According to a U.S. Department of Homeland Security (DHS) warning issued January 4, 2020, the government is preparing for the possibility of Iran-sponsored cyberattacks following the January 3 airstrike that killed Iranian commander Qasem Soleimani.
The warning, issued over the National Terrorism Advisory System, stated that there is no proof or other information indicating a specific, credible threat at this time. However, it identified U.S. infrastructure as a likely target and noted that Iran maintains a “robust cyber program.”
While some expect Iran to de-escalate tensions because its conventional military power is limited by comparison, the nation’s cyber capabilities could pose a serious threat if put to use.
Iran’s Cyber Capabilities
For years, Iran has been commonly listed as one of the top four countries that pose the biggest cyber threat to the United States, just behind Russia and China. In 2018, the National Counterintelligence and Security Center stated:
“We anticipate that China, Russia, and Iran will remain aggressive and capable collectors of sensitive U.S. economic information and technologies… We believe that Iran will continue working to penetrate U.S. networks for economic or industrial espionage purposes.”
Foreign affairs experts note that during General Soleimani’s time overseeing military and intelligence operations, the country greatly expanded its cyber capabilities. Since 2012, Iranian hacking groups have been linked to several large-scale cyberattacks on targets including American banks, universities, oil suppliers, nuclear plants, and other organizations that make up the nation’s critical infrastructure. A report first released in 2014 by a U.S. cybersecurity company, now BlackBerry Cylance, described Iranian hacking capabilities and gave a detailed analysis of a specific coalition of hackers and initiatives dubbed “Operation Cleaver,” which it linked to multiple early-2010s instances of industrial sabotage and espionage. Iranian hacking and sabotage campaigns have continued as recently as the end of last year, when the group APT33 was linked to physically disruptive cyberattacks on critical infrastructure.
Backed by the Iranian government, hacking groups like these could escalate their attacks and have a significant impact on U.S. critical infrastructure.
Learn more about other Iranian threat groups: APT39 | OilRig | CopyKittens | Leafminer | View all identified threat groups on MITRE ATT&CK
Operation Cleaver – 2014
Operation Cleaver, a code name for a coalition of cyberattacks by groups including an Iranian team called Tarh Andishan, has targeted critical infrastructure around the world since at least 2011, according to the report, which was last updated in 2016. Analysts speculate that the attacks associated with Operation Cleaver may have been Iranian retaliation for attacks in which Iran itself was the target, including the infamous Stuxnet.
The targets and victims of Operation Cleaver included hospitals, utility companies, airlines, government sites, and other critical infrastructure sites within the United States, Canada, China, Pakistan, South Korea, and other countries. Cylance’s investigation identified more than 50 victims, ten of them in the U.S. – a major airline, a medical university, a natural gas production company, automobile manufacturers, and defense contractors.
The evidence collected by the investigation demonstrated Iran’s capability to seriously compromise critical infrastructure, nearly six years before the current threat of retaliation against the U.S. arose. These capabilities included the use of malware, SQL injection, backdoor installation, data exfiltration, and more. At one point the group even used these techniques to fully compromise credentials, access payment systems, and gain control over transportation networks and security systems within airports.
For more information on the tactics, techniques, and tools used in Operation Cleaver, read the report here.
What does this mean for the U.S., and what does it mean for organizations like yours?
To start, cybersecurity should be at the forefront of everyone’s priorities as we monitor the actions of our adversaries. No matter the size of your business, the work you do has an impact on your community, and that makes you a viable target for a cyberattack of any scale.
Attacks on national infrastructure often involve more than one primary target. In fact, large organizations and corporations are at risk of being breached through their network of partners and service providers, as seen in the Target breach. An attack on an organization like yours could be an early step in a larger scheme, even if you believe you are “too small” or unimportant to be a target for hacking campaigns.
If your organization operates in an industry that is linked to or could be associated with local, municipal, or even national infrastructure—from finance, to energy, to transportation—it is important that your network security is strong enough to defend against nation-state level attacks.
For more information about defending against common adversaries, read more about cybersecurity bundles.
If this information has brought your cybersecurity posture to mind, reach out to us to talk to an expert and examine where you currently stand. We’re in this fight together.