The cybersecurity community from energy to healthcare should prepare for a virtual strike from Iran by taking several technical actions “that will likely have the highest return on investment,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said in a Monday alert.
Iran’s supreme leader, Ayatollah Ali Khamenei, reportedly wants an attack to avenge the targeted killing of IRGC Quds Force commander Qassem Soleimani to be carried out directly by Iran instead of proxies, to be openly claimed and to be aimed at U.S. interests, according to a New York Times report.
That could include cyber attacks in addition to or instead of physical attacks. The CISA notice cites “Iran’s historic use of cyber offensive activities to retaliate against perceived harm,” and urges entities to adopt a state of heightened awareness, increase organizational vigilance, confirm reporting processes and exercise organizational incident response plans.
“Iranian cyber threat actors have continuously improved their offensive cyber capabilities,” said CISA. “They continue to engage in more ‘conventional’ activities ranging from website defacement, distributed denial of service (DDoS) attacks, and theft of personally identifiable information (PII), but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks.”
A cyber attack could have special symbolism for avenging an IRGC leader’s death, as “the U.S. intelligence community and various private sector threat intelligence organizations have identified the Islamic Revolutionary Guard Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks – either through contractors in the Iranian private sector or by the IRGC itself.”
In the past, various industries have been targeted by Iranian cyber operations “including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base.” CISA noted the 2011-13 DDoS attacks targeting the financial sector, the 2013 access attack on the Bowman Dam in Rye, N.Y., the hacking of Sands Las Vegas in February 2014, and the 2013-17 cyber theft campaign that hit 144 U.S. universities, 47 domestic and foreign private-sector companies, and multiple government agencies.
CISA recommended that entities focus on vulnerability mitigation and incident preparation to improve cyber posture. Steps include disabling all unnecessary ports and protocols, enhancing monitoring of network and email traffic, patching externally facing equipment, limiting usage of PowerShell, and ensuring backups are up to date.
The guidance also breaks down mitigations and detection recommendations for publicly known Iranian advanced persistent threat techniques: credential dumping, obfuscated files or information, data compressed, PowerShell, user execution, scripting, registry run keys/startup folder, remote file copy, spearphishing link, and spearphishing attachment.
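Three of the techniques listed above (PowerShell, obfuscated files or information, and registry run keys) leave traces in ordinary Windows logging, and the "enhanced monitoring" CISA recommends can start with a simple triage rule over those events. The script below is an added illustration written for this article, not code from CISA or the alert: it assumes a constructed, flattened log format (timestamp, host, event ID, user, detail) built from Windows event IDs 4688 (process creation), 4104 (PowerShell script block logging) and 4657 (registry value modified), decodes any `-EncodedCommand` payload so an analyst can read it, and flags hidden-window or no-profile PowerShell launches and writes under `CurrentVersion\Run`. The sample log lines are constructed for the example and are not real telemetry.

```python
import base64
import re

# Constructed for this example: the UTF-16LE base64 form PowerShell expects after -EncodedCommand.
ENCODED_SAMPLE = base64.b64encode("Write-Host hidden".encode("utf-16le")).decode("ascii")

# Constructed sample log lines (assumed format: timestamp host event_id user detail). Not real telemetry.
SAMPLE_LOGS = [
    "2020-01-06T10:01:12Z ws01 4104 alice ScriptBlock: Get-ChildItem C:\\Users\\alice",
    "2020-01-06T10:02:45Z ws01 4688 bob CommandLine: powershell.exe -NoP -W Hidden -EncodedCommand " + ENCODED_SAMPLE,
    "2020-01-06T10:03:10Z ws02 4657 svc_backup RegistryValueSet: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater = C:\\ProgramData\\u.exe",
    "2020-01-06T10:04:00Z ws02 4688 carol CommandLine: notepad.exe report.txt",
    "2020-01-06T10:05:30Z ws03 4688 dave CommandLine: powershell.exe -File C:\\scripts\\backup.ps1",
]

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"-(?:enc|encodedcommand|ec|e)\b\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Switches that are rarely used by administrators typing interactively but common in obfuscated launches.
SUSPICIOUS_SWITCHES = re.compile(
    r"-(?:nop|noprofile|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)",
    re.IGNORECASE,
)
# Autostart locations CISA lists under "registry run keys/startup folder".
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.IGNORECASE)


def decode_encoded_command(b64_text):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if it does not decode."""
    try:
        return base64.b64decode(b64_text, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_line(line):
    """Return a list of (finding, detail) tuples for one log line; empty list means nothing flagged."""
    findings = []
    match = ENCODED_FLAG.search(line)
    if match:
        # Decoding the payload lets the analyst read what would have run, instead of a base64 wall.
        findings.append(("encoded_powershell", decode_encoded_command(match.group(1))))
    if SUSPICIOUS_SWITCHES.search(line):
        findings.append(("hidden_or_nonstandard_powershell", None))
    if RUN_KEY.search(line):
        findings.append(("registry_run_key_persistence", None))
    return findings


def scan(lines):
    """Run analyze_line over every log line and keep only the lines that produced findings."""
    alerts = []
    for line in lines:
        findings = analyze_line(line)
        if findings:
            alerts.append({"line": line, "findings": findings})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert["line"])
        for name, detail in alert["findings"]:
            print("   ", name, "->", detail if detail is not None else "")
```

Two of the five constructed lines are flagged: the encoded, hidden-window PowerShell launch (with its decoded content shown) and the write to the `Run` key; the interactive cmdlet, the `-File` invocation of a scheduled script, and the notepad launch pass through untouched. In a real deployment the `-File` case is where allow-listing of approved script paths belongs, which is how "limiting usage of PowerShell" is usually made operational without breaking administration.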
Even with security enhancements, users should be “trained to identify social engineering techniques and spearphishing emails” with malicious links and attachments.
CISA encourages reporting any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams, at http://www.us-cert.gov/.