US Conflict With Iran Sparks Cybersecurity ConcernsHomeland Security Reminds CISOs to Protect Critical Systems
See Also: The Anatomy of the Solarwinds Attack
After an Iranian general was killed in a U.S. drone strike in Baghdad late Thursday night, security experts and the Department of Homeland Security warned of possible retaliatory cyber strikes from Iran that could target critical infrastructure, government agencies as well as private businesses.
The death of Major General Qasem Soleimani, along with several others, in a U.S. drone strike at a Baghdad airport spurred immediate calls by Iran's leaders for retaliation. The U.S. State Department urged all Americans to leave Iraq as soon as possible, according to the New York Times.
In a statement about the drone attack, the Department of Defense said: "General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and throughout the region."
President Donald Trump, speaking Friday about the killing of the Iranian general, said: “We took action last night to stop a war. We did not take action to start a war.”
In addition to a potential Iranian military strike, security experts are warning that Iran could retaliate with a cyberattack that goes well beyond the type of hacking operation that the U.S. is used to seeing from threat groups associated with the Iranian government (see: Microsoft: Iran-Backed Group Targeted a Presidential Campaign).
On Thursday night, Chris Krebs, the director of the U.S. Cybersecurity and Infrastructure Security Agency, a unit of DHS that oversees security threats to critical infrastructure, posted a tweet that repeated a previous warning about Iranian cyber capabilities.
Krebs noted that organizations should now pay close attention to the security of critical infrastructure, such as industrial control systems that are used at oil and gas facilities as well as water, power and waste treatment plants.
Given recent developments, re-upping our statement from the summer.
Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS. Make sure you’re also watching third party accesses! https://t.co/4G1P0WvjhS— Chris Krebs (@CISAKrebs) January 3, 2020
Chad Wolf, the acting secretary of Homeland Security, said in a Friday statement: "While there are currently no specific, credible threats against our homeland, DHS continues to monitor the situation and work with our federal, state and local partners to ensure the safety of every American."
On Saturday, DHS published a National Terrorism Advisory System bulletin concerning the situation with Iran. While the notice did not mention any specific threat against the U.S., it did note that "Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States."
Preparing for Attack
Since Iran's nuclear capabilities were crippled by the Stuxnet malware attack in 2010 – apparently as a result of U.S. and Israeli action - Iran has worked to bolster its cyber capabilities. For example, the country has developed its own sophisticated malware, including Shamoon, which is suspected of damaging oil giant Saudi Aramco in 2012.
In June, CISA issued a warning concerning a so-called "wiper" attacks that render computers unusable, which is likely a reference to Shamoon. This warning was referenced in Krebs' Thursday tweet (see: DHS: Conflict With Iran Could Spur 'Wiper' Attacks).
"Iran's offensive cyber capabilities have grown significantly since the 2012 days of banking sector denial-of-service attacks and Saudi Aramco [and] Shamoon destructive malware," Rick Holland, CISO of San Francisco-based security firm Digital Shadows, tells Information Security Media Group. "The cyberspace proxy war between the U.S. and Iran isn't new and will escalate as a result of Soleimani's death. Iranian actors are known to use account takeover techniques, spear phishing and destructive wiper malware, such as Shamoon."
Tom Kellermann, the head of cybersecurity strategy at VMware, who served as a cybersecurity adviser to the Obama administration, says that a retaliatory cyber strike by Iran is almost assured.
"Winter has come. Air strikes will be met with cyber strikes," Kellermann tells ISMG. He says CISOs and other security leaders should be asking four specific questions right now:
- "Are our security controls integrated?
- Do we have visibility across all our devices?
- Do we have a cyber threat hunt team?
- Do we have an incident response firm on call?"
Sam Curry, CSO at security firm Cybereason, tells ISMG: "If you have connected systems that are responsible for kinetic world effects, like [industrial control systems] and critical infrastructure around water, energy or vital services, it's time to pay attention. Iran and the U.S. are engaged in cyber brinksmanship, which means that the gloves are off as Iran picks its targets."
While Iran's cyber capabilities are not in the same league as Russia, North Korea or China, Israeli Defense Forces Brigadier Gen. (Ret.) Ran Shahor tells ISMG that Iran and the hacking groups that work with it have shown in the past several years that they're willing to use cyber weapons against both private-sector and public-sector targets.
Shahor, who is now the CEO of HolistiCyber, adds that CISA and DHS were correct in highlighting the possible threats to facilities and critical infrastructure that use industrial control systems because Iran is likely to target these in the coming weeks and months.
"It's true of both industrial control systems and operational technology systems because these are usually older systems and less protected … they need to be reviewed as closely as possible and patched," Shahor says. "The main thing is awareness. It takes a lot to defend these systems, and the important thing is to prioritize and do what's urgent first."
The U.S. has already rolled out some cyber capabilities against Iran in the past few months. For example, in August, the New York Times reported that the U.S. launched a cyberattack against Iran in June that wiped out a critical database used by the nation's paramilitary arm to plan attacks against oil tankers (see: Sizing Up Impact of US Cyberattack Against Iran).
"We have been engaged in an ongoing cyber conflict with Iran for decades, as have many of our allies in the Middle East – in particular, Israel and Saudi Arabia," says Chris Morales, head of security analytics at the security firm Vectra. "Cyber offensive actions have been ongoing and instigated by both sides through that time period."