Following the recent U.S. operation in Iraq which resulted in the killing of Iranian General Qassem Soleimani, Iran warned that it will retaliate. Although the international community and both involved countries have taken steps to de-escalate the crisis, it is always prudent to stay alert and continually update your cybersecurity programs regardless of whether the opponent is a state actor or just a common cybercriminal. That is the key message of two security bulletins issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the DHS National Terrorism Advisory System. More specifically, CISA recommends that organizations adopt a state of heightened awareness, increase organizational vigilance, confirm reporting processes, and exercise organizational incident response plans. At the same time, DHS recommends that organizations be prepared for cyber disruptions, suspicious emails, and network delays and that they implement basic cyber hygiene practices. It remains to be seen whether Iran will indeed use cyber-attacks to retaliate against the United States.
Background Information on Iranian Cyber Activity

DHS notes that “at this time we have no information indicating a specific, credible threat to the Homeland.” However, “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” states the DHS security bulletin. Further, CISA states that Iran continues “to engage in more ‘conventional’ activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.” Offensive cyber operations targeting a variety of industries and organizations, including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base, have been attributed or allegedly attributed to the Iranian government, says the CISA alert bulletin. As outlined in the bulletin, the most notable high-profile attacks attributed to Iran are the following:
- Late 2011 to mid-2013: DDoS attacks against 46 victims, primarily in the U.S. financial sector, which prevented customers from accessing their accounts and cost the banks millions of dollars in remediation.
- August/September 2013: Security breach at a critical infrastructure facility. An Iranian was accused of illegally accessing the Supervisory Control and Data Acquisition (SCADA) systems of the Bowman Dam located in Rye, New York, and obtaining information regarding the status and operation of the dam.
- February 2014: Breach of Sands Las Vegas Corporation in Las Vegas where customer data including credit card details, Social Security Numbers, and driver’s license numbers were stolen and, according to a Bloomberg report, some computers were wiped.
- 2013 to 2017: Nine Iranian nationals allegedly stole more than 31 terabytes of documents and data from “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”
How to Mitigate Threats

That uncertainty doesn’t mean organizations can’t take steps to strengthen their digital security in general. Regardless of whether the threat is coming from Iran or any other state actor or from your next-door criminal, it is always advisable to be prepared and to be vigilant. The headlines are awash with news of security breaches and incidents involving all kinds of organizations, from critical infrastructure to schools, hospitals, and bicycle manufacturers. Being negligent and ignorant is not a wise thing to do. To be in line with the CISA and DHS general recommendations, organizations should discuss and set aside budget for employee training, awareness, and incident response planning. Apart from cultivating a security culture within your organization, it is important to take advantage of the available threat intelligence and prepare yourself accordingly. CISA has provided recommendations that span from basic hygiene practices to mitigation and detection of known Iran-attributed APT techniques. Your basic cyber hygiene practices should include the following:
- Disable all unnecessary ports and protocols.
- Enhance monitoring of network and email traffic.
- Patch externally facing equipment.
- Log and limit usage of PowerShell.
- Ensure backups are up to date and stored in an easily retrievable location.
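The "log and limit usage of PowerShell" and "enhance monitoring" items above are easy to state and easy to leave half-done. The following script is an added example, not part of the CISA or DHS bulletins: it turns on PowerShell script block logging, module logging and transcription through the same policy registry keys that Group Policy writes, then pulls recent script block events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) and flags the ones containing patterns a defender would want to review. The transcript directory `C:\PSTranscripts` and the review window of 200 events are assumptions; the key paths and event ID are the standard ones documented by Microsoft. Run it in an elevated session on a test host first.

```powershell
# Added example: enable PowerShell logging via policy registry keys and review recent
# script block events. Not taken from the CISA/DHS bulletins.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script block logging: records the content of every script block that runs,
#    including de-obfuscated code, as Event ID 4104.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 2. Module logging for all modules: records pipeline execution details as Event ID 4103.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

# 3. Transcription: full session transcripts written to a directory.
#    C:\PSTranscripts is an assumed path; use a location ordinary users cannot modify,
#    ideally a write-only share collected centrally.
New-Item -Path "$base\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$base\Transcription" -Name 'EnableTranscripting' -Value 1 -Type DWord
Set-ItemProperty -Path "$base\Transcription" -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type String

# 4. Review: pull the most recent 4104 events (200 is an assumed window) and flag
#    script blocks that contain patterns worth a second look. These are review
#    triggers, not proof of compromise; tune them against your own baseline.
$reviewPatterns = @(
    '-EncodedCommand|-enc\b',          # base64-wrapped command lines
    'DownloadString|DownloadFile',     # content fetched from the network at run time
    'Invoke-Expression|\biex\b',       # dynamic evaluation of strings
    'FromBase64String'                 # inline decoding of hidden payloads
)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 200 -ErrorAction SilentlyContinue

$flagged = foreach ($e in $events) {
    # For 4104 events, Properties[2] is the ScriptBlockText field.
    $text = $e.Properties[2].Value
    foreach ($p in $reviewPatterns) {
        if ($text -match $p) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Pattern = $p
                Snippet = ($text -replace '\s+', ' ').Substring(0, [Math]::Min(120, $text.Length))
            }
            break
        }
    }
}

if ($flagged) {
    $flagged | Sort-Object Time -Descending | Format-Table -AutoSize
} else {
    Write-Output "No recent script block events matched the review patterns."
}
```

The registry settings take effect for new PowerShell sessions, so existing consoles will not be logged until they restart. Because 4104 events are local, the logging only helps if the Operational log is forwarded to a central collector (Windows Event Forwarding or your SIEM agent) and retained long enough to support an investigation; the review loop above is a spot check, not a substitute for that pipeline.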