Companies on Watch After US, Iran Claim Cyberattacks

With the cyber conflict between the United States and Iran ramping up, companies traditionally targeted by the countries - such as those in the oil and gas and financial industries - need to bolster their security efforts, experts say.

With tensions ratcheting up in the Middle East — and both the US and Iran claiming to have begun offensive cyber operations — critical infrastructure companies and firms with links to the region need to take a heightened security posture, cyberattack and cyber espionage experts say.

In the past, Iran's cyber operators and proxies have attacked companies with wiper software that deleted data and, more recently, targeted safety systems at critical infrastructure firms, such as oil and gas providers and electric utilities. The country has also conducted wide-ranging cyber espionage attacks against other countries and organizations in the region, as well as deployed surveillance software against dissidents and political targets.

Companies, government agencies, and other organizations should look at those capabilities and targets and determine whether they might be in any of those categories, says Ben Read, senior manager of cyber espionage analysis at FireEye.

"Companies need to ask: Has my sector been targeted before?" he says. "They don't see these activities in a vacuum, so companies that have done business in the region should, perhaps, have more concern — the oil and gas and financial industries, for example."

On June 20, US Cyber Command attacked Iranian computer systems used to control air defense systems and missile launchers, targeting an Iranian intelligence group that the Trump administration claims took part in previous attacks on oil tankers, US officials told multiple news organizations. Iranian proxies, for their part, reportedly launched attacks against US targets on the same day.

Given that history of cyber operations, and the general lack of repercussions for the attacking nations, launching cyberattacks is seen as the option that minimizes the chance of escalation, said Mike Rogers, former director of the National Security Agency and former head of US Cyber Command, at the Cyberweek conference in Israel.

"The US and Iran both view cybersecurity as a potential response option that offers lower risk than a kinetic or military strike," he said. "So we will continue to see more of this because it doesn't necessarily trigger an escalatory response from the other side."

The latest spate of attacks followed the downing of a US drone by Iran's military. The US government claims that the drone was in international airspace, while Iran claims the drone was in its territory.

An Escalation for US Firms
For companies, the escalation in cyber operations between the two governments is likely to translate into more attack activity aimed at them.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned US companies and industries to shore up their basic defenses, including deploying hardening measures such as multifactor authentication, ahead of an expected increase in attacks.

"Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money," said CISA director Christopher Krebs in a statement. "These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network."

In many cases, US companies are not up for the challenge. In a recent study, real-time monitoring firm Endace found that almost 90% of surveyed firms did not have good visibility into network activity. 

Iran's Skilled Attackers
Iran's cyber capability is significant. Its 2012 attack against Saudi Arabia's state-owned oil company Saudi Aramco destroyed data on tens of thousands of hard drives. More recently, attacks on oil and gas companies and electric utilities that targeted a specific type of safety system have also been linked to Iranian actors.

FireEye has attributed multiple attacks against large companies to Iranian cyberattackers, including one it has been tracking for more than four years. The group — labeled "APT39" by FireEye, Helix Kitten by CrowdStrike, and Chafer by Symantec — has targeted telecommunications, travel, and technology firms.

"Iran certainly has gotten into lots of US companies," FireEye's Read says. "I know because we have responded to incidents and had to kick them out."

In the "Worldwide Threat Assessment of the U.S. Intelligence Community," an annual report delivered to the US Congress, Director of National Intelligence Daniel Coats warned that Iran's cyber capabilities pose an increasing threat to US companies.

"Iran uses increasingly sophisticated cyber techniques to conduct espionage," he stated. "It is also attempting to deploy cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries."

He added: "[Iran] is capable of causing localized, temporary disruptive effects — such as disrupting a large company's corporate networks for days to weeks — similar to its data deletion attacks against dozens of Saudi governmental and private-sector networks in late 2016 and early 2017."

Back to Basics
Security experts stress that companies need to do the basics well. The US Department of Homeland Security prodded firms to deploy multifactor authentication to stymie account takeovers and urged them to speed up their incident response.

FireEye's Read also recommends that companies make sure they are doing the basics consistently.

"Doing the basics right is the most important thing for security," he says. "If you already are doing that, take it to the next level — look at the tactics of specific adversaries and make sure you can spot those in your own network."
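Krebs's list of enabling tactics (spear phishing, password spraying, credential stuffing) and Read's advice to look for specific adversary tactics in your own network both come down to having detection logic that aggregates authentication failures the right way. The following is an added example, not code from the article, CISA or FireEye: a small Python detector run over constructed authentication records (the log format, the IP addresses, the usernames and the thresholds `min_users=8`, `max_per_user=2` and `min_attempts=10` are all assumptions chosen for illustration). The point it makes is that per-account lockout counters miss a spray, because each account sees only one or two failures; the signal only appears when failures are aggregated per source across many accounts.

```python
"""Detect password spraying and single-account brute force in auth logs.

Password spraying: one source tries a few common passwords against MANY
accounts, staying under per-account lockout thresholds. Brute force: one
source hammers ONE account with many passwords. The two need different
aggregations, so a per-account lockout counter alone never sees a spray.

Added example; log format, addresses, names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication records (not from the article):
# "timestamp,src_ip,user,result", one event per line.
SAMPLE_LOG = """\
2019-06-24T08:00:01,203.0.113.7,alice,FAIL
2019-06-24T08:00:04,203.0.113.7,bob,FAIL
2019-06-24T08:00:09,203.0.113.7,carol,FAIL
2019-06-24T08:00:13,203.0.113.7,dave,FAIL
2019-06-24T08:00:20,203.0.113.7,erin,FAIL
2019-06-24T08:00:25,203.0.113.7,frank,FAIL
2019-06-24T08:00:31,203.0.113.7,grace,FAIL
2019-06-24T08:00:36,203.0.113.7,heidi,FAIL
2019-06-24T08:00:41,203.0.113.7,ivan,FAIL
2019-06-24T08:00:47,203.0.113.7,judy,SUCCESS
2019-06-24T08:30:00,198.51.100.9,alice,FAIL
2019-06-24T08:30:01,198.51.100.9,alice,FAIL
2019-06-24T08:30:02,198.51.100.9,alice,FAIL
2019-06-24T08:30:03,198.51.100.9,alice,FAIL
2019-06-24T08:30:04,198.51.100.9,alice,FAIL
2019-06-24T08:30:05,198.51.100.9,alice,FAIL
2019-06-24T08:30:06,198.51.100.9,alice,FAIL
2019-06-24T08:30:07,198.51.100.9,alice,FAIL
2019-06-24T08:30:08,198.51.100.9,alice,FAIL
2019-06-24T08:30:09,198.51.100.9,alice,FAIL
2019-06-24T09:15:00,192.0.2.44,carol,FAIL
2019-06-24T09:15:30,192.0.2.44,carol,SUCCESS
"""


def parse_log(text):
    """Parse lines into (time, src_ip, user, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src_ip, user, result = line.split(",")
        events.append((datetime.fromisoformat(ts), src_ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def detect_password_spray(events, window=timedelta(minutes=15),
                          min_users=8, max_per_user=2):
    """Flag sources that fail against many distinct accounts, few tries each.

    A SUCCESS from the same source inside the window is reported as a likely
    account compromise, which is the point at which a spray turns into the
    network-wide incident CISA warns about.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = []
    for src_ip, evs in by_src.items():
        i = 0
        while i < len(evs):
            start = evs[i][0]
            in_window = [e for e in evs[i:] if e[0] - start <= window]
            failures = defaultdict(int)
            successes = set()
            for _, _, user, result in in_window:
                if result == "FAIL":
                    failures[user] += 1
                else:
                    successes.add(user)
            if failures and len(failures) >= min_users \
                    and max(failures.values()) <= max_per_user:
                alerts.append({
                    "src_ip": src_ip,
                    "window_start": start.isoformat(),
                    "distinct_users": len(failures),
                    "attempts": sum(failures.values()),
                    "successes": sorted(successes),
                })
                i += len(in_window)  # do not re-alert on the same window
            else:
                i += 1
    return alerts


def detect_brute_force(events, window=timedelta(minutes=15), min_attempts=10):
    """Flag (src_ip, user) pairs with many failures against a single account."""
    by_pair = defaultdict(list)
    for t, src_ip, user, result in events:
        if result == "FAIL":
            by_pair[(src_ip, user)].append(t)
    alerts = []
    for (src_ip, user), times in by_pair.items():
        for i, start in enumerate(times):  # times are already time-ordered
            count = sum(1 for t in times[i:] if t - start <= window)
            if count >= min_attempts:
                alerts.append({"src_ip": src_ip, "user": user,
                               "failures": count,
                               "window_start": start.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in detect_password_spray(evs):
        print("SPRAY", a)
    for a in detect_brute_force(evs):
        print("BRUTE", a)
```

On the constructed sample, 203.0.113.7 is reported as a spray (nine accounts, one failure each, then a successful login as `judy`), while 198.51.100.9 is reported as brute force against `alice` and never trips the spray rule. Two caveats a practitioner should keep in mind: real sprayers rotate source addresses, so in practice the per-source aggregation is often done per ASN, per user agent or with the identity provider's own risk signals rather than per IP; and credential stuffing (previously leaked valid pairs, one try per account from many sources) produces few failures at all, so it is better caught by first-time successful logins from unfamiliar sources than by either rule above.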

In the end, while the US and Iran gear up for cyber operations, businesses will find themselves at the front lines.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Reader comment, posted 6/27/2019 | 2:10:54 PM
US claims cyber-attacks.
Thank you for this well-written post. I was reading some of the information submitted; this is a result of the attack on Iranian centrifuges that occurred years ago (yeah, this came from us - Stuxnet). At this point, we will be held responsible for the covert actions of a government that has run rampant in their cyber-kill chain (literally).
"The US and Iran both view cybersecurity as a potential response option that offers lower risk than a kinetic or military strike," he said. "So we will continue to see more of this because it doesn't necessarily trigger an escalatory response from the other side."

I agree with this assertion, look at what we are doing (US):
  • Stuxnet - 2010, Triton, Nitro Zeus, and Pegasus/Trident.

I mean at some point, we had to know that they were going to reverse engineer this virus and unleash a Cyber-Apocalypse on the US. I am not so sure if our utility infrastructure will be able to handle it. Also, remember, they have tried this already with Triton, thankfully this was thwarted most recently https://ubm.io/2IFcbA0 (Triton Attack). This is what "FireEye" said about the attack - https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

  • The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.
    This sounds very similar to Stuxnet (we made this), we need to initiate a "stand-down" order on the attacks we are initiating from the US to other OCONUS locations or this situation will only get worse. A word to the wise, I think we have been warned enough and we continue to play with fire.