In 1970, Motown’s Edwin Starr released a song called War which hit number one on the Billboard Hot 100 chart. “War! Huh! Yeah! What is it good for? Absolutely nothing!” The song was a reaction to the Vietnam War and all of the young American men who were drafted to engage in a conflict that was ultimately pointless and bloody. It’s now about fifty years later, and President Donald Trump ordered a drone to assassinate Iranian military leader Qassem Suleimani. This act will undoubtedly deeply worsen tensions between the United States and Iran, if not trigger another all out conventional war.
First, let me get my own opinions about this highly controversial matter out of the way. After being raised by a British military father and thinking maybe sometimes war is good, my political views have greatly evolved and now I’m certain war is definitely bad, whether it is conventional, cyber, or both. That being said, cyberwarfare has been going on between the United States, Israel, and Iran for quite some time now, and this escalated conflict will only make it even more intense. Businesses and enterprises of all sizes should be aware of what’s going on and they have every right to defend their networks from Iranian cyberwarfare. So, let’s talk about that, shall we?
I’ve been following this matter closely for quite some time, ever since Stuxnet. For the uninitiated, Stuxnet was highly specialized malware that was most likely developed by the American and Israeli militaries to harm Iranian nuclear power facilities, mainly the Bushehr Nuclear Power Plant and Natanz’s nuclear facility. The worm may have been in development as early as 2005, and it was designed to exploit vulnerabilities in Windows-based programmable logic controllers in Siemens SCADAs. Western security researchers first discovered Stuxnet in 2010, and it was very difficult to understand because it was written in deliberately obfuscated code that didn’t clearly belong to any particular programming language. To this day no country has directly admitted responsibility for Stuxnet, but the popular belief that it was developed by the United States and Israel is most likely.
One alarming element of Stuxnet, especially for those of us who are concerned with machine identity protection, is that its creators signed the malicious code using the private keys of valid digital certificates of well-known companies. As we increase our alert levels for cyberwarfare, it’s more important than ever that we know where all of our machine identities are located and exactly who’s using them.
Weird as Stuxnet was, its impact illustrated something that I believe is true of all cyberwarfare acts. However targeted an act of cyberwarfare may be, there will always be collateral damage, no matter what. According to security researchers, only about 59% of Stuxnet infections were actually in Iran. About 18% were in Indonesia, 8% in India, 2.5% in Azerbaijan, and 1.5% in the United States. That’s “friendly fire,” eh? So even if your business is far from Iran or the United States, Iranian cyberwarfare should be everyone’s concern.
We might be shocked by Qassem Suleimani’s death, even if we didn’t know who he was beforehand. But we really should have seen this coming. When Barack Obama was still President, the Joint Comprehensive Plan of Action, colloquially known as the Iran nuclear deal, was signed by the United States, Germany, the European Union, China, France, Russia, the United Kingdom, and Iran on July 14th, 2015. As the BBC described it:
“It came after years of tension over Iran's alleged efforts to develop a nuclear weapon. Iran insisted that its nuclear programme was entirely peaceful, but the international community did not believe that.
Under the accord, Iran agreed to limit its sensitive nuclear activities and allow in international inspectors in return for the lifting of crippling economic sanctions.”
But in May 2018, Trump abandoned the Iran nuclear deal. And by November of the same year, Trump reinstated sanctions against Iran and all states that would possibly do trade with Iran. I’m surprised that the United States didn’t engage in more drone strikes on Iran in 2019, quite frankly. But it’s all bad. It’s all very, very bad. Iran is pretty much surrounded by American military facilities in all directions. I think the only American lives that could be at risk are those deployed in Iran. But all Iranian civilians are in mortal danger. And my own country, Canada, just advised all Canadians to leave Iran immediately.
Iran’s best hopes for retaliation are clearly in the cyberwarfare realm. And it’s already started. CBS News reported this act of vandalism on January 4th:
“The homepage for the U.S. Federal Depository Library Program was briefly altered Saturday evening to show a pro-Iranian message and an image of bloodied Donald Trump being punched in the face.
A line at the bottom read: ‘Hacked by Iran Cyber Security Group Hackers. This is only small part of Iran's cyber ability! We're always ready.’
The website was not accessible soon after the image appeared.
CBS News could not confirm who was responsible. Several experts who track cyber activity were not aware of a group called Iran Cyber Security Group Hackers, and its affiliation with Iran could not be confirmed.
It was not clear that hackers penetrated past the homepage. The damage from the act would be relatively small—more symbolic than destructive.”
The Cybersecurity and Infrastructure Security Agency is certainly concerned about worsening Iranian cyberwarfare. These are their recommendations for organizations in general:
“Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see Contact Information section below).
Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.”
So as Iranian cyberwarfare is only going to get worse from here, what are some of the groups that are involved that we should look out for?
Iran’s APT34 is focused on cyber espionage, and researchers believe the group has existed since at least 2014. They’re largely considered to be responsible for the OilRig malware campaign that focused on financial institutions and technology organizations within Saudi Arabia from 2015 onwards. They’ve also targeted Turkey in a spear phishing campaign. The United States may be next, possibly with different malware altogether. But organizations around the world should be concerned.
Another Iranian APT that may be linked to the Chafer APT targeted foreign diplomats within Iran in 2018 and 2019.
Chances are there are Iranian APTs we don’t even know much about yet.
But we must proceed with caution. In October 2019, it was discovered that the Russian Turla APT pretended to be Iranian. Security researchers were fooled for a while until a two-year investigation by the UK’s National Cyber Security Centre and the US’ National Security Agency proved otherwise.
But cyberwarfare, no matter where it comes from, puts us all at risk. Security harden your networks and increase your vigilance in protecting your machine identities!