04/10/2020

Iran’s formidable cyber arsenal includes malware and DoS attacks.

Iran’s promise to avenge the US military’s recent killing of Iran’s top military commander, Qassem Soleimani, has stoked fears about what this retaliation will look like. Many worry that it will lead to all-out war, but although the US is adding 3,500 troops to the tens of thousands already stationed in the Middle East, there haven’t been any large-scale military fights on the ground.
On our computers, however, it might be a different story. One of Iran’s most likely responses to the US’s actions may be a cyberattack on private businesses or even government systems, which is why many experts in the US are bracing for an assault from a country that has established itself as one of the world’s major cyber threats in the last decade.
If Iran does launch a digital strike, this wouldn’t be anything new. In fact, it would be just another battle in an ongoing invisible war between the US and Iran that has been happening for years.
Iran’s cyberattacks are already so extremely active and persistent that cybersecurity expert Brian Krebs told Recode, “It’s difficult to think of what might constitute an escalation of that activity.”
The Department of Homeland Security also recognizes the potential cyberthreat. Two days after Soleimani’s death, DHS’s National Terrorism Advisory System issued a bulletin that mentioned Iran’s past cyber enabled attacks from its robust cyber program.
“Iran is capable, at minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” the bulletin said.
Michael Daniel, president and CEO of Cyber Threat Alliance and the cybersecurity coordinator on the National Security Council during the Obama administration, told Recode that while it’s too early to say what Iran’s cyberattack plans could be, the United States should be prepared for the possibility.
“They’ve used [cyber attacks] before, and they have continued developing their cyber capabilities over the last few years,” Daniel said. “Based on past experience with Iran, it would be a logical course of action for them to take.”
How Iran became a cyber threat
If Iran’s past actions are any indication, a new cyberattack against the US could employ malware (programs that are designed to damage computer systems, such as computer viruses) or denial of service (DoS) attacks (when hackers bombard web services with so many requests that they are unable to function).
Ironically, it was a cyberattack linked to the US almost 10 years ago that led to Iran ramping up its cyberwarfare abilities. In June 2010, a computer virus called Stuxnet, which has been called unprecedentedly masterful and malicious, was discovered to have targeted computers that ran Iran’s nuclear program, reportedly destroying a fifth of its centrifuges.
While Stuxnet is largely believed to have been a joint US-Israel effort (with, it was recently reported, some help from the Dutch), neither government has officially acknowledged this. Iran responded by bulking up its cyberespionage capabilities, refining and improving its skills over the last decade, and attacking both America and its allies.
In America, Iran’s cyberattacks have largely targeted the private sector. In 2014, it hacked into Sands Hotel and Casino’s systems, stealing and destroying data and ultimately costing the casino at least $40 million. And between 2011 and 2013, seven Iranians allegedly working on the Iranian government’s behalf were accused of launching DoS attacks on 46 businesses, most of them financial institutions, according to a 2016 US Department of Justice indictment.
Iran’s most notorious cyberattack was against Saudi Arabia’s state-owned oil company, Saudi Aramco. In 2012, a virus called Shamoon destroyed more than 30,000 of Saudi Aramco’s computers. (Shamoon was a type of wiper, a particularly harmful malware that irreversibly wipes data from the devices and networks it infects.)
Saudi Aramco was forced to go offline for months until it could rebuild its IT infrastructure, ultimately costing one of the most valuable companies in the world hundreds of millions of dollars. Modified versions of Shamoon surfaced in 2016 and 2018, which suggests Iran might use this tool to retaliate against the US if it does launch a cyberattack, experts told Recode.
“I would expect destructive attacks like the Shamoon attack against Saudi Aramco,” Chris Wysopal, co-founder and chief technology officer of cybersecurity software company Veracode, told Recode. He added that local governments and hospitals are potential soft targets for such attacks.
Both often don’t have the funds or personnel to protect from sophisticated hackers, so they are routinely attacked by ransomware, which encrypts all data on infected computers and systems, forcing victims to pay a ransom to restore their access. The attacks can take down essential and even life-saving services for weeks, and they cost millions of dollars to fix.
Is America prepared?
Cybersecurity expert Bruce Schneier’s answer was brief and to the point: “No.”
Security experts have warned for years now that Iran would ramp up its cyberattacks on America in frequency and severity, especially since the election of President Trump, an exceedingly vocal opponent of the regime who pulled the US out of its nuclear deal with Iran.
Last October, Microsoft reported that an Iran-linked hacker group attempted to access email accounts associated with political journalists and an unnamed presidential campaign. That same month, Facebook revealed that Iranian groups created fake accounts to disseminate propaganda, something Iran has done several times in the past.
“Given this latest development, American businesses must bolster their cyber defenses against spear-phishing, DDoS, ransomware and, most commonly used on Iranian neighbors, wiper attacks,” Bill Conner, CEO of SonicWall, told Recode.
“These types of attacks, used maliciously and designed to sniff out human and/or network weaknesses, could ultimately bypass a country’s most-relied-upon defenses and security controls in what would be a historical asymmetric cyberattack,” Conner added.
America has launched several cyberattacks of its own on Iran, reportedly as recently as last June, September, and December. Defensively, government officials and agencies have warned Americans to take security precautions. Last June, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned that there was a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.
This week, after Soleimani’s killing, CISA director Chris Krebs linked back to the statement:
Given recent developments, re-upping our statement from the summer.
Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS
Chris Krebs (@CISAKrebs) January 3, 2020
The DHSs acting secretary, Chad Wolf, also tweeted that organizations should be prepared for cyber threats:
A good reminder from @CISAGov: In times of heightened threats, organizations should increase monitoring, back up systems, implement multifactor authentication, & have an incident response plan ready. More info on threats & prevention/preparedness tips at https://t.co/QrJdBOeEJz
Acting Secretary Chad Wolf (@DHS_Wolf) January 5, 2020
Worryingly, the Trump administration eliminated the National Security Council’s cybersecurity coordinator position in 2018. The Obama administration-created post was responsible for coordinating cybersecurity efforts across government agencies.
And the State Department’s Coordinator for Cyber Issues position has been empty since 2017. The US Government Accountability Office currently recommends that the government take urgent action against cyberthreats, considering it a high risk issue.
What’s next
So far, the only known possible Iranian attack on the US was a brief hack last Saturday of the website of the Federal Depository Library Program, a little-known agency that distributes government publications to libraries across the country. The site’s homepage was replaced with an image of President Trump being punched in the face, alongside a message blaming the hack on Soleimani’s death and promising more.
The attack is not believed to have caused any damage beyond the brief defacement, and the CISA told CBS News that it could not even confirm that Iran was behind the attack. An unnamed official called it a “nothing event.”
Still, many cybersecurity experts are concerned that if America’s public and private sectors don’t prepare for Iran’s most likely response, it may not be a nothing event. Lisa Monaco, President Obama’s homeland security and counterterrorism adviser, recently wrote in the Washington Post that the most immediate threat from Iran was a cyberattack on financial institutions and infrastructure.
The biggest question now, she wrote, is if Americans are prepared for whatever form Iran’s retaliation will take.