Wiper Malware, Bank Disruptions Feature in Iran’s Asymmetric Hacking Playbook
U.S. organizations face an escalated threat of cyberattack reprisal from Iran, the Department of Homeland Security warns.
Launching online attacks remains a potent tool in the Iranian government’s geopolitical playbook.
Security experts and U.S. government officials are urging American businesses and agencies to remember that as they anticipate reprisals from Iran after President Donald Trump on Thursday ordered the killing of an Iranian military leader (see: US Conflict With Iran Sparks Cybersecurity Concerns).
Major General Qasem Soleimani, leader of the foreign wing of Iran’s Islamic Revolutionary Guard Corps, was killed late Thursday night near Baghdad International Airport by a U.S. drone strike. A diplomatic crisis quickly erupted, with many Western governments rapidly moving to try to de-escalate tensions.
But U.S. officials have warned U.S. businesses to expect an escalation in online attacks launched by Iranian-allied hackers. Here are 11 key factors about the situation and how organizations must prepare.
1. Brace for Online Attack Escalation
Security and intelligence experts say Iran has the capability to launch cyberattacks against the U.S. at a time, and in a manner, of its own choosing.
“The cyberspace proxy war between the U.S. and Iran isn’t new and will escalate as a result of Soleimani’s death,” Rick Holland, CISO of San Francisco-based security firm Digital Shadows, tells Information Security Media Group.
But when this escalation will occur remains to be seen. “We’ve seen [Iran] take a very rational approach to cybersecurity attacks,” said Robert Hannigan, the former head of Britain’s Government Communications Headquarters intelligence agency, speaking at the 2018 Infosecurity Europe conference in London.
“Cyber is a very obvious weapon” for Iran, he said, pointing to the early 2010s distributed denial-of-service attacks against U.S. banks, the targeting of New York’s Bowman Dam, disrupting BBC’s Persian television channel in 2012, as well as its propensity to use wiper malware.
2. Wiper Malware Remains a Threat
Wiper malware is malicious code designed to overwrite systems or otherwise leave them unusable and unrecoverable – unless organizations have working backups (see: DHS: Conflict With Iran Could Spur ‘Wiper’ Attacks).
Iran’s propensity to lob destructive malware at targets remains a major concern for Western governments. Intelligence officials have attributed at least two such major attacks to Tehran: a 2012 attack against Saudi Aramco that destroyed 30,000 computers as well as an attack against Las Vegas Sands casino in 2014 after its owner suggested Iran should be hit by a nuclear strike.
3. Prowess: Iran Is a ‘Big Four’ Nation-State Hacker
Western intelligence agencies regularly point to four governments as posing the biggest online-attack threat to their national interests: Russia, China, North Korea and Iran.
But the “big four” do not wield equal capabilities. Last October, for example, U.K. and U.S. intelligence agencies reported that Russia had subverted an Iranian advanced persistent threat group’s attack infrastructure. In other words, the Iranians got owned by the Russians (see: Russian Hackers Coopted Iranian APT Group’s Infrastructure).
Even so, Iranian hackers have caused plenty of damage before, and could, of course, do so again. On Saturday, the Department of Homeland Security issued a terrorism threat alert, warning that Iran’s “previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber-enabled attacks against a range of U.S.-based targets.”
DHS added: “Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
4. Cyberattacks Can Express Outrage Without Triggering a War
Hacking continues to offer Iran an asymmetric way to rally its base and project force. If done carefully, it can also use hacking to express outrage, while avoiding a physical or kinetic response from its nation-state targets.
“It’s much more difficult for Iran to project physical power than it is for them to project cyber power,” Keith Alexander, the former head of U.S. Cyber Command and the National Security Agency and founder of startup IronNet Cybersecurity, tells the Wall Street Journal.
5. Iran Successfully Disrupted US Banks
The U.S. bank attacks stand as a textbook example of how to run an online attack campaign that disrupts a nation’s critical infrastructure without driving the targeted nation to respond with a declaration of war.
From December 2011 through May 2013, 46 major U.S. financial services firms were repeatedly pummeled by DDoS attacks. A supposed hacktivist group calling itself the Izz ad-Din al-Qassam Cyber Fighters – allegedly outraged over a YouTube movie trailer they said cast Islam in a negative light – claimed credit for the attacks.
