With tensions ratcheting up in the Middle East — and both the US and Iran claiming to have begun offensive cyber operations — critical infrastructure companies and firms with links to the region need to take a heightened security posture, cyberattack and cyber espionage experts say.
In the past, Iran's cyber operators and proxies have attacked companies with wiper software that deleted data and, more recently, targeted safety systems at critical infrastructure firms, such as oil and gas providers and electric utilities. The country has also conducted wide-ranging cyber espionage attacks against other countries and organizations in the region, as well as deployed surveillance software against dissidents and political targets.
Companies, government agencies, and other organizations should look at those capabilities and targets and determine whether they might be in any of those categories, says Ben Read, senior manager of cyber espionage analysis at FireEye.
"Companies need to ask: Has my sector been targeted before?" he says. "They don't see these activities in a vacuum, so companies that have done business in the region should, perhaps, have more concern — the oil and gas and financial industries, for example."
On June 20, the US Cyber Command attacked Iranian computer systems used to control air defense systems and missile launchers, targeting an Iranian intelligence group that the Trump administration claims took part in previous attacks on oil tankers, US officials told multiple news organizations. For its part, Iranian proxies reportedly launched attacks against the US on the same day.
Given the history of cyber operations, and the general lack of repercussions for the attacking nations, launching cyberattacks is seen as an option that minimizes the chance of escalation, said Mike Rogers, former director of the National Security Agency and former head of the US Cyber Command, at the Cyberweek conference in Israel.
"The US and Iran both view cybersecurity as a potential response option that offers lower risk than a kinetic or military strike," he said. "So we will continue to see more of this because it doesn't necessarily trigger an escalatory response from the other side.”
The latest spate of attacks followed the downing of a US drone by Iran's military. The US government claims that the drone was in international airspace, while Iran claims the drone was in its territory.
An Escalation for US Firms
For companies, however, the increase in cyber operations between the two countries could result in increased attack activity.
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned companies and industries in the United States to shore up their basic defenses, deploying hardening technologies such as multifactor authentication to ward off increased attacks.
"Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money," said CISA director Christopher Krebs in a statement. "These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network."
In many cases, US companies are not up for the challenge. In a recent study, real-time monitoring firm Endace found that almost 90% of surveyed firms did not have good visibility into network activity.
Iran's Skilled Attackers
Iran's cyber capability is significant. Its 2012 attack against Saudi Arabia's state-owned oil company Saudi Aramco resulted in the destruction of data on tens of thousands of hard drives. More recently, attacks against oil and gas companies and electric utilities that targeted a specific type of safety system have also been linked to Iranian actors.
FireEye has attributed multiple attacks against large companies to Iranian cyberattackers, including one it has been tracking for more than four years. The group — labeled "APT39" by FireEye, Helix Kitten by CrowdStrike, and Chafer by Symantec — has targeted telecommunications, travel, and technology firms.
"Iran certainly has gotten into lots of US companies," FireEye's Read says. "I know because we have responded to incidents and had to kick them out."
In the "Worldwide Threat Assessment of the U.S. Intelligence Community," an annual report delivered to the US Congress, director of national intelligence Daniel Coats warned that Iran's cyber capabilities pose an increasing threat to US companies.
"Iran uses increasingly sophisticated cyber techniques to conduct espionage," he stated. "It is also attempting to deploy cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries."
He added: "[Iran] is capable of causing localized, temporary disruptive effects — such as disrupting a large company's corporate networks for days to weeks — similar to its data deletion attacks against dozens of Saudi governmental and private-sector networks in late 2016 and early 2017."
Back to Basics
Security experts stress that companies need to do the basics well. The US Department of Homeland Security prodded firms to deploy multifactor authentication to stymie account takeovers and urged firms to work on speeding up their incident response.
FireEye's Read also recommends that companies make sure they are doing the basics consistently.
"Doing the basics right is the most important thing for security," he says. "If you already are doing that, take it to the next level — look at the tactics of specific adversaries and make sure you can spot those in your own network."
In the end, while the US and Iran gear up for cyber operations, businesses will find themselves at the front lines.