
Disk-wiping malware, phishing and espionage: How Iran’s cyber attack capabilities stack up

Ransomware | BCyber | January 8, 2020


Tensions between the United States and Iran have risen after the killing of Iranian IRGC-Quds Force commander Qassem Soleimani in a US drone strike while he was in Iraq. Iranian leaders have vowed to retaliate against the US, and the US Department of Homeland Security has warned that previous Iranian plans have included “cyber-enabled” attacks against a range of US targets.

So, if Iran decided to use cyber means to respond, what would that potentially look like?

Iran has long been seen as one of the four countries that pose the greatest online threats to the US, along with China, Russia and North Korea, and there has been a long history of Iranian cyberattacks against the US.


In March 2018, the US Department of Justice charged nine Iranians over a giant cyber-theft campaign that stole more than 31 terabytes of documents and data from more than 140 American universities and 30 American companies.

In March 2016, the US charged seven Iranians over a coordinated campaign of DDoS attacks against 46 companies, mostly in the US financial sector, from late 2011 through mid-2013. At the same time one man was also charged with gaining unauthorised access to the control systems of the Bowman Dam in Rye, NY.

The February 2014 hacking of the Sands Las Vegas Corporation in Las Vegas, which saw customer data stolen and — according to reports — some computers wiped, was also blamed on Iran.

The US has also used cyberattacks against Iran — most notably the Stuxnet virus, which was designed to damage equipment used in Iran’s nuclear programme, back in 2007. More recently in June last year, the US attacked the computer systems used by Iran to control missile launches, after Iran shot down a US surveillance drone.

Iran’s capabilities have been generally seen as more limited than those of Russia and China, but may have expanded recently.

In their most recent global threat assessment — from January last year — the US intelligence agencies said that Iran was attempting to build cyber capabilities that would enable attacks against critical infrastructure in the US and elsewhere.

“Iran has been preparing for cyberattacks against the United States and our allies”, said the report, which warned that Iran was capable of causing “localized, temporary disruptive effects.” Examples include disrupting a large company’s corporate networks for days to weeks, as in the data-wiping attacks Iran has been accused of conducting against targets in Saudi Arabia.

That’s in contrast to Russia and China, which both have the capacity to disrupt critical infrastructure like gas pipelines or power grids.

However, last week’s warning from the US Department of Homeland Security went further. “Iran maintains a robust cyber program and can execute cyberattacks against the United States,” it warned, adding that Iran is capable, at a minimum “of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

A credible offensive actor

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that Iran has continuously improved its offensive cyber capabilities, going beyond DDoS and website defacement, and has demonstrated a willingness to push further, including “destructive wiper malware and, potentially, cyber-enabled kinetic attacks”.

“Iran is a credible offensive actor in cyberspace having moved in recent years to boost their military capability in this area — in the past, they relied on third-party groups and supportive hackers to carry out attacks,” said Duncan Hodges, senior lecturer in Cyberspace Operations at Cranfield University.

Iran’s cyber capabilities can be broken down into three main areas: espionage, destructive attacks and social media manipulation. (Security companies track different Iranian groups under the advanced persistent threat (APT) model as APT33, APT34, APT35 and APT39.)

It has targeted government officials, government organisations, and companies to gain intelligence either for industrial espionage or to improve its positioning for future attacks.

For example, in October, Microsoft warned that its security team had seen Iranian hackers attack 241 email accounts, including those associated with a US presidential campaign, current and former US government officials, journalists covering global politics, and prominent Iranians living outside Iran. Four accounts were compromised as a result. Iranian hackers have also been accused of trying to steal data from US military veterans and attempting to steal academic research.

Iran has also used social media campaigns focused on audiences in the US and elsewhere to advance its interests.

Also in October, Facebook said it had removed three networks of fake accounts linked to Iran (and one linked to Russia) that had, among other things, pushed content from phoney news organisations.

But it’s the use of malware that can wipe PCs and hard drives that Iran’s hackers are probably best known for.

The 2012 attack against the Saudi Aramco oil company using the Shamoon malware is probably the most high-profile cyberattack blamed on Iran. It saw at least 30,000 PCs wiped by the extremely destructive malware.

Since then, according to tech security companies, updated versions of this wiper malware have been used by Iran-backed hackers (or groups masquerading as Iran-backed hackers) to attack targets in Saudi Arabia and the Middle East.

Last month IBM warned of a new form of wiper malware it called ZeroCleare, which aims to overwrite the Master Boot Record and disk partitions on Windows-based machines. IBM said the malware had been used against the industrial and energy sectors and said that Iran-backed hackers were likely responsible.
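The paragraph above describes what a wiper such as ZeroCleare goes after: the Master Boot Record, the first 512-byte sector of a disk, which holds the boot code, the four-entry partition table at offset 446 and the 0x55AA boot signature. The following is an added example written for this page, not code from the article, IBM or any of the groups it names. It parses those structures, records a known-good baseline and reports how a freshly read sector differs from it. The three disk images it checks are constructed in memory (a healthy layout, a fully zeroed sector, and one where only the partition table was zeroed), so it runs offline.

```python
# Added example (not from the article): baseline-and-compare integrity check for
# the Master Boot Record, the on-disk structure that wiper malware overwrites.
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
# One 16-byte partition entry: status, CHS start (3 bytes, skipped), type,
# CHS end (3 bytes, skipped), LBA start, sector count (both little-endian).
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-signature state and the non-empty partition entries."""
    if len(sector) < MBR_SIZE:
        raise ValueError("an MBR sector is 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def baseline(sector: bytes) -> dict:
    """Record what a known-good MBR looks like: its hash and its partition table."""
    return {"sha256": hashlib.sha256(sector[:MBR_SIZE]).hexdigest(),
            "partitions": parse_mbr(sector)["partitions"]}


def check_mbr(sector: bytes, base: dict) -> list:
    """Compare a freshly read MBR with the baseline; an empty list means no findings."""
    findings = []
    parsed = parse_mbr(sector)
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(sector[:MBR_SIZE]).hexdigest() != base["sha256"]:
        findings.append("MBR hash differs from baseline")
    if parsed["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    if len(set(sector[:MBR_SIZE])) == 1:
        findings.append("sector is one repeated byte, consistent with an overwrite")
    return findings


def build_sample_mbr(partitions) -> bytes:
    """Construct a sample MBR: stand-in boot bytes, the given partitions, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[0:3] = b"\xEB\x3C\x90"  # constructed stand-in for real boot code
    for i, (ptype, lba_start, sectors) in enumerate(partitions):
        status = 0x80 if i == 0 else 0x00  # first entry marked active
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET + i * PART_ENTRY_SIZE,
                         status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a healthy disk (NTFS + Linux partitions), a fully zeroed
# first sector, and one where only the partition table was zeroed.
SAMPLE_HEALTHY = build_sample_mbr([(0x07, 2048, 204800), (0x83, 206848, 409600)])
SAMPLE_WIPED = b"\x00" * MBR_SIZE
_partial = bytearray(SAMPLE_HEALTHY)
_partial[PART_TABLE_OFFSET:510] = b"\x00" * (510 - PART_TABLE_OFFSET)
SAMPLE_TABLE_ZEROED = bytes(_partial)

if __name__ == "__main__":
    good = baseline(SAMPLE_HEALTHY)
    for name, image in [("healthy", SAMPLE_HEALTHY), ("wiped", SAMPLE_WIPED),
                        ("table zeroed", SAMPLE_TABLE_ZEROED)]:
        print(name, "->", check_mbr(image, good) or ["ok"])
```

On a live host the sector would come from the first 512 bytes of the raw device (for example `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both of which need administrative rights), and the baseline would be taken when the machine is known to be clean and stored somewhere the host itself cannot overwrite. A check like this only tells you tampering has happened; it does not bring data back, which is why it belongs next to offline backups rather than in place of them.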

“Iran’s history of cyberattacks has been more destructive rather than manipulative. They have looked to destroy and degrade infrastructure and hardware,” said Hodges.

Cyber-espionage alert

All of these different ingredients — digital spying, phishing, social media campaigns and destructive malware — are all potential risks if Iran does decide to use cyber warfare as part of its response.

John Hultquist, director of intelligence analysis at tech security company FireEye, said that a likely first consequence of the current crisis would be an uptick in cyber espionage by Iran.

“They want to know what the US is thinking and how the military is preparing and what our allies are doing. They are going to try to break into the computers belonging to the people who have that information,” he told ZDNet.

While Tehran-backed hacking groups have carried out some attacks against the US previously, like the DDoS attacks against financial institutions, this had declined after the Obama-era nuclear deal, after which Iranian hackers turned their attention to targets in the Gulf region, Hultquist said. But the latest incident could cause them to swing their focus back again.

“They have improved since we last saw them in the US,” Hultquist said. “They are very focused on the destructive wiper capability. We’ve seen a lot of incidents of this wiping capability used primarily against critical infrastructure companies.”

Wiper malware is a bit like ransomware in that it goes after the data on the hard disk — but, unlike ransomware, there’s little hope of getting the information back again.

“You can still cause a lot of damage with just wipers and they’ve focused on that and they’ve got really good at it. The real question now is whether or not they are going to turn that against the US or our allies as a result of this operation,” he said.

If Iran does decide to step up its cyber campaigns against the US and its allies, the first indication could be a new wave of phishing emails and probing of critical infrastructure companies or other targets.

“That will be our first clue that the status quo has changed,” said Hultquist.

If Iran does choose cyber means to launch its response, it could mean the start of a new and darker chapter of the evolution of cyber warfare, according to Hodges.

“Offensive cyber activity has been used in the past to de-escalate tensions and avoid physical military engagement, such as in the US/Iran conflict in the Gulf of Oman last year. With the present conflict we could, for the first time, see cyberattacks used to escalate conflict.”

CISA has a set of recommended actions for organisations to take in the face of potential threats:

This content was originally published here.

Written by: BCyber
