Pierluigi Paganini January 04, 2020

US Government fears a new wave of cyber attacks from Iran as retaliation for the airstrike that killed Maj. Gen. Qassim Suleimani at the Baghdad airport in Iraq.

Christopher C. Krebs, Director of Cybersecurity and Infrastructure Security Agency (CISA) warned of a potential new wave of cyber attacks carried out by Iran-linked hacker groups targeting U.S. assets.

The attacks could be the response of the Iranian cyber unit after Maj. Gen. Qassim Suleimani was killed by a U.S. drone airstrike at the Baghdad airport in Iraq.

“Given recent developments, re-upping our statement from the summer,” Krebs explained in Tweet. 

“Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS,” he added. “Make sure you’re also watching third party accesses!”

“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.” reads the advisory published by CISA.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”

The advisory urges administrators of the assets to implement basic defenses and immediately reports any information or suspects in ongoing attacks.

“The Department of Homeland Security stands ready to confront and combat any and all threats facing our homeland,” states the Acting Secretary Chad F. Wolf.

“While there are currently no specific, credible threats against our homeland, DHS continues to monitor the situation and work with our Federal, State and local partners to ensure the safety of every American.”

In June 2019, US DHS CISA agency already warned of increased cyber-activity from Iran aimed at spreading data-wiping malware through password spraying, credential stuffing, and spear-phishing.

The attacks were targeting U.S. industries and government agencies, the statement was also published by the CISA Director Chris Krebs via his Twitter account.

The statement warned of targeted attacks carried out by the Iranian affiliated actors that leverage data-wiper specifically designed to permanently destroy data of infected systems.

Wiper attacks have been used in the past by state actors or as decoys for other attacks, which are described later in the article.

Experts recommended to have secure working backup procedures, in case of attack, victims could simply recover data from a backup.

The statement also highlights the risks related to account compromise that could represent the entry point in a targeted network.

Past attacks attributed to Iran-linked hackers are:

• 2012 – Shamoon wiped over 30,000 computers at Saudi Aramco.
• 2016 – Shamoon 2 spread in the wild.
• 2017- NotPetya leveraged the EternalBlue exploit to spread to vulnerable systems.
• 2017 – anti-Israel & pro-Palestinian data wiper dubbed IsraBye that is spread as a ransomware.
• 2018 – KillDisk was involved in a wave of SWIFT attacks against banks worldwide.
• 2018 – Olympic Destroyer malware was used in attacks against Olympic Winter Games in Pyeongchang, and later in a new wave of attacks against organizations in Germany, France, the Netherlands, Russia, Switzerland, and Ukraine.

While the world and cyber security community is waiting for a spike in the cyber attacks carried out by Iran-linked APT groups, I believe that their level of sophistication will not rapidly increase and we cannot underestimate the risk of false flag operations conducted by other nation-state actors.

Pierluigi Paganini

(SecurityAffairs – Iran, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]