14.01.2020
History of cyber attacks from Iran and Mitigation Actions against future attacks
The recently heightened tensions between the United States and Iran have resulted in an increased focus on Iran’s cyber capabilities. With the military situation on the ground still unfolding, there is concern that threat actor groups associated with or backed by Iran may be committed to carrying out a “proxy war” via cyber attack that would allow Iran to retaliate against perceived US aggression without incurring the same penalties as overt military action. Given Iran’s long history of highly impactful campaigns, it is critical that we evaluate any potential exposure and reduce risk based on our current understanding of its capabilities.
Previous operations attributed to Iran show that its actors embrace a wide range of tools and attack methodologies. Everything from aging commodity malware (e.g., DarkComet) to highly evasive and destructive wipers and tools (e.g., Shamoon) should be considered when speculating on any future cyber response coming out of the region. Based on recent offensive campaigns, critical infrastructure may be of particular interest. There is no doubt that Iranian cyber threat actors are actively engaged in developing and improving their cyber warfare capabilities. Threat actors supporting and/or supported by Iran engage in a range of malicious activities, including DDoS (Distributed Denial of Service) attacks, website defacement, and theft of personally identifiable information (PII). Iranian threat actors have also been held responsible for unleashing wiper malware and are believed to be capable of, or in the process of developing the capability of, delivering destructive attacks on physical infrastructure. According to the US Department of Homeland Security, Iran’s IRGC (Islamic Revolutionary Guard Corps) uses its own operatives and private contractors to pursue its cyber warfare agenda.
High-profile attacks believed to be orchestrated by Iran have targeted the energy industry, financial services and government facilities. Defense, communications, healthcare and manufacturing have also been targeted by threat actor groups with links to Iran.
2011 TO MID-2013
Distributed Denial of Service attacks were used against websites belonging to 46 U.S. banks, preventing customers from accessing or servicing their accounts online. The fallout from these attacks cost the banks millions of dollars. The US Department of Justice indicted seven Iranian nationals in March 2016 for conducting the attacks on behalf of the IRGC.
LATE 2013
An individual accessed supervisory control and data acquisition (SCADA) systems at the Bowman Avenue Dam in Westchester County in the fall of 2013, obtaining sensitive information critical to the operation of the dam. The US DoJ indicted an Iranian national for illegally accessing the dam and the data. The attack was believed to be connected to the DDoS attacks conducted against US banks.
EARLY 2014
An attack on the Sands Las Vegas Corporation in 2014 first exfiltrated data, including credit card numbers, driver’s license numbers and Social Security numbers, before wiping the corporation’s computer systems. The U.S. Director of National Intelligence attributed the attack to Iran.
2013 - 2017
Hundreds of U.S. and foreign academic institutions, as well as a large number of private sector companies, were targeted over an extended period in thefts of email credentials and intellectual property. Nine Iranian nationals were indicted by the US DoJ in March 2018 for the attacks.
2019 TO PRESENT
The Deadwood family of wiper malware was used against specific targets in Saudi Arabia during mid-2019. Microsoft analysts attributed the attack to the highly active Iranian group APT33. In December 2019, the ZeroCleare wiper malware was found to have been used in multiple attacks against targets including Middle Eastern energy companies and firms in the industrial sector. IBM researchers attributed the attacks to the Iranian group APT34.
Recommended Actions
- Disable unnecessary ports and protocols. A review of your network security device logs should help you determine which ports and protocols are exposed but not needed; close those. For the ones that must remain exposed, monitor them for suspicious, ‘command & control’-like activity.
- Log and limit the use of PowerShell. If a user or account does not need PowerShell, disable it via the Group Policy Editor. For those that do, enable code signing of PowerShell scripts, log all PowerShell commands and turn on ‘Script Block Logging’.
- Set policies to alert on new hosts joining the network. To reduce the possibility of ‘rogue’ devices on your network, increase visibility and have key security personnel notified when new hosts attempt to join the network.
- Backup now, and test your recovery process for business continuity. It is easy to let backup policies slide, or fail to prove that you can restore in practice. Also, ensure you have redundant backups, ideally using a combination of hot, warm and cold sites.
- Step up monitoring of network and email traffic. The most common vectors for intruders are unprotected devices on your network and targeted phishing emails. Follow best practices for restricting attachments via email and other mechanisms, and review network signatures. Particular focus should be placed on external-facing hosts, which are being targeted by password-spraying and brute-force login attempts. Externally exposed systems where multi-factor authentication cannot be implemented should be monitored carefully. Attempting to compromise VPN servers without 2FA, for example, is a well-established TTP for Iran-based actors.
- Patch externally facing equipment. Attackers actively scan for and will exploit vulnerabilities, particularly those that allow for remote code execution or denial of service attacks. Implement multi-factor authentication wherever possible (e.g., VPN servers).
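The monitoring item above asks for attention to password-spraying and brute-force logins against external-facing hosts such as VPN gateways. The following is an added detection example, not code from the original post: it runs over constructed syslog-style authentication lines from a hypothetical gateway "vpn-gw1" (the log format, hostnames and documentation-range addresses are all assumptions) and separates a spray (many accounts, few failures each, from one source) from a brute force (many failures against one account), flagging any success that follows failures from the same source.

```python
import re

# Constructed sample lines from a hypothetical VPN gateway "vpn-gw1" (assumed format);
# source addresses are documentation ranges, not real indicators.
SAMPLE_LOG = "\n".join(
    [f"Jan 13 22:01:0{i} vpn-gw1 auth: FAILED user={u} src=203.0.113.10"
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    + ["Jan 13 22:01:09 vpn-gw1 auth: SUCCESS user=frank src=203.0.113.10"]
    + [f"Jan 13 22:05:{i:02d} vpn-gw1 auth: FAILED user=admin src=198.51.100.7"
       for i in range(12)]
    + ["Jan 13 22:10:00 vpn-gw1 auth: FAILED user=grace src=192.0.2.44",
       "Jan 13 22:10:30 vpn-gw1 auth: SUCCESS user=grace src=192.0.2.44"]
)

LINE_RE = re.compile(r"auth: (?P<result>FAILED|SUCCESS) user=(?P<user>\S+) src=(?P<src>\S+)")

def parse(log_text):
    """Yield (source_ip, user, succeeded) for every line matching the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["user"], m["result"] == "SUCCESS"

def classify_sources(events, spray_min_users=5, brute_min_attempts=10):
    """Per source IP: a spray is many distinct accounts failing from one source,
    a brute force is many failures against few accounts. A success that follows
    earlier failures from the same source is the highest-priority case."""
    stats = {}
    for src, user, ok in events:
        s = stats.setdefault(src, {"users": set(), "failures": 0, "success_after_failures": False})
        if ok:
            s["success_after_failures"] |= s["failures"] > 0
        else:
            s["failures"] += 1
            s["users"].add(user)
    report = {}
    for src, s in stats.items():
        if len(s["users"]) >= spray_min_users:
            verdict = "password-spray"
        elif s["failures"] >= brute_min_attempts:
            verdict = "brute-force"
        else:
            verdict = "benign"
        report[src] = {"verdict": verdict, "users": len(s["users"]),
                       "failures": s["failures"],
                       "success_after_failures": s["success_after_failures"]}
    return report

if __name__ == "__main__":
    for src, r in classify_sources(parse(SAMPLE_LOG)).items():
        print(src, r)
```

Real sprays are often spread across many source addresses and slowed to stay under lockout thresholds, so in production also aggregate failures per target account across all sources and over longer windows.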
Want more detailed insight into recommended actions, known tools, threat groups and notable campaigns? You can download the free paper via the link in the reference section below.