Iran's Cyberwar Response To Its General's Killing
Following the US assassination of General Qassem Soleimani (pictured) on Friday January 2nd by a deadly drone strike, it looks like the United States and Iran are at war. Over the following weekend, the cyber war began with threat actors defaced the website of the US Federal Depository Library Program (FDLP).
This could be only the first Iranian state-sponsored cyberattack in retaliation for the US drone strike that killed the Iranian military commander at Baghdad airport in Iraq. The FDLP website was taken down after the defacement, which according to the DHS involved “pro-Iranian, anti-US messaging.”
The US Department of Home Security (DHS) on Saturday 3rd issued a rare National Terrorism Advisory System (NTAS) alert warning about possible Iranian terror and cyber campaigns in retaliation for the US drone strike that killed Soleimani. He was the commander of the Quds Force, the extraterritorial operations branch of Iran’s Islamic Revolutionary Guard Corps (IRGC).
The Iranian government and various allied organisations have warned that they plan to retaliate against the US over Soleimani’s death.
The DHS warns that “Iran maintains a robust cyber program and can execute cyber-attacks against the United States,” adding that such an attack “may come with little or no warning.”
The killing of another country’s most important military official is tantamount to a formal declaration of hostilities. While the US and Iran had been exchanging blows indirectly and through proxies in Iraq and Yemen, the Trump administration has brought this long-running shadow conflict with Iran out into the open.
For years, US tensions with Iran have held to a kind of brinksmanship. But the drone assassination of Soleimani, widely understood to be the second most powerful figure in Iran, has dangerously escalated tensions. The world now awaits Iran's response, which seems likely to make new use of a tool that the country has already been deploying for years: its brigades of military hackers. When the Iranian response comes, and it will come, though it may not be immediate, there will be intense pressure on the Trump administration to respond in kind. The scenarios experts are floating are dire, including both direct attacks on the US and strikes on its allies.
In the wake of strike, military and cybersecurity analysts caution Iran's response could include, among other possibilities, a wave of disruptive cyberattacks.
The country has spent years building the capability to execute not only the mass-destruction of computers but potentially more advanced, albeit far less likely, attacks on Western critical infrastructure like power grids and water systems.Iran has ramped up its cyberwar capabilities ever since a joint US-Israeli intelligence operation deployed malware called Stuxnet in the Natanz uranium enrichment facility in 2007, destroying centrifuges and crippling the country's nuclear efforts.
Iran has since put serious resources into advancing its own hacking, though it deploys them more for espionage and mass disruption than Stuxnet-like surgical strikes.
Expect more network-enabled spying and possibly destructive cyber-attacks in the wake of the killing of one of Iran’s most important military commanders, experts said. “We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment.
“We also anticipate disruptive and destructive cyberattacks against the private sphere,” said John Hultquist, director of Intelligence Analysis at FireEye, in a recent statement.
Like a lot of smaller state actors, Iran has been growing its cyber capacity over the last several years. Clumsy distributed-denial-of-service attacks and website defacements in 2009 led four years later to the manipulation of search query commands in an attack on the Navy Marine Corps Intranet. In 2013, an Iranian national allegedly breached the control systems of a dam in Rye, New York. Two years after that, Iran actors used Wiper malware to delete files from some 35,000 computers owned by Saudi Aramco, one of the most disruptive attacks to date.
Iranian cyber actions spiked ahead of the 2015 signing of the multinational deal that limited Iran’s nuclear activities. Targets included US financial organisations and even the a casino in Las Vegas who’s networks were wiped clean, doing $40m in damage.
Iranian cyber activity dropped off somewhat after the signing of the nuclear deal. But in 2017, a threat group that FireEye dubbed APT33 attacked aerospace and petrochemical targets across the United States, Saudi Arabia, and South Korea.
The group created domain names to send convincing emails pretending to be from Boeing, Northrop Grumman, and various joint ventures.
The methods, targeted spear-phishing and domain-name squatting, suggest that the intent was industrial espionage, not destruction. And in December 2018, a series of dramatic wiper attacks targeted Italian, Saudi and UAE oil interests in the Middle East, attacks that experts to Iran.
What’s Next
The past year brought various warnings of a new spike in malign network activity. A January 2019 Report indicated that Iran had been attacking domain name service providers, aiming to set up fake domain names that could facilitate a new wave of spearphishing operations.
The following month, Crowdstrike’s 2019 Global Threat Report noted that despite “some short-term gaps in attributable incidents this year, Iran based malicious cyber activity appeared to be fairly constant in 2018, particularly involving incidents targeting other countries in the [Middle East and North Africa] region… “Additionally, it is suspected that Iranian adversaries are developing new mobile malware capabilities to target dissidents and minority ethnic groups.”
In June, Christopher Krebs, the director of the US Cybersecurity and Infrastructure Security Agency, or CISA, at the Department of Homeland Security, said “CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies..... We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.”
DefenseOne: Wired: Vox: Oodaloop: ZDNet: Image: akkasemosalman.ir
You Might Also Read:
Reshaping The Future Of War With Malware: