There is no doubt the Iranian Islamic Revolutionary Army Corps (IRGC) cyber capabilities are substantial. Their successes in penetrating western networks are evidenced by the numerous indictments and warnings provided by the U.S. government, as well as those of their allies over the past few years. We noted this in our own piece regarding the threats to facilities, personnel and information systems, alerting Facility Security Officers to Iran’s possible deleterious actions.
On January 6, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) followed up on their director’s admonishment sent via a tweet and issued an alert to U.S. organizations concerning the likelihood of cyber attacks sponsored by Iran.
The Alert – AA20-006A – recommended the following actions be taken by all organizations.
- Adopt a state of heightened awareness
- Increase organizational vigilance
- Confirm reporting processes
- Exercise organizational incident response plans
- Disable all unnecessary ports and protocols
- Enhance monitoring of network and email traffic
- Patch externally facing equipment
- Log and limit usage of PowerShell
- Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network
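The "log and limit usage of PowerShell" item is the one recommendation above that maps directly to a host setting. The following PowerShell script is an added example, not part of the CISA alert or this article: it enables script block logging, module logging and transcription through the same registry keys Group Policy writes, verifies the result, and checks whether the PowerShell 2.0 engine is still installed, since that engine does not support script block logging and is the usual way an attacker's script avoids it. The transcript directory `C:\PSTranscripts` is an assumed location; run the script as Administrator on Windows 10 / Server 2016 or later.

```powershell
# Added example (not from CISA alert AA20-006A or the original article).
# Turns on the PowerShell logging features defenders usually enable, then verifies them.
# Assumed values: the transcript directory below; adjust it to your environment.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed path; users should be able to write but not read it

$Settings = @(
    @{ Key = "$PolicyRoot\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Value = 1 },
    @{ Key = "$PolicyRoot\ModuleLogging";      Name = 'EnableModuleLogging';      Value = 1 },
    @{ Key = "$PolicyRoot\Transcription";      Name = 'EnableTranscripting';      Value = 1 },
    @{ Key = "$PolicyRoot\Transcription";      Name = 'EnableInvocationHeader';   Value = 1 }
)

foreach ($s in $Settings) {
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
}

# Module logging needs a module list; '*' records pipeline execution for every module.
$ModuleNamesKey = "$PolicyRoot\ModuleLogging\ModuleNames"
if (-not (Test-Path $ModuleNamesKey)) { New-Item -Path $ModuleNamesKey -Force | Out-Null }
New-ItemProperty -Path $ModuleNamesKey -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Transcripts go to a central directory so a user cannot simply delete their own session record.
if (-not (Test-Path $TranscriptDir)) { New-Item -ItemType Directory -Path $TranscriptDir | Out-Null }
New-ItemProperty -Path "$PolicyRoot\Transcription" -Name 'OutputDirectory' -Value $TranscriptDir -PropertyType String -Force | Out-Null

# Verification: read every value back and report whether it matches what we set.
function Test-PowerShellLogging {
    $result = [ordered]@{}
    foreach ($s in $Settings) {
        $current = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        $label   = "$(Split-Path -Path $s.Key -Leaf)\$($s.Name)"
        $result[$label] = ($null -ne $current -and $current.($s.Name) -eq $s.Value)
    }
    return $result
}
Test-PowerShellLogging | Format-Table -AutoSize

# The PowerShell 2.0 engine ignores script block logging; report it if it is still installed.
$v2 = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -ErrorAction SilentlyContinue
if ($v2 -and $v2.State -eq 'Enabled') {
    Write-Warning 'PowerShell 2.0 engine is enabled; remove it with Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root'
}

# With script block logging on, script contents are written as event ID 4104 in the
# Microsoft-Windows-PowerShell/Operational log; show the five most recent entries.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'Snippet'; Expression = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } }
```

The 4104 events are what a SIEM should collect to satisfy the "log" half of the recommendation; the "limit" half is a matter of who is allowed to run PowerShell at all, which is enforced through application control rather than a registry value.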
The alert highlights four specific incidents targeting U.S. entities that have been attributed to Iran.
- DDoS targeting of the U.S. financial sector in March 2013. This led to the indictment of seven IRGC personnel.
- Unauthorized access to the SCADA network of a dam in New York which occurred in 2013.
- Hacking of the Sands Hotel and Casino in Las Vegas in February 2014. The Sands lost customer PII and found that portions of its information technology infrastructure were electronically destroyed.
- Four-year harvesting effort targeting U.S. universities and government entities, from 2013-2017. This activity led to the indictment of nine Iranians. The targeted entities included “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”
FSOs need to ensure their constituents are fully briefed on the potential for Iranian (and other actors perhaps masquerading as Iranian) efforts to penetrate their IT infrastructure. The aforementioned tips and examples provide the grist for timely awareness training. FSOs also need to ensure personnel take the same precautions on their personal devices and in their online engagement as they do on company or government networks, especially in this era of “bring your own device.”
Social Networks and RUMINT
Furthermore, personnel should be reminded that social networks often amplify both accurate information and purposeful misinformation.
The most recent example is the flurry of fake text messages advising the recipient that they have been drafted and are being deployed. While the genesis of the text messages is not new, the fact that the U.S. Army issued a denial demonstrates how fast rumors fly. FYI, the draft hasn’t been active since 1973, and any such notification would come via U.S. snail mail and not a text message. Selective Service registration continues to be a requirement for U.S. citizen adult males 18 and older.
The U.S. Army has issued a fraud warning after fake text messages ordering young people to report for a military draft circulated around the country. The draft has not been in effect since 1973. https://t.co/gXncgOp8sh
— The New York Times (@nytimes) January 8, 2020
The Iranian cyber threat has always been present and can be expected to ignore the off-ramp taken in the kinetic engagement and accelerate. The Saudi National Cybersecurity Authority noted that on December 29 Iran may have been behind the disk wiper attack which reached out and touched Bahrain’s national oil company, Bapco. This matters to U.S. entities because it demonstrates the intent to destroy data, and emphasizes the need to back everything up and always have a cold backup available.
Over the past five years, misconfigured data stores in vendor cloud storage environments have led to a number of security breaches exposing both sensitive information and the PII of employees and clients. Those within your entity who are tasked with maintaining data stores, be it internal or in a shared environment, should be urged to review the configurations and access controls.
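The review of cloud storage access controls mentioned above usually comes down to one question: does any policy statement grant access to everyone? The script below is an added example, not from the original article, that answers it for an S3-style bucket policy document. The policy JSON is constructed for illustration (the bucket name, account ID, role name and IP range are made up); in practice you would feed the function the policy returned by `aws s3api get-bucket-policy`. It treats a bare `"*"` principal and `{"AWS": "*"}` as public, and distinguishes unconditioned public statements from those narrowed by a `Condition` block so a reviewer can prioritize.

```powershell
# Added example (not from the original article): flags policy statements that grant
# access to everyone. The policy below is constructed sample data.
$SamplePolicy = @'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadEverything",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-data-bucket/*"
    },
    {
      "Sid": "AppRoleWrite",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:role/app-uploader" },
      "Action": ["s3:PutObject"],
      "Resource": "arn:aws:s3:::example-data-bucket/uploads/*"
    },
    {
      "Sid": "ListForAnyoneOnCorpNet",
      "Effect": "Allow",
      "Principal": { "AWS": "*" },
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::example-data-bucket",
      "Condition": { "IpAddress": { "aws:SourceIp": "203.0.113.0/24" } }
    }
  ]
}
'@

function Test-PublicPrincipal {
    param($Principal)
    # Principal is either the string "*" or an object such as { "AWS": "*" } / { "AWS": ["*", "..."] }.
    if ($Principal -is [string]) { return ($Principal -eq '*') }
    foreach ($prop in $Principal.PSObject.Properties) {
        if (@($prop.Value) -contains '*') { return $true }
    }
    return $false
}

function Find-PublicStatements {
    param([string]$PolicyJson)
    $policy = $PolicyJson | ConvertFrom-Json
    # "Statement" may be a single object or an array; normalise to an array.
    foreach ($st in @($policy.Statement)) {
        if ($st.Effect -ne 'Allow') { continue }
        if (-not (Test-PublicPrincipal $st.Principal)) { continue }
        $severity = if ($null -ne $st.Condition) { 'REVIEW (public, but limited by Condition)' }
                    else                         { 'HIGH (unconditioned public access)' }
        [pscustomobject]@{
            Sid      = $st.Sid
            Actions  = (@($st.Action)   -join ', ')
            Resource = (@($st.Resource) -join ', ')
            Severity = $severity
        }
    }
}

Find-PublicStatements -PolicyJson $SamplePolicy | Format-Table -AutoSize
```

Run against the constructed policy, the function reports `PublicReadEverything` as HIGH and `ListForAnyoneOnCorpNet` as REVIEW, and stays silent on `AppRoleWrite`. A policy audit like this complements, rather than replaces, the provider's account-wide public-access block, and the same review should cover the object ACLs and any signed-URL issuance that sit outside the bucket policy.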
Additionally, the Iranians can be expected to utilize their entire quiver of arrows with respect to engaging the individual target via the internet. Remember, they are being assisted by U.S. defector Monica Witt who can provide nuanced content and context to make their engagement via social networks plausible and believable.