The US Cybersecurity and Infrastructure Security Agency (CISA) has warned businesses and public organisations to “brush up on Iranian TTPs” (Tactics, Techniques and Procedures) and pay close attention to the cybersecurity of critical national infrastructure (CNI) as tensions escalate between the US and Iran.
CISA director Chris Krebs took to Twitter today to urge people to get familiar with common Iranian hostile cybersecurity tactics, warning that now is a good time to “pay close attention to your critical systems, particularly ICS”.
Iran itself was the victim of one of the earliest documented malware attacks on CNI, when the Stuxnet worm, widely understood to have been created by the US and Israel, crippled an Iranian nuclear research site in 2010, and experts have long warned that the increasingly connected nature of physical infrastructure — from water to energy utilities — makes it low-hanging fruit in a “hot” cyberwar.
Given recent developments, re-upping our statement from the summer.
Krebs linked to a CISA statement published last June which states that: “Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
The CISA director’s warning follows the death of top Iranian general Qassem Soleimani, who was assassinated by a US drone strike that targeted his vehicle as it was being driven from a Baghdad airport in the early hours of Friday morning.
Iran Cybersecurity Threat?
The extent of the Iranian cybersecurity threat is unclear, but numerous threat actor groups have been explicitly traced back to the region.
(cont.) Two long-term U.S. security concerns: 1) Crippling Iranian cyber attacks 2) Iranian sleeper cells in U.S. – lying dormant for years
Last November cybersecurity firm Trend Micro detailed research which showed the hacker group APT33, which is believed to be Iran-based, had conducted several botnet and phishing attacks against European security and energy businesses.
Trend Micro stated that: “These attacks have likely resulted in concrete infections in the oil industry. For example, in the fall of 2018, we observed communications between a U.K.-based oil company with computer servers in the U.K. and India and an APT33 C&C server. Another European oil company suffered from an APT33 related malware infection on one of their servers in India for at least 3 weeks in November and December 2018.”
Iranian Nationals Arrested
In February of 2018, the US Department of Justice indicted nine Iranian nationals, who were associated with the Iranian Mabna Institute, for computer intrusion offenses.
The charged individuals were found to be using email phishing attacks and password spraying. Password spraying is an attack on an account login page that tries a list of account user names against a small set of commonly used passwords, such as qwerty12345, month/year combinations, or the organisation’s name followed by a number.
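Because CISA lists password spraying among the tactics that enable these intrusions, here is an added detection example (written for this page, not code from the article, CISA or the DOJ) that flags the spray pattern in constructed authentication log lines: one source failing against many distinct accounts inside a short window, as opposed to many attempts on a single account. The log format, the ten-minute window and the five-account threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article): 203.0.113.5 sprays one
# guess across many accounts, 198.51.100.9 hammers one account, 192.0.2.7 is noise.
SAMPLE_LOG = """\
2020-01-03T02:14:07Z src=203.0.113.5 user=alice result=FAIL
2020-01-03T02:14:09Z src=203.0.113.5 user=bob result=FAIL
2020-01-03T02:14:11Z src=203.0.113.5 user=carol result=FAIL
2020-01-03T02:14:13Z src=203.0.113.5 user=dave result=FAIL
2020-01-03T02:14:15Z src=203.0.113.5 user=erin result=FAIL
2020-01-03T02:14:17Z src=203.0.113.5 user=frank result=SUCCESS
2020-01-03T02:20:01Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T02:20:02Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T02:20:03Z src=198.51.100.9 user=alice result=FAIL
2020-01-03T03:30:00Z src=192.0.2.7 user=grace result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")

def parse_log(text):
    """Return (timestamp, src, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag sources whose failures in one window hit >= min_users distinct accounts.
    Returns {src: {"distinct_users": n, "success_after": [users]}}."""
    by_src = defaultdict(list)
    for ts, src, user, result in sorted(events):
        by_src[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, u, r in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):  # slide a window over the failures
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                # A later success from the same source is the account to review first.
                successes = [u for ts, u, r in evs if r == "SUCCESS" and ts >= start]
                alerts[src] = {"distinct_users": len(users), "success_after": successes}
                break
    return alerts
```

The single-account brute force from 198.51.100.9 is deliberately not flagged, since the spray signal is breadth across accounts rather than volume against one.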
Sam Curry, CSO at Cybereason, told Computer Business Review: “Iran’s response will most likely include a cyber response. [But] it would be foolish to think that Iran will simply ratchet up its offensive capabilities against the U.S. and other nations as a result of today’s news. In fact, Iran is an intelligent cyber opponent with an army of people testing our systems every minute of every day. It is the ultimate game of cat and mouse. But in this instance, the consequences could be lasting.”
He added: “One of the buzzwords making headlines in the coming days will be ‘resiliency’ and how governments and companies respond to new cyberattacks.”