
6/25/2019
12:40 PM

Companies on Watch After US, Iran Claim Cyberattacks

With the cyber conflict between the United States and Iran ramping up, companies traditionally targeted by the countries - such as those in the oil and gas and financial industries - need to bolster their security efforts, experts say.

With tensions ratcheting up in the Middle East — and both the US and Iran claiming to have begun offensive cyber operations — critical infrastructure companies and firms with links to the region need to take a heightened security posture, cyberattack and cyber espionage experts say.

In the past, Iran's cyber operators and proxies have attacked companies with wiper software that deleted data and, more recently, targeted safety systems at critical infrastructure firms, such as oil and gas providers and electric utilities. The country has also conducted wide-ranging cyber espionage attacks against other countries and organizations in the region, as well as deployed surveillance software against dissidents and political targets.

Companies, government agencies, and other organizations should look at those capabilities and targets and determine whether they might be in any of those categories, says Ben Read, senior manager of cyber espionage analysis at FireEye.

"Companies need to ask: Has my sector been targeted before?" he says. "They don't see these activities in a vacuum, so companies that have done business in the region should, perhaps, have more concern — the oil and gas and financial industries, for example."

On June 20, US Cyber Command attacked Iranian computer systems used to control air defense systems and missile launchers, targeting an Iranian intelligence group that the Trump administration claims took part in previous attacks on oil tankers, US officials told multiple news organizations. For their part, Iranian proxies reportedly launched attacks against the US on the same day.

Given the history of cyber operations and the general lack of repercussions for the attacking nations, launching cyberattacks is seen as an option that minimizes the chance of escalation, said Mike Rogers, former director of the National Security Agency and former head of US Cyber Command, at the Cyberweek conference in Israel.

"The US and Iran both view cybersecurity as a potential response option that offers lower risk than a kinetic or military strike," he said. "So we will continue to see more of this because it doesn't necessarily trigger an escalatory response from the other side."

The latest spate of attacks followed the downing of a US drone by Iran's military. The US government claims that the drone was in international airspace, while Iran claims the drone was in its territory.

An Escalation for US Firms
For companies, however, the increase in cyber operations between the two countries could result in increased attack activity.

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) warned companies and industries in the United States to shore up their basic defenses, deploying hardening technologies such as multifactor authentication to ward off increased attacks.

"Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money," said CISA director Christopher Krebs in a statement. "These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you've lost your whole network."
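The tactics Krebs names are ones a detection team should be able to spot in its own authentication logs. As an added example (not part of the original article, and not CISA or FireEye tooling), the Python below runs two heuristics over constructed sample log lines; the log format, IP addresses and usernames are assumptions. It contrasts a classic per-(source, account) brute-force counter with a per-source password-spraying detector: a spray touches many accounts but fails only once or twice per account, so the per-account counter never fires. A later successful login from a spraying source is reported as a probable account compromise, the stage Krebs describes as the start of a network-wide loss.

```python
"""Spotting password spraying vs. brute force in authentication logs.
Added example; the log format and all sample data are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from any real system). Assumed format:
#   <ISO-8601 UTC timestamp> <FAIL|OK> user=<name> src=<ip>
SAMPLE_LOG = """\
2019-06-21T08:00:01Z FAIL user=alice src=203.0.113.7
2019-06-21T08:00:03Z FAIL user=bob src=203.0.113.7
2019-06-21T08:00:05Z FAIL user=carol src=203.0.113.7
2019-06-21T08:00:07Z FAIL user=dave src=203.0.113.7
2019-06-21T08:00:09Z FAIL user=erin src=203.0.113.7
2019-06-21T08:00:11Z FAIL user=frank src=203.0.113.7
2019-06-21T08:05:02Z OK user=frank src=203.0.113.7
2019-06-21T09:10:00Z FAIL user=admin src=198.51.100.9
2019-06-21T09:10:10Z FAIL user=admin src=198.51.100.9
2019-06-21T09:10:20Z FAIL user=admin src=198.51.100.9
2019-06-21T09:10:30Z FAIL user=admin src=198.51.100.9
2019-06-21T09:10:40Z FAIL user=admin src=198.51.100.9
2019-06-21T10:00:00Z FAIL user=alice src=192.0.2.10
2019-06-21T10:00:07Z OK user=alice src=192.0.2.10
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str


def parse_log(text: str) -> list:
    """Parse the assumed log format into time-sorted AuthEvents, skipping junk."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] not in ("FAIL", "OK"):
            continue
        if not (parts[2].startswith("user=") and parts[3].startswith("src=")):
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuthEvent(ts, parts[1] == "OK", parts[2][5:], parts[3][4:]))
    return sorted(events, key=lambda e: e.ts)


def _windows(items, window, key):
    """Yield (i, j) so that items[i:j] all lie within `window` of items[i]."""
    j = 0
    for i in range(len(items)):
        while j < len(items) and key(items[j]) - key(items[i]) <= window:
            j += 1
        yield i, j


def detect_password_spray(events, window=timedelta(minutes=15),
                          min_accounts=5, max_fails_per_account=2):
    """One source hitting >= min_accounts distinct users, each failing at most
    max_fails_per_account times inside `window`. A later success from the same
    source is reported as a probable compromise of that account."""
    fails_by_src = defaultdict(list)
    for e in events:
        if not e.ok:
            fails_by_src[e.src].append(e)
    findings = []
    for src, fails in fails_by_src.items():
        best = {}
        for i, j in _windows(fails, window, lambda e: e.ts):
            per_user = defaultdict(int)
            for e in fails[i:j]:
                per_user[e.user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_fails_per_account
                    and len(per_user) > len(best)):
                best = dict(per_user)
        if not best:
            continue
        start = fails[0].ts
        hits = sorted({e.user for e in events if e.ok and e.src == src and e.ts >= start})
        findings.append({"src": src, "accounts": sorted(best), "compromised": hits})
    return findings


def detect_brute_force(events, window=timedelta(minutes=15), threshold=5):
    """Classic per-(source, account) counter: >= threshold failures in `window`."""
    times = defaultdict(list)
    for e in events:
        if not e.ok:
            times[(e.src, e.user)].append(e.ts)
    findings = []
    for (src, user), ts in times.items():
        for i, j in _windows(ts, window, lambda t: t):
            if j - i >= threshold:
                findings.append({"src": src, "user": user, "failures": j - i})
                break
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("SPRAY", detect_password_spray(evts))  # 203.0.113.7, 6 accounts, frank compromised
    print("BRUTE", detect_brute_force(evts))     # 198.51.100.9 vs admin, 5 failures
```

Run against the constructed lines, the brute-force counter flags only 198.51.100.9 against admin, while 203.0.113.7 (one failure per account, six accounts) is invisible to it and is caught only by the per-source detector, together with the later successful login as frank. The thresholds are deliberately below a typical lockout policy; tune `min_accounts` and the window to the tenant's size and normal failure rate.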

In many cases, US companies are not up to the challenge. In a recent study, real-time monitoring firm Endace found that almost 90% of surveyed firms did not have good visibility into network activity.

Iran's Skilled Attackers
Iran's cyber capability is significant. Its 2012 attack against Saudi Arabia's state-owned oil company Saudi Aramco resulted in the destruction of data on tens of thousands of hard drives. More recently, attacks against oil and gas companies and electric utilities that targeted a specific type of safety system have also been linked to Iranian actors.

FireEye has attributed multiple attacks against large companies to Iranian cyberattackers, including one group it has been tracking for more than four years. The group — labeled "APT39" by FireEye, Remix Kitten by CrowdStrike, and Chafer by Symantec — has targeted telecommunications, travel, and technology firms.

"Iran certainly has gotten into lots of US companies," FireEye's Read says. "I know because we have responded to incidents and had to kick them out."

In the "Worldwide Threat Assessment of the U.S. Intelligence Community," an annual report delivered to the US Congress, director of national intelligence Daniel Coats warned that Iran's cyber capabilities pose an increasing threat to US companies.

"Iran uses increasingly sophisticated cyber techniques to conduct espionage," he stated. "It is also attempting to deploy cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries."

He added: "[Iran] is capable of causing localized, temporary disruptive effects — such as disrupting a large company's corporate networks for days to weeks — similar to its data deletion attacks against dozens of Saudi governmental and private-sector networks in late 2016 and early 2017."

Back to Basics
Security experts stress that companies need to do the basics well. The US Department of Homeland Security prodded firms to deploy multifactor authentication to stymie account takeovers and urged firms to work on speeding up their incident response.

FireEye's Read also recommends that companies make sure they are doing the basics consistently.

"Doing the basics right is the most important thing for security," he says. "If you already are doing that, take it to the next level — look at the tactics of specific adversaries and make sure you can spot those in your own network."

In the end, while the US and Iran gear up for cyber operations, businesses will find themselves at the front lines.

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
tdsan,
User Rank: Ninja
6/27/2019 | 2:10:54 PM
US claims cyber-attacks.
Thank you for this well-written post. I was reading some of the information submitted; this is a result of the attack on Iranian centrifuges that occurred years ago (yeah, this came from us - Stuxnet). At this point, we will be held responsible for the covert actions of a government that has run rampant in their cyber-kill chain (literally).
"The US and Iran both view cybersecurity as a potential response option that offers lower risk than a kinetic or military strike," he said. "So we will continue to see more of this because it doesn't necessarily trigger an escalatory response from the other side."

I agree with this assertion, look at what we are doing (US):
  • Stuxnet - 2010, Triton, Nitro Zeus, and Pegasus/Trident.

I mean at some point, we had to know that they were going to reverse engineer this virus and unleash a Cyber-Apocalypse on the US. I am not so sure if our utility infrastructure will be able to handle it. Also, remember, they have tried this already with Triton; thankfully this was thwarted most recently https://ubm.io/2IFcbA0 (Triton Attack). This is what "FireEye" said about the attack - https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

  • The TRITON malware contained the capability to communicate with Triconex SIS controllers (e.g. send specific commands such as halt or read its memory content) and remotely reprogram them with an attacker-defined payload. The TRITON sample Mandiant analyzed added an attacker-provided program to the execution table of the Triconex controller. This sample left legitimate programs in place, expecting the controller to continue operating without a fault or exception. If the controller failed, TRITON would attempt to return it to a running state. If the controller did not recover within a defined time window, this sample would overwrite the malicious program with invalid data to cover its tracks.
    This sounds very similar to Stuxnet (we made this); we need to initiate a "stand-down" order on the attacks we are initiating from the US to other OCONUS locations or this situation will only get worse. A word to the wise, I think we have been warned enough and we continue to play with fire.