The United States ran a full-court press against Iranian hackers last week, including indictments from the Department of Justice, the FBI identifying malware used in attacks, and the addition of government-aligned hackers to the sanctions list by Treasury.
In theory, increasing pressure against a foreign group may cause a pause in operations. Alternately, sanctions can spur countries like Iran to seek retaliation, or encourage new espionage. What does the flurry actions against Iran suggest about how the threat will change moving forward, particularly for industries like aerospace and non-governmental groups targeted in the past?
It would be unlike Iran to pause operations, said Sarah Jones, senior principal analayst at Mandiant threat intelligence.
"With some APT groups, we've seen lulls to retool when they've been exposed," she said. "There's sometimes a break. From what we've seen in the past, Iranian actors don't retool."
An increase in Iranian threats could take multiple forms. On September 18, for example, amid all the federal activity, the city of Carmel, Indiana reported that a website had been defaced by hackers claiming to be from Iran. Defacements as retaliation were a component of the indictments – then allegedly in response to the U.S. strike killing Iranian Major General Qassim Suliemani.
The federal actions show the full range of actors who might respond, noted Jones, from Iranian inspired hacktivists to more formal government actors.
"As is typical in these situations, it is very likely that there will be increased Iranian threat actor activity in response to the U.S. restoring international sanctions on the country effective Sept. 19," noted Crowdstrike Vice President of Intelligence Adam Meyer by email. He went on to note that other geopolitical stressors might impact Iran's decisions, including U.S.-led deals for Arab nations to normalize relationships with Israel.
Given such tensions, CISOs need ensure a response strategy is in place, should Iranian attacks target systems in their sector. That means, said Jones, watching for the indicators of compromise and Iran-specific malware released by the government.
And, as DarkTrace's director for intelligence and analysis Justin Fier noted, make sure you can handle the off-the-shelf and living-off-the-land tools Iranian actors were caught using, like Metasploit and Mimikatz.
"If I'm a CISO, I'm looking to my team and asking if we could stop tools teenagers have access to, he said.