
Security advisories | Jan 10, 2020

UPDATE: The Potential for Iranian Cyber Response

**UPDATE**

The eSentire Security Operations Center (SOC) continues to operate with a heightened state of awareness pertaining to the evolving threat of Iranian-based attacks, in addition to its continuous monitoring of known and emerging threats.

Our teams are actively monitoring reports related to events that have become known to us through our various intelligence sharing sources and will continue to take action to protect eSentire customers.

Specifically, the focus on Iranian activity has been amplified by a recent wiper malware, Dustman wiper, linked to a suspected Iranian APT group. This attack is not believed to be a direct response to the January 2nd death of the Iranian General, as it occurred on December 29, 2019.

The eSentire SOC is currently operating under the latest guidance to protect our customers from this potential threat. A separate Security Advisory on Dustman is to follow.

As noted below in Tuesday’s advisory, we recommend the following:

Customers are advised to maintain a heightened level of awareness and report suspicious activity to the eSentire SOC.

Ensure all externally facing systems are patched [1]

Refer to the Recommended Actions section of Alert (AA20-006A) from the Cybersecurity and Infrastructure Security Agency (CISA) for best security practices.

[1] https://www.us-cert.gov/ncas/alerts/aa20-01a

---

The Threat

On January 4th, 2020, the Department of Homeland Security issued an official summary of the escalation and threats to the United States following the targeted US airstrike that killed the Iranian General, Qasem Soleimani on January 2nd, 2020 [1]. Iranian leadership has promised retaliation for the strike which may take the form of both physical and cyber operations. Historically, suspected Iranian APT groups have targeted both governments and private businesses [2]. There is the possibility that organizations previously compromised by Iranian APT groups will be targeted with destructive malware, as past unidentified compromises would allow for fast retaliatory actions. eSentire has not observed any increase in attacks linked to this topic across its customer base.

What we're doing about it

  • eSentire Security Operations Center (SOC) has adopted a heightened state of awareness pertaining to the current threat of Iranian-based attacks, in addition to its continuous monitoring of known and emerging threats.

What you should do about it

  • Customers are advised to maintain a heightened level of awareness and report suspicious activity to the eSentire SOC.
  • Ensure all externally facing systems are patched.
  • Refer to the Recommended Actions section of Alert (AA20-006A) from the Cybersecurity and Infrastructure Security Agency (CISA) for best security practices [2].

Additional information

  • Due to the death of the high ranking and internationally recognizable military member, General Qasem Soleimani, it is likely that Iran will respond.
    • “Iran’s defense minister, Brig. Gen. Amir Hatami, added that the attack would be met with a “crushing” response.” [3]
  • Historically, Iran has used its “… offensive cyber capabilities to retaliate against perceived harm” [2]. While it remains unclear how Iran will respond, businesses should be aware of destructive attacks such as ransomware and wipers.
    • In 2012, 2016 & 2017 the Shamoon Wiper was attributed to Iranian actors [4].
    • The Shamoon Wiper spreads across infected networks, uploads files to the attacker C2 and then wipes infected computers. This includes the master boot record, making wiped machines unusable.
  • Multiple instances of website defacement by opportunistic actors have been identified. These attacks can likely be attributed to opportunistic hacktivism rather than an organized government response.
    • On January 4th, 2019, the Federal Depository Library Program (FDLP) website was defaced to show anti-American and pro-Iranian imagery [5].
    • On January 7th, 2019, the government website for Texas agriculture was defaced to show an image of Qasem Soleimani [6].

Suspected APT Groups Linked to Iran

  • Notable Iranian threat actor groups include APT33 (Elfin Team), APT34 (Helix Kitten), and APT35 (Charming Kitten).
    • While these are the most well-known Iranian APTs, there are reports of up to 50 groups that compete for government contracts in the cyber realm. While these groups are normally hired on a case-by-case basis, it is possible that multiple groups will be employed at the same time to cause diverse and wide-reaching damage against American interests.
  • Less skilled but ideological Iranian actors may take this as an opportunity to engage in hacktivism. While these attacks are not sophisticated, they could still pose a risk to businesses.

| APT Group | Targeted sectors | TTPs |
| --- | --- | --- |
| APT33 | Aviation, Energy | https://attack.mitre.org/groups/G0064/ |
| APT34 | Financial, Government, Energy, Chemical, Telecommunications | https://attack.mitre.org/groups/G0049/ |
| APT35 | Energy, Government, Technology (primarily targeting Middle Eastern companies/governments) | https://attack.mitre.org/groups/G0059/ |
| APT39 | Telecommunications, Travel (focus on information gathering) | https://attack.mitre.org/groups/G0087/ |
| MuddyWater | Telecommunications, Government, Oil | https://attack.mitre.org/groups/G0069/ |

References

[1] https://www.washingtonpost.com/world/national-security/with-trumps-approval-pentagon-launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-11e9-b570-6416efdc0803_story.html

[2] https://www.us-cert.gov/ncas/alerts/aa20-006a

[3] https://www.washingtonpost.com/world/national-security/defense-secretary-says-iran-and-its-proxies-may-be-planning-fresh-attacks-on-us-personnel-in-iraq/2020/01/02/53b63f00-2d89-11ea-bcb3-ac6482c4a92f_story.html

[4] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/

[5] https://threatpost.com/hackers-deface-u-s-gov-website-with-pro-iran-messages/151559/

[6] https://twitter.com/cyberwar_15/status/1214530559558352896