
No immediate cyberthreat seen over Soleimani killing, but preparation is key

The most recent military phase of the United States' ongoing confrontation with Iran appears to be over. Chatter among Iran's supporters expressing anger over recent events is being detected, but none of it indicates an immediate threat.

However, that does not mean government agencies, companies and others who may find themselves in Iran’s crosshairs should be complacent.

“A country on the other side of the globe could potentially inflict damage on a critical service in the U.S. (i.e. water, power, banking) at a fraction of the cost of a transatlantic ballistic missile. This is why many experts predict that the next major attack on U.S. soil will be cyber in nature,” said Phil Menard, assistant professor at The University of Texas at San Antonio.

That being said, cybersecurity analysts do not believe a direct Iranian cyberattack is imminent, but it is not clear exactly how or when Iranian proxies and closely aligned APT groups will react to the killing of Iranian General Qasem Soleimani last week. A few defacements of government websites have supposedly been conducted in response to the strike, but Jerome Segura, Malwarebytes' director of threat intelligence, believes these were the actions of small-time groups.

“So far I think the media has jumped the gun by looking at site defacements and concluding that those are Iran's response. Those are more likely sympathizers using basic tools not requiring any advanced skills. I would think that in the immediate future, attacks (on both sides) will be in the physical field with actual rockets,” he told SC Media.

Allison Wikoff, senior researcher with the Secureworks Counter Threat Unit, agreed, saying that what has been observed so far on some dark web sites is not coming from the Iranian government.

“Secureworks has observed emotional responses regarding Soleimani’s killing on some Iranian channels. Cyber activity sourced from these forums is likely to be the work of individual, patriotic hackers versus government-directed operations,” she said.

What the ceasefire on the military front has not stopped are campaigns and efforts previously launched by Iran, said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. The groups behind these attacks are most likely simply following through on plans made months ago before tensions between the U.S. and Iran exploded.

“We are seeing Iranian state-sponsored groups continue campaigns that were started in early December 2019. These attacks use targeted, malicious emails to steal user credentials and establish a foothold within organizations,” DeGrippo said.

None of the researchers queried believed Iran itself would tip off any upcoming cyberattacks on the dark web, and so far there has not been any discussion from bystanders indicating that a cyberattack had been launched by any of the parties involved.

“It is, however, plausible that they are in the preparation phase and will be considering new strategic targets and/or how to use any existing footholds they maintain in networks of interest,” Wikoff said.

DeGrippo noted that the attacks currently underway use methods typical for Iran and Iranian-backed groups, centered on targeted, malicious emails that steal user credentials and establish a foothold within organizations.

Segura believes these same tactics likely will be used down the road when targets are hit with phishing attacks or watering hole attacks.

Iran and its proxy groups have been blamed for numerous attacks even before Soleimani was killed. This means downplaying any potential threat is a mistake and even organizations that feel well prepared should take extra precautions.

One step is to reduce the attack surface, complete back-to-basics security program updates and make sure employees are trained to identify possible threats. Make sure patches are put in place, as known vulnerabilities are a favorite entry point for an attacking APT group.

“Watch what’s coming in and out of the network, and watch what employees are clicking on, opening, and distributing with the company. The smaller the surface, the harder it is for attackers to do anything,” said DeGrippo.
