Iran's Cyberwar Response To Its General's Killing

Following the US assassination of General Qassem Soleimani on Friday January 2nd by a deadly drone strike, it looks like the United States and Iran are at war. Over the following weekend, the cyber war began with threat actors defacing the website of the US Federal Depository Library Program (FDLP).

This could be only the first Iranian state-sponsored cyberattack in retaliation for the US drone strike that killed the Iranian military commander at Baghdad airport in Iraq. The FDLP website was taken down after the defacement, which according to the DHS involved “pro-Iranian, anti-US messaging.”

The US Department of Homeland Security (DHS) on Saturday the 3rd issued a rare National Terrorism Advisory System (NTAS) alert warning about possible Iranian terror and cyber campaigns in retaliation for the US drone strike that killed Soleimani. He was the commander of the Quds Force, the extraterritorial operations branch of Iran’s Islamic Revolutionary Guard Corps (IRGC).

The Iranian government and various allied organisations have warned that they plan to retaliate against the US over Soleimani’s death. 

The DHS warns that “Iran maintains a robust cyber program and can execute cyber-attacks against the United States,” adding that such an attack “may come with little or no warning.”

The killing of another country’s most important military official is tantamount to a formal declaration of hostilities. While the US and Iran had been exchanging blows indirectly and through proxies in Iraq and Yemen, the Trump administration has brought this long-running shadow conflict with Iran out into the open.

For years, US tensions with Iran have held to a kind of brinksmanship. But the drone assassination of Soleimani, widely understood to be the second most powerful figure in Iran, has dangerously escalated tensions. The world now awaits Iran's response, which seems likely to make new use of a tool that the country has already been deploying for years: its brigades of military hackers. When the Iranian response comes, and it will come, though it may not be immediate, there will be intense pressure on the Trump administration to respond in kind. The scenarios experts are floating are dire, including both direct attacks on the US and strikes on its allies.

In the wake of the strike, military and cybersecurity analysts caution that Iran's response could include, among other possibilities, a wave of disruptive cyberattacks.

The country has spent years building the capability to execute not only the mass destruction of computers but potentially more advanced, albeit far less likely, attacks on Western critical infrastructure like power grids and water systems. Iran has ramped up its cyberwar capabilities ever since a joint US-Israeli intelligence operation deployed malware called Stuxnet in the Natanz uranium enrichment facility in 2007, destroying centrifuges and crippling the country's nuclear efforts.

Iran has since put serious resources into advancing its own hacking, though it deploys them more for espionage and mass disruption than Stuxnet-like surgical strikes.

Expect more network-enabled spying and possibly destructive cyber-attacks in the wake of the killing of one of Iran’s most important military commanders, experts said. “We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere,” said John Hultquist, director of Intelligence Analysis at FireEye, in a recent statement.

Like a lot of smaller state actors, Iran has been growing its cyber capacity over the last several years. Clumsy distributed-denial-of-service attacks and website defacements in 2009 led four years later to the manipulation of search query commands in an attack on the Navy Marine Corps Intranet. In 2013, an Iranian national allegedly breached the control systems of a dam in Rye, New York. Two years after that, Iranian actors used wiper malware to delete files from some 35,000 computers owned by Saudi Aramco, one of the most disruptive attacks to date.

Iranian cyber actions spiked ahead of the 2015 signing of the multinational deal that limited Iran’s nuclear activities. Targets included US financial organisations and even a casino in Las Vegas whose networks were wiped clean, doing $40m in damage.

Iranian cyber activity dropped off somewhat after the signing of the nuclear deal. But in 2017, a threat group that FireEye dubbed APT33 attacked aerospace and petrochemical targets across the United States, Saudi Arabia, and South Korea. The group created domain names to send convincing emails pretending to be from Boeing, Northrop Grumman, and various joint ventures.

The methods, targeted spear-phishing and domain-name squatting, suggest that the intent was industrial espionage, not destruction. And in December 2018, a series of dramatic wiper attacks targeted Italian, Saudi and UAE oil interests in the Middle East, attacks that experts attributed to Iran.

What’s Next
The past year brought various warnings of a new spike in malign network activity. A January 2019 report indicated that Iran had been attacking domain name service providers, aiming to set up fake domain names that could facilitate a new wave of spear-phishing operations.
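The squatted and fake domains described in the APT33 paragraph above and in the January 2019 report are something a mail gateway can screen for. The following is an added example, not code from the article or from any of the reports it cites: a small Python detector that flags inbound sender domains impersonating a protected brand, either by a single edit or homoglyph substitution in the second-level label, or by embedding the brand name inside an unrelated registrable domain or subdomain. The protected-brand list, the homoglyph table, the sample addresses, the one-edit threshold and the two-label "registrable domain" heuristic are all assumptions constructed for this illustration.

```python
"""Flag e-mail sender domains that impersonate a protected brand.

Added example (not from the article or any cited report). Everything
below, the brand list, the homoglyph table and the sample senders,
is constructed for illustration.
"""
import re

# Constructed: the registrable domains a mail gateway wants to protect.
PROTECTED_DOMAINS = ["boeing.com", "northropgrumman.com"]

# Constructed: visually confusable substitutions often seen in squatted
# names; multi-character entries are folded first.
HOMOGLYPH_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s")]

# Assumption: a second-level label within one edit of a brand is a lookalike.
MAX_EDIT_DISTANCE = 1


def fold_homoglyphs(label):
    """Map confusable characters onto the letters they imitate."""
    for src, dst in HOMOGLYPH_FOLDS:
        label = label.replace(src, dst)
    return label


def osa_distance(a, b):
    """Optimal string alignment (restricted Damerau-Levenshtein) distance,
    so a single transposition such as 'beoing' vs 'boeing' costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def registrable_domain(host):
    """Assumption: no public-suffix list; the last two labels are treated as
    the registrable domain (wrong for co.uk-style suffixes, adequate here)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_sender(address, protected=PROTECTED_DOMAINS):
    """Return a dict whose verdict is 'legitimate', 'lookalike' or 'clean'."""
    if "@" not in address:
        raise ValueError("not an e-mail address: %r" % address)
    host = address.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if reg in protected:
        # Right domain. Whether the header is forged is a job for SPF/DKIM/DMARC.
        return {"address": address, "verdict": "legitimate", "reason": "protected domain"}
    squashed = re.sub(r"[^a-z0-9]", "", host)  # "boeing-careers.com" -> "boeingcareerscom"
    sld = fold_homoglyphs(reg.split(".")[0])
    for p in protected:
        brand = p.split(".")[0]
        # Brand embedded in some other registration or used as a subdomain label.
        # Very short brand names would need a stricter check than substring.
        if brand in squashed:
            return {"address": address, "verdict": "lookalike",
                    "reason": "hostname contains %r outside %s" % (brand, p)}
        if osa_distance(sld, brand) <= MAX_EDIT_DISTANCE:
            return {"address": address, "verdict": "lookalike",
                    "reason": "%r is within %d edit(s) of %r" % (reg, MAX_EDIT_DISTANCE, brand)}
    return {"address": address, "verdict": "clean", "reason": ""}


def scan(addresses):
    """Return only the senders that deserve a second look."""
    return [r for r in (classify_sender(a) for a in addresses) if r["verdict"] == "lookalike"]


# Constructed sample of sender addresses, as a gateway might extract them.
SAMPLE_SENDERS = [
    "hr@boeing.com",                   # genuine domain
    "careers@boe1ng.com",              # digit-for-letter homoglyph
    "news@beoing.com",                 # transposition
    "jobs@boeing-careers.com",         # brand embedded in a fresh registration
    "offers@northrop-grumman.net",     # hyphen inserted, different TLD
    "x@boeing.com.mail-gateway.test",  # brand as a subdomain of another domain
    "alice@example.org",               # unrelated
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_SENDERS):
        print("%-34s %s" % (hit["address"], hit["reason"]))
```

Run stand-alone it lists the five constructed lookalikes and stays silent on the genuine and unrelated senders. The "legitimate" verdict only means the registrable domain is the real one; a forged From: header on the real domain has to be caught by SPF, DKIM and DMARC, which this check deliberately does not duplicate.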

The following month, Crowdstrike’s 2019 Global Threat Report noted that despite “some short-term gaps in attributable incidents this year, Iran-based malicious cyber activity appeared to be fairly constant in 2018, particularly involving incidents targeting other countries in the [Middle East and North Africa] region… Additionally, it is suspected that Iranian adversaries are developing new mobile malware capabilities to target dissidents and minority ethnic groups.”

In June, Christopher Krebs, the director of the US Cybersecurity and Infrastructure Security Agency, or CISA, at the Department of Homeland Security, said “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies… We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.”

Sources: DefenseOne, Wired, Vox, Oodaloop, ZDNet. Image: akkasemosalman.ir