Targets included Bank of America, Capital One, JP Morgan Chase and PNC as well as the New York Stock Exchange and Nasdaq – leaving hundreds of thousands of customers unable to access their bank accounts and resulting in tens of millions of dollars being spent by victimized organizations to mitigate and neutralize the attacks.
While most firms were able to mitigate the disruptions – spending tens of millions of dollars to do so – their mitigations often left large swaths of customers unable to access online banking services, the U.S. government said.
In 2016, the Justice Department unsealed indictments against seven Iranians who were allegedly working on behalf of the Iranian government, including the Iranian Revolutionary Guard Corps, charging them with perpetrating the DDoS campaign (see: 7 Iranians Indicted for DDoS Attacks Against U.S. Banks).
6. Hack Attacks Might Not Be Attributable to Iran
Attributing pro-Iran attacks to the nation’s government can be difficult. For example, hackers who work with Iran’s Islamic Revolutionary Guard Corps – be they government employees or mercenaries – might hack for the state by day, but freelance or operate without direct government approval by night (see: Cybercrime Groups and Nation-State Attackers Blur Together).
Even when attributions do get made, they can lag. Witness the Justice Department’s indictments of seven Iranians for perpetrating the DDoS disruptions against U.S. banks, which arrived via indictments that were unsealed nearly three years after the attacks stopped.
Seven Iranians charged by the U.S. government with attacking banks, via a 2016 indictment (source: Justice Department)
7. Phishing Campaigns and Information Operations Pose a Threat
Phishing also remains a well-documented tool in Iran’s online attack arsenal. In 2011, for example, Google warned some users that they were being targeted by a man-in-the-middle attack campaign being run by the Iranian government.
In August 2018, Facebook, Twitter and Google suspended accounts that they said were tied to Iranian government phishing campaigns (see: Google Suspends YouTube Accounts, Content Linked to Iran).
More recently, technology giants report that they have seen increasing attempts by Iran to run information operations, including targeting at least one 2020 U.S. presidential candidate (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).
8. Hacktivists Are Already at Work
Over the weekend, pro-Iranian attackers already defaced a U.S. government website, likely via a vulnerability in Joomla content management system. The U.S. Department of Homeland Security says it sees no signs that the vandalism of the U.S. Federal Depository Library Program’s website was state-sanctioned (see: US Government Website Defaced With Pro-Iran Message).
9. Repeat Target: Critical National Infrastructure
The U.S. considers banking to be part of its critical national infrastructure. And on Thursday, Chris Krebs, the director of the U.S. Cybersecurity and Infrastructure Security Agency – a unit of the Department of Homeland Security that oversees security threats to critical infrastructure – reissued a June 2019 alert.
“Pay close attention to your critical systems, particularly [industrial control systems],” Krebs tweeted.
Given recent developments, re-upping our statement from the summer.
Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS
— Chris Krebs (@CISAKrebs) January 3, 2020
10. Iran Tied to Intellectual Property Theft
Iran also hasn’t shied away from using hacking to steal valuable information. In early 2018, U.S. and British intelligence agencies tied hack attacks to Iran’s Mabna Institute, saying that they’d targeted universities around the world, stealing intellectual property from universities. A Justice Department indictment charged nine Iranian nationals with stealing more than 31 terabytes of data from 320 universities in 22 countries – including 144 U.S. institutions – as well as multiple businesses and government agencies (see: Britain Backs US Hacking Allegations Against Iranians).
U.S. officials say attacks targeting intellectual property and seeking to subvert supply chains, including attacks launched by Iran, have continued to increase (see: Feds Urge Private Sector ‘Shields Up’ Against Hackers).
11. Defenders Must Focus on the Basics
To defend against Iranian APT groups or any other threat, experts say organizations must ensure they have focused on the basics.
“In times like these, it’s important to make sure you’ve shored up your basic defenses, like using multifactor authentication, and if you suspect an incident – take it seriously and act quickly,” CISA’s alert says.
Many hackers – be they part of criminal gangs or nation-state APT groups, or simply bored teenagers – use the same, basic tactics to own targeted systems. “These efforts are often enabled through common tactics like spear phishing, password spraying and credential stuffing,” CISA’s alert says (see: How Can Credential Stuffing Be Thwarted?).
“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” CISA says.