Alert! Potential Iranian Cyber Responses to U.S. Military Actions

A cybersecurity alert has been issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA)

If you have been following the news lately, you may have heard about recent events between the United States and Iran. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert describing Iran’s history of offensive cyber activity and giving recommendations for businesses to follow.

CISA has recommended taking the following actions:

  1. Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, consuming relevant threat intelligence more consistently, and making sure emergency call trees are up to date.
  2. Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
  3. Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system.
  4. Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the access they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.

It isn’t just government organizations that are at risk. The financial industry, energy companies, chemical plants, healthcare, critical manufacturing, communications, and the defense industrial base are all at risk.

Iran’s past cyber activity against American organizations has included:

  • DDoS attacks targeting the U.S. financial sector, which focused primarily on U.S. banks and cost millions of dollars in remediation.
  • The Bowman Avenue Dam in Rye, New York, where they gained access to information about the status and operation of the dam.
  • The Las Vegas Sands Corporation, where they stole customer data, including credit card numbers, Social Security numbers, and driver’s license numbers, and then wiped the Sands’ computer systems.
  • From 2013 to 2017 they also targeted 144 U.S. universities, 47 domestic and foreign private-sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund. Those thefts targeted academic research and intellectual property as well as email credentials.

Credible Offensive Threats

Iran has continuously improved its capabilities, and its operations now go well beyond DDoS attacks; they may include data-wiping malware. In October, Microsoft disclosed that Iranian state-sponsored hackers were attempting to access the email accounts of government officials. Last year, Twitter deleted nearly 5,000 accounts backed by or associated with the Iranian government. Recently, IBM warned of a new wiper malware called ZeroCleare, which overwrites the master boot record and disk partitions on Windows-based machines.

Digital espionage, phishing, social media influence campaigns, and malware are all potential risks if Iran turns to cyber warfare, and a lot of damage can be done.

In today’s digital landscape, it isn’t just the military and defense industry that have legitimate reasons to be concerned about cyber terrorism and state-sponsored cyber attacks. Financial services, retail, and healthcare organizations all hold data which, if stolen, could cause a disruption in the American economy.

CISA has a set of recommended actions for organizations to take in the face of potential threats:

  • Disable all unnecessary ports and protocols. Review network security device logs to determine which ports and protocols are actually needed and shut off the rest. Monitor common ports and protocols for command and control activity.
  • Enhance monitoring of network and email traffic, and watch for new phishing themes.
  • Patch externally facing equipment, with a focus on critical and high-severity vulnerabilities that allow remote code execution or denial of service.
  • Limit the use of PowerShell to only the users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
  • Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.
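The PowerShell and port-hygiene items above can be applied on a single Windows host with a few lines of PowerShell. The script below is an added example for this post; it is not taken from the CISA alert, and it assumes an administrative session, a transcript directory of C:\PSTranscripts (pick one your log collector forwards), and a hand-picked set of regular expressions as a rough heuristic for suspicious script blocks. Tighten the heuristics and the firewall rule to your own environment before using them.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the CISA alert or the original post.
# Applies the PowerShell signing/logging recommendations and lists listening
# ports so unnecessary ones can be closed. Paths and regexes are assumptions.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Set-PolicyValue {
    # Create the policy key if missing and write one value under it.
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $key = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Require signed scripts machine-wide (the "code signing" recommendation).
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Log every script block (Event ID 4104) and every cmdlet invocation (4103).
Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

# 3. Keep full session transcripts; forward this directory to the SIEM.
$TranscriptDir = 'C:\PSTranscripts'   # assumption: choose a collected path
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
# Limiting *who* may run PowerShell is done with AppLocker/WDAC policy rather
# than a registry value; that part is left to your application-control policy.

function Test-PowerShellLoggingPolicy {
    # Read back the three policy switches so the change can be verified.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty "$PolicyRoot\ScriptBlockLogging").EnableScriptBlockLogging
        ModuleLogging      = (Get-ItemProperty "$PolicyRoot\ModuleLogging").EnableModuleLogging
        Transcription      = (Get-ItemProperty "$PolicyRoot\Transcription").EnableTranscripting
        ExecutionPolicy    = Get-ExecutionPolicy -Scope LocalMachine
    }
}

function Find-SuspiciousScriptBlocks {
    # Heuristic sweep of recent 4104 events for encoded or download-and-run
    # patterns; the regex list is an assumption, not an official indicator set.
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '-enc|FromBase64String|DownloadString|Invoke-Expression|\bIEX\b|Net\.WebClient' } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
}

function Get-ListeningPorts {
    # Listening TCP ports with the owning process, to decide what to shut off.
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = $proc.ProcessName
                PID     = $_.OwningProcess
            }
        }
}

Test-PowerShellLoggingPolicy
Get-ListeningPorts | Format-Table -AutoSize
Find-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize

# Example of closing a port you decided is unnecessary (assumption: SMB is not
# needed on the Public profile for this host). Uncomment after review.
# New-NetFirewallRule -DisplayName 'Block inbound SMB' -Direction Inbound `
#     -Protocol TCP -LocalPort 445 -Action Block -Profile Public
```

Run the script once per host (or push the same registry values by Group Policy), then confirm that 4104 events appear in the Microsoft-Windows-PowerShell/Operational log and that the transcript directory is being forwarded; logging that nobody collects does not satisfy the recommendation.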

If your company has been following cybersecurity best practices and runs a tight ship, you likely have little to worry about. A gap in your defenses, however, could be a much bigger problem, especially if you store sensitive data such as Social Security numbers or medical information.

Security best practices should include:

  • A strong password policy
  • Multi-layered cybersecurity defenses
  • Keeping all of your software and applications up to date
  • Training all of your employees to spot phishing emails
  • Monitoring both user and file activity
  • Using multi-factor authentication

Custom Information Services has been in business since 1989 and has helped hundreds of organizations fortify and strengthen their cybersecurity defenses.

Published On: January 7, 2020 | Categories: Cybersecurity