US warns that cyberattacks could be part of Iran’s plans as tensions rise. This is what Iran’s current offensive cyber capabilities look like.
Tensions between the United States and Iran are raised after the killing of Iranian IRGC-Quds Force commander Qassem Soleimani via a US drone strike while he was in Iraq. Iranian leaders have vowed to retaliate against the US, with the US Department of Homeland Security warning that previous Iranian plans have included “cyber-enabled” attacks against a range of US targets.
So, if Iran decided to use cyber means to respond, what would that potentially look like?
Iran has long been seen as one of the four countries that pose the greatest online threats to the US, along with China, Russia and North Korea, and there has been a long history of Iranian cyber intrusions against the US.
In March 2018, the US Department of Justice charged nine Iranians over a giant cyber-theft campaign, stealing more that 31 terabytes of documents and data from more than 140 American universities and 30 American companies.
In March 2016, the US charged seven Iranians for over a coordinated campaign of DDoS attacks against 46 companies, mostly in the US financial sector, from late 2011 through mid-2013. At the same time one man was also charged with gaining unauthorised access into the control systems of the Bowman Dam in Rye, NY.
The February 2014 hacking of the Sands Las Vegas Corporation in Las Vegas, which saw customer data stolen and — according to reports — some computers wiped, was also blamed on Iran.
It’s also worth noting that US has also used cyberattacks against Iran — most notably the Stuxnet virus, which was designed to damage equipment used in Iran’s nuclear programme, back in 2007. More recently in June last year, the US attacked the computer systems used by Iran to control missile launches, after Iran shot down a US surveillance drone.
Iran’s capabilities have generally been considered to be more limited than those of Russia and China, but may have expanded recently.
In their most recent global threat assessment — from January last year — US intelligence agencies said that Iran was attempting to build cyber capabilities that would enable attacks against critical infrastructure in the US and elsewhere.
“Iran has been preparing for cyberattacks against the United States and our allies”, said the report, which warned that Iran was capable of causing “localized, temporary disruptive effects.” Those effects could include disrupting a large company’s corporate networks for days to weeks, as in the data-wiping attacks Iran has been accused of conducting against targets in Saudi Arabia.
But that reflects that Iran’s capabilities are limited in contrast to Russia and China, which both have the capacity to disrupt critical infrastructure like gas pipelines or power grids. However, it could be that in the last year Iran has developed its capabilities.
Last week’s warning from the US Department of Homeland Security noted: “Iran maintains a robust cyber program and can execute cyberattacks against the United States,” it warned, adding that Iran is capable, at a minimum “of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
A credible offensive actor
The US Cybersecurity and Infrastructure Security Agency (CISA) has also warned that Iran has continuously improved its offensive cyber capabilities, going beyond DDoS and website defacement, and that its hackers have demonstrated a willingness to push further, including “destructive wiper malware and, potentially, cyber-enabled kinetic attacks”.
“Iran is a credible offensive actor in cyberspace having moved in recent years to boost their military capability in this area — in the past, they relied on third-party groups and supportive hackers to carry out attacks,” said Duncan Hodges, senior lecturer in Cyberspace Operations at Cranfield University.
Iran’s cyber capabilities can be broken down into three main areas; espionage, destructive attacks and social media manipulation (security companies track different Iranian groups under the advanced persistent threat (APT) model as APT33, APT34, APT35 and APT39, although there could be as many as 10 different Iranian groups in operation.)
It has consistently targeted government officials, government organisations, and companies to gain intelligence either for industrial espionage or to improve its positioning for future attacks.
For example, in October, Microsoft warned that its security team had seen Iranian hackers attack 241 email accounts, including those associated with a US presidential campaign, current and former US government officials, journalists covering global politics, and prominent Iranians living outside Iran. Four accounts were compromised as a result. Iranian hackers have also been accused of trying to steal data from US military veterans and attempting to steal academic research.
Iran launches multiple espionage campaign every month, said Sherrod DeGrippo senior director of threat research and detection at security company Proofpoint. But mostly these have been involved with reconnaissance by stealing data and login details, rather than doing damage.
Their objective – at least in the past – has been to get a foothold inside the organisation, extract the data and they keep that foothold for later use, DeGrippo said.
