RiskIQ agrees with most experts that Iran is likely planning additional cyber-attacks in the coming months to punish the U.S. for the airstrike that killed the Iranian Islamic Revolutionary Guard Corps (IRGC) Commander, Qasem Soleimani.
Below, RiskIQ’s managed intelligence services team, made up of former intelligence officers, assesses how state-sponsored threats from Iran can affect your business.
So far—in keeping with its modus operandi—Tehran’s response to the attack has been measured and proportional. Four days after the strike, the IRGC launched numerous ballistic missiles at U.S. airbases in Iraq, inflicting minor casualties. According to the Washington Post, on January 8th the head of Iran’s Aerospace Force stated they “did not intend to kill… [instead, they] intended to hit the enemy’s military machinery.”
Historically, Iran has also conducted retaliatory attacks calibrated to maintain plausible deniability and avoid escalation. Attribution for cyber attacks is difficult, making it a useful—and frequently used—countermeasure for Tehran.
Iran has a first-world cyber-attack capability
Iran began building out its cyberattack capability over a decade ago after a devastating digital worm called Stuxnet—attributed to both the U.S. and Israel—damaged a uranium processing facility. Iran has since developed a variety of advanced cyber-attack capabilities able to target industrial control systems, national infrastructure, financial institutions, education establishments, oil and gas companies, and more.
For example, in 2013, Iran successfully penetrated the control systems for the dam in Rye, New York, located just 25 miles north of New York City. And in 2014, in response to public comments made by American casino magnate Sheldon Adelson, Iranian hackers attacked the computer networks of Adelson’s Sands Casino in Las Vegas. The attack damaged or destroyed 75 percent of the casino’s servers, and the cost to recover the data and repair or replace the servers exceeded $40 million, according to a Bloomberg report.
And they have already attempted countless retaliatory cyber attacks.
In addition to the military strike on U.S. air bases, Iran and Iranian sympathizers have already unleashed cyberattacks against U.S. targets.
Cybersecurity experts and government officials are already monitoring an uptick of malicious activity by pro-Iranian hackers and social media users that they believe are indicative of more severe computer attacks from Iran, according to a New York Times report. Read: more attacks are to come.
You may have already been targeted
Iranian hackers have numerous cyber attack techniques in their arsenal, but their core competencies include running long, drawn-out social engineering and phishing attacks. Through social engineering, attackers use phone calls and other media to trick people into handing over access to the organization’s sensitive information. In one recent case, Iranian hackers were caught after Microsoft found websites that had been used in a years-long phishing campaign that targeted corporations, government agencies, activists, and journalists. In the attacks, hackers sent out emails and social media posts to infiltrate computer systems by tricking victims into visiting phony websites with malicious software.
In another case, detailed in a 2017 WIRED report, Iranian hackers created a fake online persona named Mia Ash. See the graphic below detailing the stages of this spearphishing campaign.
What you can do to protect your cyber networks now
Protecting cyber networks is as much about safeguarding your personal social network as it is about a computer network. Social engineering is harder to trace, spot, and track, making it all the more important to implement protocols to safeguard your network now from these types of attacks. A first step would be to warn your employees to be wary of unexpected or suspicious emails, phone calls, text messages, or other digital contacts that may serve as an entry point for attacks; these methods are typical of those employed by Iran. Employees should also be encouraged to report any suspicious contacts to security for further investigation.
But for advanced and persistent threats, education and awareness may not be enough—and that’s where RiskIQ can help. We provide solutions for combating precisely the type of threats Iranian hackers have used and continue to use. For example, to mitigate phishing threats like the Microsoft case, RiskIQ ingests suspected phishing URLs from a broad range of sources. Our algorithms intelligently sort phishing pages from legitimate sites, automatically validating the vast majority of phish and leaving only a small fraction, if any, for human review. Similar methods can be used for combating personalized spearphishing attacks, like the “Mia” case above.
How else can RiskIQ help?
RiskIQ Executive Guardian and External Threats – Iran has previously built fake news organizations to target executives and individuals. RiskIQ uses our internet-scale visibility to offer executive protection and social media monitoring.
RiskIQ Digital Footprint – Iran is likely scanning the internet for VPNs and other remote access software to get a foothold in U.S. organizations, so it’s crucial to understand the services and open ports within your attack surface.
Iran is known to perform mass compromises of web applications to build up enormous botnets. Understanding your organization’s attack surface to find outdated technologies and other assets at risk of takeover can prevent you from becoming a victim.
RiskIQ PassiveTotal – Iran may come directly from their IP space or through a proxy, and may also use typosquat or other domains to launch targeted phishing attacks. Being able to identify and link Iranian infrastructure is key to blocking attacks. In RiskIQ PassiveTotal, you can quickly pivot across unique data sets built from an unmatched breadth of internet data to uncover and address the infrastructure attacking you.
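The typosquat problem mentioned above is one a defender can start on without any vendor tooling: generate the lookalike labels an attacker would plausibly register for your own domain and match them against whatever domain feed you have (newly registered domains, passive DNS, certificate transparency). The script below is an added example written for this post; it is not RiskIQ or PassiveTotal code. It assumes a single brand domain and a constructed list of observed domains standing in for a real feed, and it covers the common techniques (character omission, repetition, adjacent transposition, homoglyph substitution, suspicious affixes, TLD swaps) plus an edit-distance catch-all for anything the generator misses.

```python
# Lookalike / typosquat domain detection for a brand domain.
# Added example, not part of the original post or any RiskIQ product.

# Constructed sample feed: domains an analyst might see in a newly-registered-domain
# or passive DNS export. All of these are made up for the example.
OBSERVED_DOMAINS = [
    "example.com",        # the organisation's own domain
    "exarnple.com",       # "m" written as "rn"
    "examp1e.com",        # "l" written as "1"
    "exmaple.com",        # adjacent characters swapped
    "exampl.com",         # character dropped
    "example-login.com",  # phishing-style affix
    "example.co",         # same label, different TLD
    "weather-today.net",  # unrelated, should not be flagged
    "examplee.com",       # character doubled
]

# Visually confusable substitutions attackers commonly use (assumed list, extend as needed).
HOMOGLYPHS = {
    "m": ["rn"], "rn": ["m"], "l": ["1", "i"], "i": ["l", "1"],
    "o": ["0"], "e": ["3"], "a": ["4"], "s": ["5"], "w": ["vv"],
}
# Words attackers prepend or append to a brand to make a credential-harvesting page look legitimate.
SUSPICIOUS_AFFIXES = ["login", "secure", "account", "verify", "support"]


def split_domain(domain):
    """Split 'label.tld' into (label, tld). Multi-label suffixes such as co.uk and
    subdomains are out of scope for this example; strip them before calling."""
    domain = domain.lower().strip(".")
    label, _, tld = domain.rpartition(".")
    return label, tld


def typosquat_variants(label):
    """Generate lookalike labels for `label`, mapped to the technique that produced each."""
    variants = {}
    for i in range(len(label)):
        variants.setdefault(label[:i] + label[i + 1:], "omission")
        variants.setdefault(label[:i] + label[i] + label[i:], "repetition")
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        variants.setdefault(swapped, "transposition")
    for original, substitutes in HOMOGLYPHS.items():
        if original in label:
            for sub in substitutes:
                variants.setdefault(label.replace(original, sub), "homoglyph")
    for affix in SUSPICIOUS_AFFIXES:
        variants.setdefault(f"{label}-{affix}", "affix")
        variants.setdefault(f"{affix}-{label}", "affix")
    variants.pop(label, None)  # the brand itself is never a variant
    return variants


def osa_distance(a, b):
    """Optimal string alignment (Damerau-Levenshtein) distance: insert, delete,
    substitute, or swap two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(domain, brand_domain):
    """Return the lookalike technique detected for `domain`, or None if it is
    either the genuine brand domain or not similar enough to flag."""
    brand_label, brand_tld = split_domain(brand_domain)
    label, tld = split_domain(domain)
    if label == brand_label:
        return None if tld == brand_tld else "tld-variant"
    technique = typosquat_variants(brand_label).get(label)
    if technique:
        return technique
    # Catch-all for single-edit lookalikes the generator does not enumerate.
    if osa_distance(label, brand_label) <= 1:
        return "edit-distance-1"
    return None


def find_lookalikes(observed, brand_domain):
    """Map each flagged observed domain to the technique that matched it."""
    flagged = {}
    for domain in observed:
        technique = classify(domain, brand_domain)
        if technique:
            flagged[domain] = technique
    return flagged


if __name__ == "__main__":
    for domain, technique in find_lookalikes(OBSERVED_DOMAINS, "example.com").items():
        print(f"{domain:<20} {technique}")
```

Flagged domains are candidates for investigation, not verdicts: the next step is to resolve them, check who registered them and when, and look at what they serve, which is where passive DNS and WHOIS pivoting come in. Keep the homoglyph and affix lists tuned to your own brand, and expect the edit-distance catch-all to produce false positives on short labels.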
Click here to see RiskIQ’s suite of products that can help you mitigate these and other cyber threats.