Iran's Cyberwar Response To Its General's Killing

Following the US assassination of General Qassem Soleimani (pictured) on Friday January 2nd by a deadly drone strike, it looks like the United States and Iran are at war. Over the following weekend, the cyber war began with threat actors defaced the website of the US Federal Depository Library Program (FDLP).  

This could be only  the first Iranian state-sponsored cyberattack in retaliation for the US drone strike that killed the  Iranian military commander at Baghdad airport in Iraq. The FDLP website was taken down after the defacement, which according to the DHS involved “pro-Iranian, anti-US messaging.” 

The US Department of Home Security (DHS) on Saturday 3rd issued a rare National Terrorism Advisory System (NTAS) alert warning about possible Iranian terror and cyber campaigns in retaliation for the US drone strike that killed Soleimani. He was the commander of the Quds Force, the extraterritorial operations branch of Iran’s Islamic Revolutionary Guard Corps (IRGC).

The Iranian government and various allied organisations have warned that they plan to retaliate against the US over Soleimani’s death. 

The DHS warns that “Iran maintains a robust cyber program and can execute cyber-attacks against the United States,” adding that such an attack “may come with little or no warning.”

The killing of another country’s most important military official is tantamount to a formal declaration of hostilities. While the US and Iran had been exchanging blows indirectly and through proxies in Iraq and Yemen, the Trump administration has brought this long-running shadow conflict with Iran out into the open.

For years, US tensions with Iran have held to a kind of brinksmanship. But the drone assassination of Soleimani, widely understood to be the second most powerful figure in Iran, has dangerously escalated tensions. The world now awaits Iran's response, which seems likely to make new use of a tool that the country has already been deploying for years: its brigades of military hackers. When the Iranian response comes, and it will come, though it may not be immediate, there will be intense pressure on the Trump administration to respond in kind. The scenarios experts are floating are dire, including both direct attacks on the US and strikes on its allies.

In the wake of strike, military and cybersecurity analysts caution Iran's response could include, among other possibilities, a wave of disruptive cyberattacks. 

The country has spent years building the capability to execute not only the mass-destruction of computers but potentially more advanced, albeit far less likely, attacks on Western critical infrastructure like power grids and water systems.Iran has ramped up its cyberwar capabilities ever since a joint US-Israeli intelligence operation deployed malware called Stuxnet in the Natanz uranium enrichment facility in 2007, destroying centrifuges and crippling the country's nuclear efforts. 

Iran has since put serious resources into advancing its own hacking, though it deploys them more for espionage and mass disruption than Stuxnet-like surgical strikes.

Expect more network-enabled spying and possibly destructive cyber-attacks in the wake of the killing of one of Iran’s most important military commanders, experts said. “We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. 
“We also anticipate disruptive and destructive cyberattacks against the private sphere,” said John Hultquist, director of Intelligence Analysis at FireEye, in a recent statement.

Like a lot of smaller state actors, Iran has been growing its cyber capacity over the last several years. Clumsy distributed-denial-of-service attacks and website defacements in 2009 led four years later to the manipulation of search query commands in an attack on the Navy Marine Corps Intranet. In 2013, an Iranian national allegedly breached the control systems of a dam in Rye, New York. Two years after that, Iran actors used Wiper malware to delete files from some 35,000 computers owned by Saudi Aramco, one of the most disruptive attacks to date.  

Iranian cyber actions spiked ahead of the 2015 signing of the multinational deal that limited Iran’s nuclear activities. Targets included US financial organisations and even the a casino in Las Vegas who’s networks were wiped clean, doing $40m in damage.

Iranian cyber activity dropped off somewhat after the signing of the nuclear deal. But in 2017, a threat group that FireEye dubbed APT33 attacked aerospace and petrochemical targets across the United States, Saudi Arabia, and South Korea. 
The group created domain names to send convincing emails pretending to be from Boeing, Northrop Grumman, and various joint ventures. 

The methods, targeted spear-phishing and domain-name squatting, suggest that the intent was industrial espionage, not destruction. And in December 2018, a series of dramatic wiper attacks targeted Italian, Saudi and UAE oil interests in the Middle East, attacks that experts to Iran.

What’s Next
The past year brought various warnings of a new spike in malign network activity. A January 2019 Report  indicated that Iran had been attacking domain name service providers, aiming to set up fake domain names that could facilitate a new wave of spearphishing operations. 

The following month, Crowdstrike’s 2019 Global Threat Report noted that despite “some short-term gaps in attributable incidents this year, Iran based malicious cyber activity appeared to be fairly constant in 2018, particularly involving incidents targeting other countries in the [Middle East and North Africa] region… “Additionally, it is suspected that Iranian adversaries are developing new mobile malware capabilities to target dissidents and minority ethnic groups.”

In June, Christopher Krebs, the director of the US Cybersecurity and Infrastructure Security Agency, or CISA, at the Department of Homeland Security, said “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies..... We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.”

DefenseOne:      Wired:        Vox:      Oodaloop:       ZDNet:     Image: akkasemosalman.ir

You Might Also Read: 

Reshaping The Future Of War With Malware:

New US Cyber Attacks On Iran:

 

« Top 20 Cyber Security Companies At The Start Of 2020
Warning: Smart TVs Are The IoT Gateway Into Your Home »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Exploit Database (EDB)

Exploit Database (EDB)

The Exploit Database is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers.

VivoSecurity

VivoSecurity

VivoSecurity is a pioneer in cyber risk quantification based on data science. Our products and services help organizations achieve optimal information security and GRC programs.

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center (MCC)

Maritime Cybersecurity Center is a not-for-profit organization focused on regional cybersecurity excellence and readiness, with a special emphasis on the maritime community.

Arsenal Recon

Arsenal Recon

Arsenal Recon are digital forensics experts, providing consultancy services and powerful software tools to improve the analysis of electronic evidence.

Belkasoft

Belkasoft

Belkasoft is a software vendor providing public agencies, corporate security teams, and private investigators with digital forensic solutions.

Civic Technologies

Civic Technologies

Civic’s Secure Identity Platform (SIP) uses a verified identity for multi-factor authentication on web and mobile apps without the need for usernames or passwords.

DataEndure

DataEndure

DataEndure helps companies build digital resilience so that their critical information assets are protected and available to the right people, at the right time.

BlackScore

BlackScore

BlackScore is a technology company seeking to disrupt risk assessment using AI-driven technology.

Valency Networks

Valency Networks

Valency Networks provide cutting edge results in the areas of Vulnerability Assessment and Penetration Testing services for webapps, cloud apps, mobile apps and IT networks.

BlueAlly

BlueAlly

BlueAlly helps clients scale, optimize, and manage their IT resources to reach their business goals.

Brightsolid

Brightsolid

Brightsolid are experts in Hybrid Cloud. We design, build and manage secure, scalable cloud environments that meet customers’ business ambitions.

Verichains

Verichains

Verichains Lab is a pioneer and leading APAC blockchain security firm with extensive expertise in the areas of security, cryptography and core blockchain technology.

Assured Clarity

Assured Clarity

Assured Clarity are a global consultancy, specialising in Risk Management and Data Privacy, through Education, Awareness and Training, throughout an organisation.

Anatomy IT

Anatomy IT

Anatomy IT empowers healthcare providers to deliver exceptional patient care with cutting-edge technology and cybersecurity solutions.

Revytech

Revytech

Revytech is a tech company providing services in a broad range of areas including IT operations, cyber security and network engineering.

Liquid C2

Liquid C2

Liquid C2 offers leading solutions to streamline workplace operations, secure cloud storage, rapid data recovery, and scale growth.