“They are relatively sophisticated but I haven’t seen the deep destructive catastrophic events from those groups,” she said. “They’ve have a lot of access, they’ve done a lot of campaigns, but they’ve been quiet. And so, what’s going to happen, now?”
Iran has also used social media campaigns focused on audiences in the US and elsewhere to advance its interests. In October last year, Facebook said it had removed three networks of fake accounts linked to Iran (and one linked to Russia) that had, among other things, pushed content from phoney news organisations.
But it’s the use of malware that can wipe PCs and hard drives by Iran’s hackers that creates the most serious risk of a destructive attack.
The 2012 attack against the Saudi Aramco oil company using the Shamoon malware is probably the most high-profile cyberattack blamed on Iran and saw at least 30,000 PCs wiped.
Since then, according to tech security companies, updated versions of this wiper malware have been used by Iran-backed hackers (or groups masquerading as Iran-backed hackers) to attack targets in Saudi Arabia and the Middle East.
Last month IBM warned of a new form of wiper malware it called ZeroCleare, which aims to overwrite the Master Boot Record and disk partitions on Windows-based machines. IBM said the malware had been used against the industrial and energy sectors and said that Iran-backed hackers were likely responsible.
“Iran’s history of cyberattacks has been more destructive rather than manipulative. They have looked to destroy and degrade infrastructure and hardware,” said Hodges.
All of these different ingredients — digital spying, phishing, social media campaigns and destructive malware — are all potential risks if Iran does decide to use cyber warfare as part of its response.
John Hulquist, director of intelligence analysis at tech security company FireEye, said that a likely first consequence of the current crisis would be an uptick in cyber espionage by Iran.
“They want to know what the US is thinking and how the military is preparing and what our allies are doing. They are going to try to break into the computers belonging to the people who have that information,” he told ZDNet.
While Tehran-backed hacking groups have carried out some attacks against the US previously, like the DDoS attacks against financial institutions, this had declined after the Obama-era nuclear deal, after which Iranian hackers turned their attention to targets in the Gulf region, Hulquist said. But the latest incident could cause them to swing their focus back again.
“They have improved since we last saw them in the US,” Hulquist said. “They are very focused on the destructive wiper capability. We’ve seen a lot of incidents of this wiping capability used primarilly against critical infrastructure companies.”
Wiper malware is a bit like ransomware in that it goes after the data on the hard disk — but, unlike ransomware, there’s little hope of getting the information back again.
“You can still cause of lot of damage with just wipers and they’ve focused on that and they’ve got really good at it. The real question now is whether or not they are going to turn that against the US or our allies as a result of this operation,” he said.
But it may be that even if Iran-backed hackers do plan destructive attacks they will be focusing on US allies in the Gulf region rather that the US itself.
“Although we assess that Iranian actors will continue to target domestic US government, military, and commercial entities for cyberespionage purposes, organizations in the Persian Gulf region are at the greatest risk for destructive cyberattacks,” said cyber security company Recorded Future.
If Iran does decide to step up its cyber campaigns against the US and its allies, the first indication could be a new wave of phishing emails and probing of critical infrastructure companies or other targets.
“That will be our first clue that the status quo has changed,” said Hulquist.
Another thing to watch for, said DeGrippo, is that one of the Iranian groups, known as APT33, has spent years developing sophisticated payloads with Powershell implants exploits, which could allow them to potentially meddle with critical infrastructure like financial systems or industrial control systems.
“Those are the kinds of things we’re looking for, are they going to going to start using these sophisticated Powershell implants capabilities to get into places that have kinetic capabilities or that have physical real world impacts,” she said.
If Iran does choose cyber means to launch its response, it could mean the start of a new and darker chapter of the evolution of cyber warfare, according to Hodges.
“Offensive cyber activity has been used in the past to de-escalate tensions and avoid physical military engagement, such as in the US/Iran conflict in the Gulf of Oman last year. With the present conflict we could, for the first time, see cyberattacks used to escalate conflict.”
CISA has a set of recommended actions for organisations to take in the face of potential threats:
- Disable all unnecessary ports and protocols, review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
- Enhance monitoring of network and email traffic, monitor for new phishing themes.
- Patch externally facing equipment, with a focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service.
- Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organisational network.