Will the next major cyber-attack come from Iran?

The threat of military conflict escalating between the US and Iran appears to be fading. However, many experts believe hostilities are just beginning, and that cyberspace will be the new battlefield.

US-Iran relations have grown worse in recent years, but the killing of Iran’s top general, Qasem Soleimani, in a targeted US drone strike on January 3rd brought tensions to an all-time high under the Trump administration. The strike led to retaliatory missile attacks over the following days, with several service personnel injured when two military bases in Iraq hosting American and coalition troops were hit.

Afterwards, Iranian Foreign Minister Javad Zarif announced in a January 8th tweet that the response “concluded proportionate measures in self-defense”. President Trump also indicated that the US would be standing down from further military action. Physical warfare appears to be over, for now, but security analysts have warned that Iran may still launch sophisticated cyber-attacks against key US organizations. Banks, utilities, transport networks, internet infrastructure and government databases are all potential targets.

Indeed, a series of ‘nuisance’ attacks has already begun, resulting in US regional websites being defaced with images honoring General Soleimani, according to the New York Times. Furthermore, a group of hackers claiming to be associated with Iran replaced the Federal Depository Library Program’s home page with a falsified image of President Trump being punched.

But will these mischievous attacks snowball into something more damaging? What would this mean for US organizations? And what preventative measures can businesses take?

Iran’s growing cyber capabilities

The US Government clearly isn’t taking the Iran cyber threat lightly.

“Iran has the capability and the tendency to launch destructive attacks,” said Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), which is the Department of Homeland Security’s computer security arm.

Talking to the New York Times, he added: “This is a capable actor that has demonstrated prior capability in the region. They’re known to be pretty aggressive.”

The US has recently been cracking down on cyber-attacks against its systems. For example, Symantec figures show 49 individuals or organizations were indicted for state-sponsored cyber espionage in 2018. This was up from just four in 2016 and five in 2017. While the majority of those indicted were Chinese (19) and Russian (18) nationals, there were 11 Iranians.

Even before the recent escalation in aggression between the US and Iran, CISA had issued a warning about a notable rise in malicious cyber activity directed at US industries and government agencies.

In June, Mr Krebs stated: “Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money.

“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”

Iran has been steadily building its cyber capabilities since a devastating malicious computer worm, named Stuxnet, wreaked havoc on the country’s nuclear program. The worm, first uncovered in 2010, set Iran’s uranium enrichment initiative back several years and caused physical damage to the infected computers.

However, it also encouraged Iran to invest heavily in both its defensive and its offensive cyber capabilities. Since then, the country has been much more active on the cyber scene.

A brief history of Iran cyber-attacks

The Stuxnet worm was rumored to be a US-Israeli collaboration, although both countries denied involvement. In 2012 and 2013, a Middle Eastern collective known as the Izz ad-Din al-Qassam Cyber Fighters claimed to be responsible for a series of Distributed Denial of Service (DDoS) attacks against major US financial organizations. Targets included the New York Stock Exchange and JP Morgan Chase.

Operation Ababil, as it was known, is thought to have been an Iran-sanctioned response to Stuxnet. The country has also been linked to the 2012 Shamoon attack on oil giant Saudi Aramco – which occurred after the US tightened oil sanctions against Iran – and a strike against the Las Vegas Sands Corporation two years later. The Sands incident was almost certainly a response to the company’s owner, Republican political donor Sheldon Adelson, endorsing the prospect of pre-emptive nuclear attacks on Iran.

But how likely is a large-scale attack on US organizations following the death of General Soleimani? Some argue that Iran faces a similar problem with cyber-attacks as it does with military strikes: the US has far greater capabilities at its disposal. If suitably provoked, the US could use its offensive cyber weapons to bring much of Iran’s infrastructure to a grinding halt. Nevertheless, Trustwave SpiderLabs’ Brian Hussey told Forbes that businesses should be prepared for the worst.

“The threat of a nation-state cyber-attack on high profile corporations, government arms and SCADA systems is very real,” he explained. “It is possible that Iran already has SCADA attack capabilities in place, hidden deep within US SCADA environments, waiting for the right time to attack.”

How can organizations protect themselves?

Iran’s alleged involvement in hacking the Las Vegas Sands Corporation suggests the country will launch cyber-attacks against private organizations if suitably incensed politically.

The news will no doubt worry businesses that are aware of the damage caused to Yahoo!, the Marriott hotel chain and Equifax when their systems were hacked, exposing the personal information of billions of consumers.

For now, CISA is offering some crucial recommendations:

  • Disable all unnecessary ports and protocols;
  • Enhance monitoring of network and email activity;
  • Patch external-facing equipment;
  • Log and limit the use of PowerShell; and
  • Ensure back-ups are up to date. 
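The fourth recommendation, logging and limiting PowerShell, is the one most organizations can act on in an afternoon. The script below is an added example, not part of the article or of CISA’s guidance: it sets the same registry values that the Group Policy settings for Script Block Logging, Module Logging and Transcription write, disables the legacy PowerShell 2.0 engine (which predates these logging features), reads the settings back, and pulls recent script block events for review. It assumes an elevated session on a supported Windows build; the transcript directory path is a placeholder and should point at a central, append-only location in practice.

```powershell
# Added example (not from the original article or CISA): enable PowerShell logging
# through the policy registry keys, limit the legacy engine, then verify.
# Run from an elevated PowerShell session.

$base          = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$transcriptDir = 'C:\PSTranscripts'   # assumed path; use a central, append-only share in production

function Set-PolicyValue {
    # Create the policy key if needed and write one value under it.
    param([string]$Key, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Script Block Logging: the content of every executed script block is written
#    to Microsoft-Windows-PowerShell/Operational as Event ID 4104.
Set-PolicyValue "$base\ScriptBlockLogging" 'EnableScriptBlockLogging' 1

# 2. Module Logging for all modules: pipeline execution details as Event ID 4103.
Set-PolicyValue "$base\ModuleLogging" 'EnableModuleLogging' 1
Set-PolicyValue "$base\ModuleLogging\ModuleNames" '*' '*' 'String'

# 3. Transcription: full session transcripts with invocation headers.
Set-PolicyValue "$base\Transcription" 'EnableTranscripting' 1
Set-PolicyValue "$base\Transcription" 'EnableInvocationHeader' 1
Set-PolicyValue "$base\Transcription" 'OutputDirectory' $transcriptDir 'String'
if (-not (Test-Path $transcriptDir)) { New-Item -ItemType Directory -Path $transcriptDir | Out-Null }

# 4. Limit: the PowerShell 2.0 engine has none of the logging above, so remove it.
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# Verification: read the policy values back.
Get-ItemProperty "$base\ScriptBlockLogging", "$base\ModuleLogging", "$base\Transcription" |
    Select-Object PSChildName, EnableScriptBlockLogging, EnableModuleLogging, EnableTranscripting, OutputDirectory

Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root |
    Select-Object FeatureName, State

# Review: recent script block events, filtered for a few strings that commonly
# appear in obfuscated or download-and-execute script blocks. Treat hits as
# leads for investigation, not as verdicts.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'FromBase64String|-EncodedCommand|DownloadString' } |
    Select-Object TimeCreated,
        @{ n = 'Snippet'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

In a domain these settings belong in Group Policy rather than in a script, so they are enforced and re-applied; the registry writes above are the same values the policy sets and are useful for a standalone host or a lab. Forward the Operational log to a central collector, because a local log is the first thing a capable intruder clears.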

A key difference between a typical cyber-attack and one that Iran may launch is that conventional hackers are often looking to extort money or steal data. Iran is more likely to focus on causing chaos, with industrial control systems a particular risk.

Joe Krull, Senior Analyst at Aite Group, said US banks could be a major target.

“What greater revenge from a symbolic point of view but to go after American money?” he explained.

“They can claim victory, but it doesn’t necessarily warrant a military response, so they can do it and get away with it, as opposed to blowing up an American embassy.”

He advised organizations to warn employees about the risks of phishing emails, as well as update their response and recovery protocols.

Improving your cyber defenses in 2020

A nation-state attack is likely to be highly sophisticated, meaning conventional security measures are often inadequate.

To be fully prepared for a cyber incident, organizations may need to upgrade their technology and systems, overhaul their processes, and consider ramping up cyber security risk recruitment in New York and other key target locations.

“In times like these, it’s important to make sure you’ve shored up your basic defenses … and if you suspect an incident – take it seriously and act quickly,” says Mr Krebs.

Here at Barclay Simpson, we couldn’t agree more.

If you would like to discuss your cyber security recruitment needs in New York and beyond, please get in touch on +1 646 578 8940 or contact me via email at nfm@barclaysimpson.com.

Image credit: Chickenonline via Pixabay