After the Obama administration increased sanctions on Iran in 2011 and a video that many Iranians found offensive was released on YouTube, Iranian actors responded by launching distributed denial of service attacks against dozens of U.S. financial institutions, a campaign known as Operation Ababil. Today, relations between the two countries are deteriorating further, cyberattacks are ramping up, and the leaders of both countries are engaged in a war of words and threats.
Now, more than ever, the U.S. needs to be on guard. This escalation poses great risks to U.S. infrastructure, which could be caught in the crosshairs as Iranian actors retaliate in cyberspace. Federal agencies and critical industries such as aerospace, defense, financial services and energy need to be vigilant and take extra precautions to protect their computer networks from cyberattacks.
My researchers and I have been monitoring Iranian sponsored campaigns and recently observed an increase in activity. A group known as Advanced Persistent Threat (APT) 33, believed to be working for the Iranian government, has been stepping up its game. We have evidence that APT33 has recently targeted Saudi and American companies in engineering, defense, aerospace, finance and healthcare. Meanwhile, someone has been releasing hacking tools on the internet used by another group with ties to Iran, known as APT34.
Iran is getting squeezed both in the real-world economy and in cyberspace, and we have seen in the past that when Iran feels threatened, its hackers launch cyberattacks. Iran is widely believed to be responsible for one of the most destructive cyberattacks ever: wiper malware that destroyed data on tens of thousands of Saudi Aramco workstations in 2012. Additionally, in February 2014, months after Sands Hotel owner Sheldon Adelson recommended bombing Iran to force it to abandon its nuclear program, the casino was hit by malware that wiped data from desktops and servers across its network.
What to be on the lookout for from cyber attackers
First, everyone in the public sector needs to be careful to avoid being phished. Email recipients should take a few extra seconds when reading email to look for anomalies in the prose or in the email address of familiar contacts. If there is an anomaly (for example, a correctly spelled name, but an address on a public webmail service rather than the contact's usual domain), forward the email to an internal security group, and do not open the attachments or click the links. IT administrators need to understand the latest phishing trends and educate their users so they can better recognize suspicious emails. Internal security staff should review even blocked emails to learn from attackers' social engineering and technical methods, and then improve the defensive controls accordingly.
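The "familiar name, wrong mailbox" check described above can be automated at the mail gateway or in a triage script. The following is an added example, not code from the article or from Recorded Future; the organization domain, the contact directory, the list of webmail domains and the sample headers are all constructed assumptions.

```python
# Added example, not from the article: flag From: header anomalies of the kind the
# text describes (a familiar display name on a webmail or look-alike domain, or a
# Reply-To that silently redirects replies elsewhere).
# ORG_DOMAIN, KNOWN_CONTACTS and the sample headers are constructed assumptions.
from email.parser import HeaderParser
from email.utils import parseaddr

ORG_DOMAIN = "agency.example"
WEBMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}
# Assumed internal directory: display name -> the address that name should arrive from
KNOWN_CONTACTS = {
    "Jane Doe": "jane.doe@agency.example",
    "Alex Roe": "alex.roe@agency.example",
}


def _edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (agemcy vs agency)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def from_header_anomalies(raw_headers):
    """Return human-readable reasons this message deserves a second look ([] if none)."""
    msg = HeaderParser().parsestr(raw_headers)
    name, addr = parseaddr(msg.get("From", ""))
    domain = _domain(addr)
    if not addr or not domain:
        return ["missing or unparsable From address"]
    reasons = []
    expected = KNOWN_CONTACTS.get(name.strip())
    if expected and addr.lower() != expected:
        # Correctly spelled, familiar name but the wrong mailbox: the case the text warns about
        where = "webmail domain " + domain if domain in WEBMAIL_DOMAINS else "unexpected address " + addr
        reasons.append("known contact '%s' sent from %s" % (name, where))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and _domain(reply_to) != domain:
        reasons.append("Reply-To domain %s differs from From domain %s" % (_domain(reply_to), domain))
    if domain != ORG_DOMAIN and 0 < _edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append("sender domain %s is a look-alike of %s" % (domain, ORG_DOMAIN))
    return reasons


# Constructed sample headers (not real mail)
SAMPLES = {
    "legit": "From: Jane Doe <jane.doe@agency.example>\nSubject: Budget\n",
    "webmail": "From: Jane Doe <jane.doe.agency@gmail.com>\nSubject: Urgent wire\n",
    "lookalike": "From: Alex Roe <alex.roe@agemcy.example>\nSubject: Invoice\n",
    "replyto": "From: Vendor Support <support@vendor.example>\nReply-To: vendor-support@gmail.com\nSubject: Portal login\n",
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, from_header_anomalies(hdrs) or "ok")
```

A check like this belongs in front of the human, not instead of one: it is cheap to run on every inbound message and it turns the vague instruction "look for anomalies" into a specific banner ("known contact sent from gmail.com") that a recipient can act on by forwarding the message to the security team.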
Given how common password reuse is and how easy it is for attackers to use automated tools to test stolen passwords against other services (known as credential stuffing), security teams need to promote identity and access management (IAM) best practices: multi-factor authentication, a unique password for every service, and a password manager to store the resulting credentials. With MFA in place, a stuffed password that happens to be correct still does not log the attacker in.
Additionally, all access to systems that control elevated network privileges, such as Active Directory (AD) domain controllers (DCs), must be closely monitored and guarded with multi-factor authentication. Implementing a “jump box” (a single hardened server is the only host whitelisted for DC access, and administrators must first authenticate to it and then from it to the DC) may be inconvenient for administrators, but it creates a central choke point for logging and monitoring sensitive access. Once it is in place, any logon to a DC that does not originate from the jump box is an alert in its own right.
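Both of the preceding points reduce to checks over the authentication log: one source failing against many different usernames in a short window is credential stuffing, and a DC logon that did not come through the jump box is a bypass of the choke point. The following is an added example, not code from the article or from Recorded Future; the jump host address, the DC names, the thresholds and the event stream are constructed assumptions.

```python
# Added example, not from the article: two checks over an authentication event
# stream. (1) credential stuffing: one source failing against many distinct
# usernames in a short window; (2) logons to a domain controller that did not
# come from the jump box. JUMP_HOST, the DC names and the events are constructed.
from collections import defaultdict

JUMP_HOST = "10.0.5.10"            # assumption: the only host whitelisted for DC access
DOMAIN_CONTROLLERS = {"dc01", "dc02"}
STUFFING_MIN_USERS = 5             # distinct usernames failing from one source ...
STUFFING_WINDOW_SEC = 60           # ... within this many seconds

# Constructed events: (seconds, source IP, username, target host, result)
EVENTS = [
    (0,  "203.0.113.7", "jdoe",   "vpn",  "fail"),
    (5,  "203.0.113.7", "aroe",   "vpn",  "fail"),
    (9,  "203.0.113.7", "bsmith", "vpn",  "fail"),
    (12, "203.0.113.7", "cjones", "vpn",  "fail"),
    (15, "203.0.113.7", "dlee",   "vpn",  "fail"),
    (18, "203.0.113.7", "ewong",  "vpn",  "success"),  # one reused password worked
    (20, "10.0.7.42",   "jdoe",   "vpn",  "fail"),     # a typo, then success: not stuffing
    (25, "10.0.7.42",   "jdoe",   "vpn",  "success"),
    (30, "10.0.5.10",   "admin1", "dc01", "success"),  # via the jump box: allowed
    (40, "10.0.7.42",   "admin2", "dc02", "success"),  # direct to a DC: must be investigated
]


def detect_credential_stuffing(events, min_users=STUFFING_MIN_USERS, window=STUFFING_WINDOW_SEC):
    """Map each stuffing source IP to the sorted usernames it failed against."""
    failures = defaultdict(list)
    for ts, src, user, _target, result in events:
        if result == "fail":
            failures[src].append((ts, user))
    hits = {}
    for src, fails in failures.items():
        fails.sort()
        for i, (t0, _) in enumerate(fails):
            # Sliding window anchored at each failure: distinct users, not raw attempts,
            # is what separates stuffing from one person mistyping their own password.
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits


def accounts_to_reset(events, hits):
    """Accounts that logged in successfully from a stuffing source: reset these first."""
    return sorted({user for _ts, src, user, _t, result in events if src in hits and result == "success"})


def dc_logons_bypassing_jump_host(events):
    """Any DC logon not sourced from the jump box breaks the choke point."""
    return [(ts, src, user, target) for ts, src, user, target, result in events
            if target in DOMAIN_CONTROLLERS and src != JUMP_HOST]


if __name__ == "__main__":
    hits = detect_credential_stuffing(EVENTS)
    print("stuffing sources:", hits)
    print("reset first:", accounts_to_reset(EVENTS, hits))
    print("DC logons outside jump box:", dc_logons_bypassing_jump_host(EVENTS))
```

The second check is only meaningful if the jump box really is the sole permitted path: the firewall or host ACL on the DCs should reject everything else, so that a logon from another source means a control has been bypassed rather than merely that the policy is incomplete.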
Further, system administrators need to be continuously on the lookout for malicious code on their systems. This means having staff actively hunting for web shells: scripts that are hard to detect and that give attackers persistent, unauthorized access to a web server after an initial compromise, from which they can upload offensive tools, steal data, and explore the victim network for vulnerable systems. Because web server content is by nature dynamic, IT administrators do not always know whether a given file belongs on a web server, so detecting web shells is not trivial, and web application firewalls (WAFs) rarely help, since they are designed to detect specific exploit attempts against known web application vulnerabilities rather than an already-planted script being driven through ordinary HTTP requests. Adversary-placed web shells have been found on numerous “.gov” web sites around the world.
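Two things make web shell hunting tractable despite dynamic content: a baseline manifest of the document root taken at deployment, so that new or changed script files stand out, and a scan for the handful of constructs nearly every web shell needs (evaluating request input, spawning a process, carrying a large encoded payload). The following is an added example, not code from the article or from Recorded Future; the directory layout, the baseline and the planted files are all constructed inside the script so it runs offline.

```python
# Added example, not from the article: hunt for web shells by (a) comparing the
# document root against a baseline manifest taken at deployment time and
# (b) grepping script files for constructs web shells rely on. The directory
# layout, the baseline and the planted files are all constructed here.
import hashlib
import os
import re
import tempfile

SCRIPT_EXT = {".php", ".phtml", ".asp", ".aspx", ".jsp", ".jspx"}
# None of these is proof on its own; a new or modified file that also matches one is worth a look.
SUSPICIOUS = {
    "eval_of_request_input": re.compile(
        r"eval\s*\(\s*@?\s*(base64_decode|gzinflate|str_rot13|\$_(GET|POST|REQUEST|COOKIE))", re.I),
    "command_execution": re.compile(r"\b(system|shell_exec|passthru|proc_open|popen|exec)\s*\(", re.I),
    "process_spawn": re.compile(r"Process\.Start|Runtime\.getRuntime\(\)\.exec|ProcessBuilder", re.I),
    "long_encoded_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def _rel(full, root):
    return os.path.relpath(full, root).replace(os.sep, "/")


def build_baseline(root):
    """Manifest {relative path: sha256} taken from a known-good deployment."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[_rel(full, root)] = _sha256(full)
    return manifest


def hunt_web_shells(root, baseline):
    """Return {relative path: [reasons]} for script files that are new, changed, or match a pattern."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXT:
                continue
            full = os.path.join(dirpath, name)
            rel = _rel(full, root)
            reasons = []
            if rel not in baseline:
                reasons.append("not_in_baseline")
            elif baseline[rel] != _sha256(full):
                reasons.append("modified_since_baseline")
            with open(full, "r", errors="replace") as f:
                body = f.read()
            reasons += [label for label, rx in SUSPICIOUS.items() if rx.search(body)]
            if reasons:
                findings[rel] = reasons
    return findings


def demo():
    """Deploy a clean site, snapshot it, then plant shells and edit a page; returns the findings."""
    root = tempfile.mkdtemp()

    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(text)

    put("index.php", "<?php echo 'hello'; ?>\n")
    put("about.php", "<?php include 'header.php'; ?>\n")
    baseline = build_baseline(root)                                   # taken at deployment
    put("about.php", "<?php include 'header.php'; echo 'updated'; ?>\n")   # legitimate edit
    put("uploads/img.php", "<?php @eval($_POST['x']); ?>\n")          # classic one-line shell
    put("cmd.aspx", '<%@ Page Language="C#" %><% System.Diagnostics.Process.Start(Request["c"]); %>\n')
    return hunt_web_shells(root, baseline)


if __name__ == "__main__":
    for path, reasons in sorted(demo().items()):
        print(path, reasons)
```

The baseline check is the one that catches shells the patterns miss (a shell can be written without any of these keywords), and the patterns are the ones that catch a shell dropped before the baseline was taken; the legitimately edited page shows up as "modified" so that a reviewer confirms the change rather than the scanner silently accepting it. Files with non-script extensions are skipped here, which is a real gap: a shell can also hide in an upload that the server is configured to execute, so the baseline should in practice cover every file under the document root.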
Another common attacker methodology for compromising sensitive targets is to first identify and compromise their partners, vendors and suppliers. To manage this third-party risk, system administrators should regularly audit third-party network access, which typically occurs via API, and track changes to third-party risk profiles through continuous threat intelligence.
Categories to monitor for third parties include credential exposures, targeting on criminal forums, vulnerabilities in their technology stack, typo-squatted domains and detected malware. It is particularly important for federal agencies to monitor contractor access and contractors' compliance with information security best practices.
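Of the categories listed, typo-squats are the one an agency can enumerate itself: generate the look-alike variants of its own and its key suppliers' domains and match them against newly observed domains from registration or certificate transparency feeds. The following is an added example, not code from the article or from Recorded Future; the monitored domain, the homoglyph table and the list of observed domains are constructed assumptions.

```python
# Added example, not from the article: generate the typo-squat and look-alike
# variants of a domain that a third-party monitoring feed should be watched for,
# then match them against newly observed domains. The domain, the homoglyph table
# and the observed list are constructed.
HOMOGLYPHS = {"m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"], "l": ["1", "i"], "i": ["l", "1"],
              "o": ["0"], "0": ["o"], "e": ["3"], "a": ["4"], "s": ["5"], "g": ["q"]}
ALT_TLDS = ["com", "net", "org", "co", "info"]


def typosquat_candidates(domain):
    """Plausible squats of `domain`: omission, repetition, transposition, homoglyph
    swap, hyphen removal and TLD swap. Returns a set of full domain names."""
    name, _, tld = domain.lower().partition(".")
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                               # omission: agncy
        names.add(name[:i] + name[i] + name[i:])                         # repetition: agenccy
        if i + 1 < len(name):
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])   # transposition: agnecy
        for token, subs in HOMOGLYPHS.items():
            if name.startswith(token, i):
                for sub in subs:
                    names.add(name[:i] + sub + name[i + len(token):])    # homoglyph: acrne
    names.add(name.replace("-", ""))
    names.discard(name)
    names = {n for n in names if n and "-" not in (n[0], n[-1])}
    squats = {"%s.%s" % (n, tld) for n in names}
    squats |= {"%s.%s" % (name, t) for t in ALT_TLDS if t != tld}
    return squats


def find_typosquats(domain, observed_domains):
    """Observed domains (new registrations, CT logs) that squat on or embed `domain`."""
    domain = domain.lower()
    name = domain.partition(".")[0]
    candidates = typosquat_candidates(domain)
    hits = []
    for d in sorted({x.lower() for x in observed_domains}):
        if d == domain:
            continue
        if d in candidates:
            hits.append((d, "typosquat"))
        elif name in d.partition(".")[0]:
            hits.append((d, "brand_embedded"))      # e.g. acme-agency-login.com
    return hits


DOMAIN = "acme-agency.gov"   # assumption: the agency or supplier domain being monitored
# Constructed feed of newly observed domains
OBSERVED = ["acrne-agency.gov", "acme-agency.com", "acme-agnecy.gov", "acmeagency.gov",
            "acme-agency.gov", "example.org", "acme-agency-login.com"]

if __name__ == "__main__":
    for d, reason in find_typosquats(DOMAIN, OBSERVED):
        print(reason, d)
```

The candidate set is deliberately broad and will include many domains nobody will ever register; the cost is only a set lookup per observed domain, whereas a miss is a credible phishing domain aimed at the agency's staff or at its contractors.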
We don’t know exactly how Iranian actors will respond to the Trump administration’s most recent actions, but given the retaliatory cyberattacks of past years we can’t rule out attacks this time. Federal agencies and employees should be on guard and prepared for the worst.
Levi Gundert is the vice president of intelligence and risk at Recorded Future.