Iran Cyber Threat Increasing, Experts Say
Attacks Could Take Months of Planning
Although fears of an imminent U.S. military conflict with Iran have eased, cybersecurity experts cautioned the country remains an increasing cyber threat.

By Holden Mann and Rich Heidorn Jr.

Although fears of an imminent U.S. military conflict with Iran eased last week, cybersecurity experts cautioned that the country remains an increasing cyber threat with ambitions for attacks on U.S. infrastructure.

Concerns about a cyber offensive from Iranian state actors have grown since the country pledged to retaliate for the Jan. 2 U.S. drone attack that killed Maj. Gen. Qassem Soleimani, leader of the Quds Forces of the Islamic Revolutionary Guards Corps. After responding Jan. 7 with a missile attack on two bases housing U.S. soldiers in Iraq, Iranian leaders said they “do not seek escalation or war.”

But that doesn’t mean Iran won’t continue to pursue cyber warfare, which experts say it sees as a “force multiplier” against the U.S.’ more powerful military. Western intelligence agencies have identified Iran, along with North Korea, Russia and China, as the countries with the most sophisticated cyber offensive capabilities.

Photo caption: The U.S. indicted seven Iranians with links to the Revolutionary Guard Corps for attacks on almost four dozen U.S. financial services firms over about 18 months beginning in late 2011. | FBI

News of the Soleimani attack prompted Christopher Krebs, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), to reissue the agency’s June 2019 alert that noted “a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.”

“Time to brush up on Iranian TTPs [tactics, techniques and procedures] and pay close attention to your critical systems, particularly ICS [industrial control systems],” he tweeted. “Make sure you’re also watching third-party accesses!”

“Iran maintains a robust cyber program and can execute cyberattacks against the United States,” DHS said in a terrorism threat bulletin Jan. 4. “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure.”

CISA followed with a warning Jan. 6 urging businesses to “assess and strengthen your basic cyber and physical defenses.”

Some 85% of cybersecurity experts polled by The Washington Post said the U.S. should expect serious cyberattacks from Iran in the next few months.

“It is almost a foregone conclusion that we will now see retaliatory cyberattacks on U.S. assets by Iran,” Richard Henderson, head of global threat intelligence for security firm Lastline, told SecurityWeek. “Iran has shown a demonstrated ability and propensity to go after heavy industry. Any organization with substantial ICS infrastructure should be on high alert now for potential attacks. Heavy industry, oil and gas, electrical generation and the attached grid infrastructure, as well as other critical infrastructure, are all caught in the crosshairs as of this moment.”

“I can’t say one way or another if Iran was contemplating a cyberattack before the U.S. strike,” Michael Daniel, CEO of the Cyber Threat Alliance and former cybersecurity coordinator under President Barack Obama, told Yahoo Finance. “What I can say is that the U.S. and other Western countries should also be prepared for the Iranians to use their cyber capabilities as part of a retaliation effort.”

After the 2015 nuclear deal it signed with the U.S. and others, Iran mainly limited its cyber efforts to the Middle East, said John Hultquist, director of intelligence analysis for security firm FireEye. In May 2018, President Trump said the U.S. would no longer honor the deal and imposed sanctions on the Iranian regime. “In light of [the Soleimani assassination], resolve to target the U.S. private sector could supplant previous restraint,” Hultquist told SecurityWeek.

DHS said it had seen “no specific, credible threats” to the U.S. since the general’s killing. But the nature of cyber warfare means it could be weeks or months before threats materialize, experts said.

Wiper Attacks

Iran has been linked to several destructive online attacks in recent years, mostly in the Middle East. Its best-known operation was the Shamoon virus, which infiltrated Saudi Arabia’s national oil company Saudi Aramco in 2012 and overwrote the hard drives of more than 35,000 computers. Restoring the affected systems took more than a week.

Such “wiper” attacks could cause major problems for utilities. However, security experts say creating widespread havoc in the North American grid by this method would take considerable effort, which has not been observed so far.

