to come. Even if the devices themselves are not used to cause damage, they are a means to gain maintained access to the networks where they are deployed.

Last edited 2 years ago by Martin Jartelius
Information Security Buzz