Following the news that a website operated by the U.S. government has been hacked by a group claiming to represent the government of Iran, security experts have warned that these cyber attacks could be part of Iran's retaliation for the US airstrike on Friday that killed Revolutionary Guard General Qassem Soleimani, a top Iranian official who was widely revered there.
A message from the hackers left on the website read: ‘in the name of god. >>>>> Hacked By Iran Cyber Security Group HackerS … ;)<<<<<. This is only small part of Iran's cyber ability ! We’re always ready.’
While the USA is always a target for nation-states, organisations should be aware of a potential targeted cyberattack due to the recent actions by the US government. Organisations will want to be on alert, but not to panic. There have been no attributed attacks as of yet, and while the USA is always under cyberattack, there is a need for additional monitoring and awareness within their networks.
Respectively, organisations having a robust security program should already be actively monitoring for unusual activity. They want to be vigilant about remote access connections by making sure all supply chain access is monitored, authorised and considered valid. It's important for organisations to alert their human firewalls with training and education about potential attacks and a strong awareness of potential spear phishing attacks.
The US has seen attacks from various nation-states on critical infrastructure networks in the past, such as water, energy, transportation and healthcare organisations, and they will want to be alert to the potential impact and take the appropriate actions.
We know APTs 33 and 34 are associated with Iranian state-sponsored hackers. Every company in the SCADA and ICS space should already be proactive in safeguarding against these (and other) APTs; if we're doing our jobs right, then admins aren't in a state of emergency right now over the potential of Iranian implants lying dormant on our networks. It's also important to keep in mind US-CERT's ongoing bulletins regarding Iranian cybersecurity threats, which consistently warn industry as to their go-to access methods – phishing attacks and password spraying. Critical infrastructure must remain vigilant and utilize security solutions such as air gapping, deploying endpoint protections and training employees to spot and report social engineering and potential insider threats.
Modern military actions and warfare have transcended from purely kinetic attacks to hybrid cyber and kinetic attacks.
It’s reasonable to expect that there will be a response on the cyber side, especially given Iran’s advanced capabilities in the space. There is the possibility they already have access to systems as part of their APT groups and may leverage these at any time with attacks on the public and private sectors.
We can also expect that non-Iranian attackers will use the emotional tensions around the situation to craft phishing attacks designed to install malware or steal credentials. This is often the case around emotionally charged situations such as this.
The gauntlet has been thrown for reasons that are hard to gauge behind a wall of information classification. The undeniable truth here is that the U.S. took action and now we the public wait and see the response. This can’t be ignored in the game of nations, and Iran's response will most likely include a cyber response. It would be foolish to think that Iran will simply ratchet up its offensive capabilities against the U.S. and other nations as a result of today's news. In fact, Iran is an intelligent cyber opponent with an army of people testing our systems every minute of every day. It is the ultimate game of cat and mouse. But in this instance, the consequences could be lasting.
Don't think because the headlines have been focused on impeachments and the trade war with China that covert cyber activities aren't going on regularly behind the scenes between these countries. Cyber is not only the poor man’s nuke for asymmetric warfare, but it is also a valid domain for causing damage all by itself. Will the response be drones on a soft target, a physical skirmish, a terrorist action or a cyber action or, most likely, a hybrid action combining two or more of these? Time will tell. One of the buzzwords making headlines in the coming days will be 'resiliency' and how governments and companies respond to new cyberattacks. Today, there is often too little emphasis on facing the truth that intelligent, motivated, equipped opponents will eventually succeed and that requires planning to both minimize damage and to return to normal operations as rapidly as possible. This is far too often neglected.
Given the gravity of the operation last evening we are anticipating an elevated threat from Iranian cyberthreat actors. FireEye has launched a Community Protection Event to streamline coordination on this specific threat.
We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere. Prior to the JCPOA, Iran carried out such attacks against the US financial sector as well as other businesses and probed other critical infrastructure. Since the agreement, and despite the erosion of relations between Iran and the US, Iran has restrained similar activity to the Middle East. In light of these developments, resolve to target the US private sector could supplant previous restraint.
Iran has leveraged wiper malware in destructive attacks on several occasions in recent years. Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations. We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.