Cyber security teams – particularly those with responsibility for government agencies and critical national infrastructure – should be on high alert because of the increased possibility of retaliatory cyber attacks by Iranian advanced persistent threat (APT) actors following the assassination of Qassim Soleimani in Iraq.
Soleimani, commander of Iran's Quds Force, an extraterritorial military and clandestine operations unit, was accused of masterminding terrorist attacks on US interests. He was killed by a drone strike in an extra-judicial execution conducted on the orders of US president Donald Trump on 3 January 2020.
His murder has provoked an angry reaction in the Middle East and escalated tensions in the region, with mourners filling the streets of Baghdad and Tehran at the weekend as the Iranian leadership threatened revenge, while Trump continued to lash out on Twitter.
Vectra’s head of security analytics, Chris Morales, pointed out that the US and its allies have been engaged in a cyber war with Iran for more than a decade – the most notable “skirmish” probably being the Stuxnet attack on Iran’s nuclear capabilities 11 years ago.
Morales said that while Iran was not as sophisticated in its cyber capabilities as other state actors – largely because it mostly uses black-market malware as opposed to the purpose-built strains used by the US – any retaliation by Iran was more likely to be measured against the threat Tehran knows it faces from a US-led offensive.
“The US is well aware of Iran’s cyber capabilities and I believe (hope) a cyber strike would have been taken in consideration with the latest attack,” he said.
“In the past, Iran has primarily focused on cyber espionage theft of intellectual property against private companies. In doing so, Iranian hackers have learned how to invade private companies using available remote connection technology. I would see most of the risk here where Iran could couple destructive wiper technology similar to ransomware but with no method of recovering data.”
FireEye intelligence director John Hultquist agreed that wiper malware was likely to be a component of any cyber retaliation. “Iran has leveraged wiper malware in destructive attacks on several occasions in recent years,” he said. “Although, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations.
“We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.”
While Iranian APT groups have exercised a certain amount of restraint in the years since US president Obama signed the Joint Comprehensive Plan of Action with Tehran in 2015, Trump’s abrogation of the agreement, coupled with Soleimani’s killing, means that resolve to attack targets in the US is likely to supplant this restraint.
As a result, Hultquist predicted an uptick in activity that will primarily focus on government systems, but that disruptive, or even destructive cyber attacks on the private sector were also likely – Iran is known to have attacked financial institutions and probed the defences of critical infrastructure.
Rosa Smothers, senior vice-president of cyber operations at KnowBe4, a supplier of security awareness and training services, said it was important for security teams working on supervisory control and data acquisition (Scada) and industrial control systems (ICS) verticals to be more proactive in safeguarding against APTs, but said she hoped they were already doing so.
“If we’re doing our jobs right, then admins aren’t in a state of emergency right now over the potential of Iranian implants lying dormant on our networks,” said Smothers. “It’s also important to keep in mind US CERT [Computer Emergency Readiness Team]’s ongoing bulletins regarding Iranian cyber security threats, which consistently warn industry as to their go-to access methods – phishing attacks and password spraying.
“Critical infrastructure must remain vigilant and utilise security solutions, such as air-gapping, deploying endpoint protections and training employees to spot and report social engineering and potential insider threats.”
Organisations should also be vigilant around remote access to their networks by making sure all supply chain access is monitored and authorised, and by alerting their “human firewalls” with extra training and education, said Smothers.
Hultquist’s colleague, Lee Foster, senior manager of information operations analysis at FireEye Intelligence, said Tehran was also likely to deploy online disinformation tactics to support its geopolitical objectives.
These could include: fake news sites designed to amplify pro-Iranian voices and further discredit the US; impersonating influential individuals on social media, such as presidential candidates; fabricating journalist personas; and creating networks of inauthentic social media troll accounts.
Foster said he had already noted Iranian disinformation efforts ramping up since the death of Soleimani and said the US should expect more of the same in the coming weeks.
“In a manner similar to Russia, Iran has… aggressively sought to use these tactics to directly influence the domestic politics of individual countries, including the US, and to take advantage of, and amplify, existing divisions between communities for its own ends,” he said.