Possible Iranian Cyber Threats and Events
Advanced Persistent Threats (APT) is a general term to describe government-sponsored hackers or hacking groups. Iran maintains a robust hacking group which has been responsible for many significant hacking events around the world. The APT associated with Iran has names such as APT33, APT34, OilRig, and Helix Kitten. Last year the targets of several Iranian APT hacks were disclosed in an anonymous post which identified airports, airlines, courts, government offices, and other sites and businesses.
In particular, the hacking events have escalated since the US strike against Iranian Major General Qasem Soleimani. The increased attacks have included:
- Websites of several government entities were targeted;
- Misinformation has been posted and spread through social media;
- A number of threat-sharing groups have issued alerts for Iranian hackers; and
- S. lawmakers were briefed on the possibility of an Iran cyber-attack.
Iranian hackers over the years have targeted various utilities, factories, and oil and gas facilities in the US. They have been studying the playbooks of other significant APT groups including those sponsored by Russia and China.
Given the latest spate of ransomware attacks on local and county governments, schools, and private entities, we can deduce how vulnerable such organizations are to a cyber-attack. The Iranian APT may very well target such organizations using a wide array of techniques from the most common techniques, such as phishing or spear phishing or a DDOS attack, up to sophisticated hacking using zero-day exploits or cross-site scripting.
These APT attacks by can be even more devastating than ransomware because the attackers are not driven monetary motivation like ransomware hackers. Iranian hackers in the past have attacked companies and destroyed the data on the hard drives without warning. The destruction of the data in such a manner leaves no possibility of recovery without timely backups. In an attack on the Sands Casino in 2014, attributed to Iranian hackers, the hack resulted in the wiping of computer hard drives which resulted in the loss of data and servers which cost the casino approximately $40 million USD.
In addition to the fears of retaliation in the government, utility/energy, and business sectors, the US is on the verge of a national election. Given the hacks on the Democratic National Convention’s (“DNC”) servers, social media manipulation, and other attempts to influence the 2016 U.S. Presidential Election, there is no doubt there will be further attempts in 2020, but, the attempts will most likely be from more than just Russia; this time there will be attempts by Iran as well.
The following is a list of steps companies can take to protect themselves given the current state of events:
- Educate your users.
- The more sets of eyes watching for anomalies in your system, the better. Normal users may experience slow network connections, system messages for resources which they have not accessed, and trouble logging into the system – any and all of which may be signs of hacking or attempted hacking. Ensure all users are aware of their role in the organization’s cyber security program and how and whom to contact within the organization to report suspicious activity.
- Update your firewall script.
- Consider blocking IP addresses from Iran, the Middle East, Russia, or other known APTs if you do not have a need to have IP addresses from outside the US logging into your system. While it is common for APT hackers to use IP local or regionalized IP addresses, the hack on the government sites since Soleimani’s death have indicated a number of low-level, less sophisticated hacks originating from the Middle East. Preventing the easy hacks will allow a more concentrated rapid response to higher-level, complicated hacks.
- Ensure your backups are working as planned.
- If the attack on the Sands Casino is any indication, the information will not be locked by ransomware, it will be destroyed and unrecoverable. Make regular backups and test the restoration process.
- Monitor all key sites.
- Companies should maintain an active disaster recovery plan: as part of that plan, key assets and sites should be identified. Those key assets and sites should be regularly monitored for anomalies. The MITRE Corporation maintains a list of hacking techniques and tools used by each APT group; a quick review of the list may suggest additional logging indicators for end-point security.
- Ensure passwords for administrative access are complex, not reused, and not defaults.
- Using Google, one can quickly find repositories of usernames and passwords. These repositories are used to test for vulnerabilities to credential stuffing attacks which is where a hacker will attempt a series of usernames and passwords until they find one that works. Test your passwords against repositories such asaveibeenpwned.com or others to ensure your password is not part of the common lists.
Bleeping Computer, https://www.bleepingcomputer.com/news/security/hacker-group-exposes-iranian-apt-operations-and-members/
New York Times, https://www.nytimes.com/2020/01/06/us/iran-hack-federal-depository-library.html
New York Times, https://www.nytimes.com/2020/01/08/us/politics/iran-attack-cyber.html