Wiper attacks require “weeks if not months of preparation and intrusion work,” Nathan Brubaker, a senior manager at FireEye, told ERO Insider. “More sophisticated targeted destructive cyberattacks would require the same intrusion activity … as well as extensive preoperational planning and significant amounts of expertise to understand a target’s industrial process and how to interact with it in order to cause a desired outcome.”

DHS’ June 2019 alert said Iranian actors and proxies were using tactics like spear phishing (emails appearing to come from a trusted sender that are intended to trick individuals into revealing confidential information), password spraying (a brute-force attack in which hackers test a small number of commonly used passwords against a large number of accounts, staying below per-account lockout thresholds) and credential stuffing (using stolen credentials from one system to try to get into other systems where the same credentials were reused).

“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” DHS said, urging the use of multifactor authentication.

Facebook, Twitter and Google suspended dozens of accounts in mid-2018 for taking part in Iranian government phishing campaigns.

Pre-2015 Attacks

In addition to the 2012 Saudi Aramco attack, Iran has been blamed for the 2014 assault that took out computers, phones and email at Las Vegas Sands’ headquarters after CEO Sheldon Adelson suggested a nuclear attack on the country.

Iran also was accused of the distributed denial-of-service (DDoS) attacks that hit almost four dozen U.S. financial services firms over about 18 months beginning in late 2011. In 2016, federal officials announced they had indicted seven Iranians with links to the Revolutionary Guard Corps for the attacks, which blocked hundreds of thousands of customers from online access to their bank accounts.

In 2013, an Iranian national allegedly gained access to the supervisory control and data acquisition system for the Bowman Avenue Dam in Rye, N.Y., allowing him to monitor water levels, temperature and the status of the sluice gate. But Brubaker said this event, while significant, should not be exaggerated.


“There is a huge difference between remotely accessing a SCADA system and having enough knowledge about and access to the target’s control systems and processes to cause a specific desired outcome,” such as an explosion, Brubaker said.

For example, an intruder who wishes to cause significant damage to a nuclear facility needs a sophisticated understanding of the physics behind its operation in order to predict the results of any remotely entered command. Moreover, the attacker must be able to circumvent the plant’s independent safety systems that may intervene to return the system to normal. Neither of these is within the realm of capabilities that Iran’s cyber forces have demonstrated to date.

Security firm IronNet issued a briefing this month that identified several hacker groups believed to be associated with Iran.

It included a group known as Tortoiseshell, which in addition to targeting IT service providers in Saudi Arabia, has run a separate campaign targeting U.S. military veterans with a fake website purporting to help them find jobs. “This attack is believed to be a supply chain attack, enacted to enable access to the IT service providers’ customers, but it is unclear which specific customers were targeted,” IronNet said.

The group APT34, also known as the OilRig group, is believed responsible for a July 2019 campaign that used fake LinkedIn profiles purporting to belong to college faculty members. The effort was intended to build trust with targets in order to deliver malware through file attachments.

The same group was believed to have run several Domain Name System (DNS) hijacking campaigns in early 2019, prompting an emergency directive from CISA requiring U.S. government agencies to verify their DNS records and ensure their DNS management accounts were secured.

Last October, Microsoft reported that Iranian hackers were involved in an information operation that attempted to compromise email accounts of U.S. government officials, journalists covering political campaigns and accounts associated with a presidential campaign, later identified by The New York Times as that of Trump.

Security Apparatus Tested

Marc Child, chair of NERC’s Critical Infrastructure Protection Committee and information security program manager for Great River Energy, said the heightened concerns over Iran provided an opportunity to see how security measures play out in real-world scenarios.

“It has been interesting to watch the response from our intelligence-sharing partners. The Electricity Subsector Coordinating Council and the E-ISAC [Electricity Information Sharing and Analysis Center] really stepped up quickly to provide utilities with the information we need,” he told ERO Insider. “It feels like we’ve taken the lessons learned from GridEx and put them to immediate practice.”

