Following the recent U.S. air strike on Iranian IRGC-Quds Force commander Qassem Soleiman and retaliatory missile strikes by the IRGC on two U.S. and coalition air bases in Iraq, there is widespread concern that organizations may face heightened cyber security threats at this time.
Although there is no current information indicating a specific, credible threat to U.S. organizations in the wake of the recent hostilities, there is no doubt that Iran-backed APTs have the intent and capability to conduct operations in the United States. Iran maintains a robust cyber warfare program that can execute attacks capable, at the minimum, of temporary disruptive effects against U.S. businesses and critical U.S. infrastructure.
Previous cyber attacks attributed to Iran range from elderly, commodity malware like DarkComet to highly-evasive and destructive wipers and tools such as Shamoon and the more recent ZeroCleare malware. Here’s a short chronology of attacks seen over the last six to seven years.
Between 2011 and 2013, Distributed Denial of Service attacks were used against websites belonging to 46 U.S. banks, preventing customers from accessing or servicing their accounts online. The fallout from this attack cost these banks millions of dollars. The US Department of Justice indicted seven Iranian nationals in March 2016 for conducting the attacks on behalf of the IRGC.
In late 2013, an individual accessed supervisory control and data acquisition (SCADA) systems at the Bowman Avenue Dam in Westchester County in the fall of 2013, obtaining sensitive information critical to the operation of the dam. The US DoJ indicted an Iranian national for illegally accessing the dam and the data. The attack was believed to be connected to the DDoS attacks conducted against US banks.
In 2014, an attack on the Sands Las Vegas Corporation in 2014 first exfiltrated data, including credit card, drivers license numbers and Social Security numbers before wiping the corporations computer systems. The U.S. Director of National Intelligence attributed to the attack to Iran.
Spanning a three year period from 2013 to 2017, hundreds of U.S. and foreign academic institutions, as well as a large number of private sector companies, were targeted over an extended period in thefts of email credentials and intellectual property. Nine Iranian nationals, believed to be part of an APT known as ‘Cobalt Dickens’ and ‘Secret Librarian, were indicted by the US DoJ in March 2018 for the attacks.
The Deadwood family of wiper malware was used against specific targets in Saudi Arabia during mid-2019. Microsoft analysts attributed the attack to Iran’s highly-active, APT33. In December 2019, the ZeroCleare wiper malware was found to have been used in multiple attacks against targets including Middle Eastern energy companies and firms in the industrial sector. IBM researchers attributed the attack to Iranian group APT34. The same group responsible for attacks on academic institutions in 2017 and earlier is also thought to be active in 2019.
Current SentinelOne Endpoint Protection users are protected against TTPs associated with known Irainian-based threat actors. Full detection and prevention is available in the current agents for known malware and tools associated with the campaigns and groups noted above. Behavioral AI engines provide an additional layer of protection against “fileless”, living-off-the land (LOTL) and other behavior-based events.
In addition, given the current climate, it’s an apt time to fortify defenses, and organizations should consider the following supplementary recommendations:
Disable unnecessary ports and protocols. A review of your network security device logs should help you determine which ports and protocols are exposed but not needed. For those that are, monitor these for suspicious, ‘command & control’-like activity.
Log and limit the use of PowerShell. If a user or account does not need PowerShell, disable it via the Group Policy Editor. For those that do, enable code signing of PowerShell scripts, log all PowerShell commands and turn on ‘Script Block Logging’. Learn more from Microsoft.
Set policies to alert on new hosts joining the network. To reduce the possibility of ‘rogue’ devices on your network, increase visibility and have key security personnel notified when new hosts attempt to join the network.
Backup now, and test your recovery process for business continuity. It is easy to let backup policies slide, or fail to prove that you can restore in practice. Also, ensure you have redundant backups, ideally using a combination of hot, warm and/or cold sites.
Step up monitoring of network and email traffic. The most common vectors for intruders are unprotected devices on your network and targeted phishing emails. Follow best practices for restricting attachments via email and other mechanisms and review network signatures.
Patch externally facing equipment. Attackers actively scan for and will exploit vulnerabilities, particularly those that allow for remote code execution or denial of service attacks.
Cybersecurity plays a mission-critical role in your organization and society-at-large. High profile attacks believed to be orchestrated by Iran have in the past targeted the energy industry, financial services and government facilities. Defense, Communications, Healthcare and Manufacturing have also been targeted by threat actor groups with links to Iran, and this was all before the current increased tensions. Whether we will see a “proxy war” fought out in cyberspace as a result of the current political climate remains to be seen, but it makes good sense for organizations to adopt what preventative measures they can sooner rather than later.
Read the Full Report: Sentinel Labs Iran Cyber-Response Bulletin