
Security advisories | Jan 08, 2020

The Potential for Iranian Cyber Response

The Threat

On January 4th, 2020, the Department of Homeland Security issued an official summary of the escalation and threats to the United States following the targeted US airstrike that killed the Iranian General Qasem Soleimani on January 2nd, 2020 [1]. Iranian leadership has promised retaliation for the strike, which may take the form of both physical and cyber operations. Historically, suspected Iranian APT groups have targeted both governments and private businesses [2]. Organizations previously compromised by Iranian APT groups may be targeted with destructive malware, as past unidentified compromises would allow for fast retaliatory actions. eSentire has not observed any increase in attacks linked to this topic across its customer base.

What we're doing about it

  • eSentire Security Operations Center (SOC) has adopted a heightened state of awareness pertaining to the current threat of Iranian-based attacks, in addition to its continuous monitoring of known and emerging threats.

What you should do about it

  • Customers are advised to maintain a heightened level of awareness and report suspicious activity to the eSentire SOC.
  • Ensure all externally facing systems are patched.
  • Refer to the Recommended Actions section of Alert (AA20-006A) from the Cybersecurity and Infrastructure Security Agency (CISA) for best security practices [2].

Additional information

  • Due to the death of the high-ranking and internationally recognizable military member, General Qasem Soleimani, it is likely that Iran will respond.
    • “Iran’s defense minister, Brig. Gen. Amir Hatami, added that the attack would be met with a “crushing” response.” [3]
  • Historically, Iran has used its “… offensive cyber capabilities to retaliate against perceived harm” [2]. While it remains unclear how Iran will respond, businesses should be aware of destructive attacks such as ransomware and wipers.
    • In 2012, 2016, and 2017, the Shamoon Wiper was attributed to Iranian actors [4].
    • The Shamoon Wiper spreads across infected networks, uploads files to the attacker's C2, and then wipes infected computers. The wipe includes the master boot record, making wiped machines unusable.
  • Multiple instances of website defacement by opportunistic actors have been identified. These attacks can likely be attributed to opportunistic hacktivism rather than an organized government response.
    • On January 4th, 2019, the Federal Depository Library Program (FDLP) website was defaced to show anti-American and pro-Iranian imagery [5].
    • On January 7th, 2019, the government website for Texas agriculture was defaced to show an image of Qasem Soleimani [6].

Suspected APT Groups Linked to Iran

  • Notable Iranian threat actor groups include APT33 (Elfin Team), APT34 (Helix Kitten), and APT35 (Charming Kitten).
    • While these are the most well-known Iranian APTs, there are reports of up to 50 groups that compete for government contracts in the cyber realm. While these groups are normally hired on a case-by-case basis, it is possible that multiple groups will be employed at the same time to cause diverse and wide-reaching damage against American interests.
  • Less skilled but ideological Iranian actors may take this as an opportunity to engage in hacktivism. While these attacks are not sophisticated, they could still pose a risk to businesses.

Suspected APT Groups Linked to Iran (APT Group / TTPs table; the entries that remain list targeted sectors):

  • Aviation, Energy
  • Financial, Government, Energy, Chemical, Telecommunications
  • Energy, Government, Technology (primarily targeting Middle Eastern companies/governments)
  • Telecommunications, Travel (focus on information gathering)
  • Telecommunications, Government, Oil