January 3, 2020, updated 05 Jan 2020 7:52pm

Top US Security Official: “Brush Up” on Hostile Online Iranian Tactics

"Make sure you’re also watching third party accesses!"

By CBR Staff Writer

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned businesses and public organisations to “brush up on Iranian TTPs” (Tactics, Techniques and Procedures) and pay close attention to the cybersecurity of critical national infrastructure (CNI) as tensions escalate between the US and Iran.

CISA director Chris Krebs took to Twitter today to urge people to get familiar with common Iranian hostile cybersecurity tactics, warning that now is a good time to “pay close attention to your critical systems, particularly ICS”.

Iran itself was the target of one of the earliest documented malware attacks on CNI: the Stuxnet worm, widely attributed to the US and Israel and discovered in 2010, damaged centrifuges at the Natanz uranium enrichment facility. Experts have long warned that the increasingly connected nature of physical infrastructure, from water to energy utilities, makes it low-hanging fruit in a “hot” cyberwar.


Krebs linked to a CISA statement published last June, which states: “Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”

The CISA director’s warning follows the death of top Iranian general Qassem Soleimani who was assassinated by a US drone strike that targeted his vehicle as it was being driven from a Baghdad airport in the early hours of Friday morning.

Iran Cybersecurity Threat?

The extent of the Iranian cybersecurity threat is unclear, but numerous threat actor groups have been publicly attributed to Iran.

Last November, cybersecurity firm Trend Micro published research showing that APT33, a group believed to be Iran-based, had run botnet and phishing campaigns against European security and energy businesses.

Trend Micro stated that: “These attacks have likely resulted in concrete infections in the oil industry. For example, in the fall of 2018, we observed communications between a U.K.-based oil company with computer servers in the U.K. and India and an APT33 C&C server. Another European oil company suffered from an APT33 related malware infection on one of their servers in India for at least 3 weeks in November and December 2018.”


Schema showing the multiple obfuscation layers that APT33 uses Credit: Trend Micro

Iranian Nationals Arrested

In February of 2018, the US Department of Justice indicted nine Iranian nationals, who were associated with the Iranian Mabna Institute, for computer intrusion offenses.

The charged individuals were accused of using email phishing and password spraying. In a password-spraying attack, the attacker takes a list of valid usernames and tries a small number of commonly used passwords, such as qwerty12345, month/year combinations or the organisation’s name followed by a number, against every account, rather than many passwords against a single account. Because each account sees only one or two failed attempts, per-account lockout thresholds are never tripped, which is what distinguishes spraying from conventional brute force and why it often goes unnoticed unless failures are correlated across accounts.
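As an added example (not code from the article, CISA or the DOJ filing), the following Python script shows how that cross-account correlation looks in practice: it groups authentication failures by source IP over a sliding window and flags a source as a spray when it touches many accounts with few attempts each, as brute force when it hammers one account, and lists accounts that logged in successfully from the same source shortly after a failure. The log format, IP addresses and thresholds are assumptions, and the log lines are constructed.

```python
"""Password-spray vs brute-force detection over authentication logs.

Added example, not code from the article or from CISA. The log line
format, IP addresses and thresholds below are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Assumed format per line:
#   <ISO timestamp> <FAIL|SUCCESS> user=<name> src=<ip>
# 203.0.113.7 sprays six accounts with one or two guesses each, then logs in
# as frank; 198.51.100.9 hammers one account; 192.0.2.5 is a user's typo.
SAMPLE_LOG = """\
2020-01-03T08:00:01 FAIL user=alice src=203.0.113.7
2020-01-03T08:00:04 FAIL user=bob src=203.0.113.7
2020-01-03T08:00:07 FAIL user=carol src=203.0.113.7
2020-01-03T08:00:10 FAIL user=dave src=203.0.113.7
2020-01-03T08:00:13 FAIL user=erin src=203.0.113.7
2020-01-03T08:00:16 FAIL user=frank src=203.0.113.7
2020-01-03T08:01:00 FAIL user=admin src=198.51.100.9
2020-01-03T08:01:01 FAIL user=admin src=198.51.100.9
2020-01-03T08:01:02 FAIL user=admin src=198.51.100.9
2020-01-03T08:01:03 FAIL user=admin src=198.51.100.9
2020-01-03T08:01:04 FAIL user=admin src=198.51.100.9
2020-01-03T08:02:00 FAIL user=carol src=192.0.2.5
2020-01-03T08:02:20 SUCCESS user=carol src=192.0.2.5
2020-01-03T08:05:01 FAIL user=alice src=203.0.113.7
2020-01-03T08:05:04 FAIL user=bob src=203.0.113.7
2020-01-03T08:05:07 SUCCESS user=frank src=203.0.113.7
"""

WINDOW = timedelta(minutes=30)   # sliding window per source IP (assumed)
SPRAY_MIN_USERS = 5              # spray: many distinct accounts ...
SPRAY_MAX_PER_USER = 3           # ... each tried fewer times than a lockout threshold
BRUTE_MIN_PER_USER = 5           # brute force: one account, many attempts


def parse_line(line):
    ts, result, user_kv, src_kv = line.split()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user_kv.split("=", 1)[1], "src": src_kv.split("=", 1)[1]}


def parse_log(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def analyse(events, window=WINDOW):
    """Return {src_ip: finding} for sources whose failures look like a spray
    or a brute force. A finding also lists accounts that later logged in
    successfully from the same source after a failure (candidate compromises)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        best, start = None, 0
        for end in range(len(fails)):
            # shrink the window so it spans at most WINDOW of failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            peak = max(per_user.values())
            kind = None
            if len(per_user) >= SPRAY_MIN_USERS and peak <= SPRAY_MAX_PER_USER:
                kind = "spray"
            elif peak >= BRUTE_MIN_PER_USER:
                kind = "brute_force"
            if kind and (best is None or sum(per_user.values()) > best["attempts"]):
                best = {"kind": kind, "distinct_users": len(per_user),
                        "attempts": sum(per_user.values()), "max_per_user": peak}
        if best is None:
            continue
        # FAIL then SUCCESS for the same account from this source within the window
        last_fail, hits = {}, set()
        for e in evs:
            if e["result"] == "FAIL":
                last_fail[e["user"]] = e["ts"]
            elif e["user"] in last_fail and e["ts"] - last_fail[e["user"]] <= window:
                hits.add(e["user"])
        best["successes_after_failure"] = sorted(hits)
        findings[src] = best
    return findings


if __name__ == "__main__":
    for src, finding in analyse(parse_log(SAMPLE_LOG)).items():
        print(src, finding)
```

Run stand-alone, the script reports 203.0.113.7 as a spray across six accounts with at most two attempts per account and frank as a candidate compromise, and 198.51.100.9 as a brute force against admin; the single typo from 192.0.2.5 produces nothing. Per-account lockout alone would have caught only the second source, which is the point of the correlation: the thresholds are per source IP, so a real deployment also needs to handle sprays spread across many source addresses, for example by keying on the target tenant or login endpoint instead of the client IP.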

Sam Curry, CSO at Cybereason, told Computer Business Review: “Iran’s response will most likely include a cyber response. [But] it would be foolish to think that Iran will simply ratchet up its offensive capabilities against the U.S. and other nations as a result of today’s news. In fact, Iran is an intelligent cyber opponent with an army of people testing our systems every minute of every day. It is the ultimate game of cat and mouse. But in this instance, the consequences could be lasting.”

He added: “One of the buzzwords making headlines in the coming days will be ‘resiliency’ and how governments and companies respond to new cyberattacks.”

See Also: Citrix Data Breach: Were “Iranians” or “International Cyber Criminals” to Blame?
