RiskIQ agrees with most experts that Iran is likely planning additional cyber-attacks in the coming months to punish the U.S. for the airstrike that killed the Iranian Islamic Revolutionary Guard Corps (IRGC) Commander, Qasem Soleimani.
Below, RiskIQ's managed intelligence services team, comprised of former intelligence officers, assesses how state-sponsored threats from Iran can affect your business.
So far—in keeping with its modus operandi—Tehran's response to the attack has been measured and proportional. Four days after the strike, the IRGC launched numerous ballistic missiles at U.S. airbases in Iraq, inflicting minor casualties. According to the Washington Post, on January 8th, the head of Iran's Aerospace Force, stated they "did not intend to kill... [instead, they] intended to hit the enemy's military machinery."
Historically, Iran has also conducted retaliatory attacks calibrated to maintain plausible deniability and avoid escalation. Attribution for cyber attacks is difficult, making it a useful—and frequently used—countermeasure for Tehran.
Iran has a first-world cyber-attack capability
Iran began building out its cyberattack capability over a decade ago after a devastating digital worm called Stuxnet—attributed to both the U.S. and Israel—damaged a uranium processing facility. Iran has since developed a variety of advanced cyber-attack capabilities able to target industrial control systems, national infrastructure, financial institutions, education establishments, oil and gas companies, and more.
For example, In 2013, Iran successfully penetrated the control systems for the dam in Rye, New York, located just 25 miles north of New York City. And, In 2014, in response to public comments made by American casino magnate Sheldon Adelson, Iranian hackers attacked the computer networks of Adelson's Sands Casino in Las Vegas. The attack damaged or destroyed 75 percent of the casino's servers, and the cost to recover the data and repair or replace the servers exceeded $40 million, according to a Bloomberg report.
And they have already attempted countless retaliatory cyber attacks.
In addition to the military strike on U.S. air bases, Iran and Iranian sympathizers have already unleashed cyberattacks against U.S. targets.
- Four days after the U.S. strike, Texas Governor Greg Abbott warned that Texas agencies were seeing 10,000 attempted cyberattacks per minute from Iran.
- In the week after Soleimani's death, pro-Iranian hackers launched a series of digital strikes, including defacing city websites and the homepage of the Federal Depository Library Program and spreading misinformation through hacked Twitter accounts.
- That same week, cyber offensives "specifically traced" to Iran's state-sponsored hacking groups struck around 35 different organizations, according to a Forbes report.
Cybersecurity experts and government officials are already monitoring an uptick of malicious activity by pro-Iranian hackers and social media users that they believe are indicative of more severe computer attacks from Iran, according to a New York Times report. Read: more attacks are to come.
You may have already been targeted
Iranian hackers have numerous cyber attack techniques in their arsenal, but their core competencies include running long, drawn-out social engineering and phishing attacks. Through social engineering, attackers use phone calls and other media to trick people into handing over access to the organization's sensitive information. In one recent case, Iranian hackers were caught after Microsoft found websites that had been used in a years-long phishing campaign that targeted corporations, government agencies, activists, and journalists. In the attacks, hackers sent out emails and social media posts to infiltrate computer systems by tricking victims into visiting phony websites with malicious software.
In another case, detailed in a 2017 WIRED report, Iranian hackers created a fake online persona named Mia Ash. See the graphic below detailing the stages of this spearphishing campaign.
What you can do to protect your cyber networks now
Protecting cyber networks is as much about safeguarding your personal social network as it is about a computer network. Social engineering is harder to trace, spot, and track, making it all the more important to implement protocols to safeguard your network now from these types of attacks. A first step would be to warn your employees to be wary of unexpected or suspicious emails, phone calls, text messages, or other digital contacts that may serve as an entry point for attacks; these methods are typical of those employed by Iran. Employees should also be encouraged to report any suspicious contacts to security for further investigation.
Add RiskIQ to your team
But for advanced and persistent threats, education and awareness may not be enough—and that's where RiskIQ can help. We provide solutions for combating precisely the type of threats Iranian hackers have used and continue to use. For example, to mitigate phishing threats, like the Microsoft case, RiskIQ ingests suspected phishing URLs from a broad range of sources. Our algorithms intelligently sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving a small fraction, if any, left for human review. Similar methods can be used for combating personalized spearphishing attacks, like the "Mia" case above.
How else can RiskIQ help?
RiskIQ Executive Guardian and External Threats - Iran has previously built fake news organizations to target executives and individuals. RiskIQ uses our internet-scale visibility to offer executive protection and social media monitoring.
RiskIQ Digital Footprint - Iran is likely scanning the internet for VPNs and other remote access software to get a foothold in U.S. organizations, so it's crucial to understand the services and open ports within your attack surface.
Iran is known to perform mass compromises of web applications to build up enormous botnets. Understanding your organization's attack surface to find outdated technologies and other assets at risk of takeover can prevent you from becoming a victim.
RiskIQ PassiveTotal - Iran may come directly from their IP space or through a proxy, and may also use typosquat or other domains to launch targeted phishing attacks. Being able to identify and link Iranian infrastructure is key to blocking attacks. In RiskIQ PassiveTotal, you can quickly pivot across unique data sets built from an unmatched breadth of internet data to uncover and address the infrastructure attacking you.
Click here to see RiskIQ's suite of products that can help you mitigate these and other cyber threats.