If you have been watching the news recently, you are probably well aware of the conflict in Iran. This is a good reminder for both government agencies and companies. Why? Well, it’s not about war in the traditional sense. Instead, it’s war with hackers, cybercriminals and webmobs.
CISA, the Cybersecurity and Infrastructure Security Agency, recently released some information about protecting the nation’s cyber infrastructure due to the tension between the U.S. and the Islamic Republic of Iran.
There is a history of cyberattacks from Iran, and most recently, the country has used some fairly sophisticated methods to suppress political and social ideas that it finds dangerous, while also using them to harm countries that it deems “enemies.”
On top of this, Iranian cybercriminals have improved their methods, and they continue to engage in activities like defacing websites, launching DDoS attacks, and stealing personal information, such as addresses, account numbers and more. These crooks have also shown that they are willing to push boundaries, even using very destructive malware and other attacks.
The U.S. is gearing up for this, though. A number of federal and private sector intelligence organizations have identified this activity, and they know that the IRGC, or Islamic Revolutionary Guard Corps, is behind these state-sponsored attacks.
Here’s an example. The U.S. recently assassinated Qasem Soleimani, the Iranian general, and a retaliatory missile strike followed. People who know Iran well have warned that the country might not even be that serious about these missile attacks; instead, it could be planning something much bigger, such as a cyberattack on critical U.S. infrastructure like the electric grid. The good news is this: it is believed that Iranian hackers don’t have the capability to cause any blackouts in the U.S. There is concerning news, too, though. They have been working to get access to American utility companies, which could cause some big issues.
Researchers have recently found that the hacker group “Magnallium,” which had previously been linked to Iran, was also targeting U.S. electric providers in addition to oil and natural gas companies. On top of that, they are trying to gain access to these companies by looking for, and then trying to exploit, vulnerabilities in VPN software. There are also reports that hackers from Iran have breached U.S. electric companies before, which has laid the groundwork to do it again.
The above isn’t the only example of this. Greg Abbott, the governor of Texas, has warned his constituents that they should be “particularly vigilant” regarding cyberterrorism from Iran. This suggests that there has also been an increased attempt from Iran to attack state agencies. Gov. Abbott and the Texas Department of Information Resources have reported as many as 10,000 attempted attacks from Iran each minute.
Iran has carried out other recent attacks, although they haven’t been as serious. For instance, the homepage of the U.S. Federal Depository Library Program was hacked to show a picture of President Trump, bloodied, with a pro-Iranian message. The page also showed the message: “Hacked by Iran Cyber Security Group Hackers. This is only small part of Iran’s cyber ability! We’re always ready.” After the image was first seen on the page, the website became inaccessible.
What Can We Do?
There are some recommended actions that IT professionals and providers can take to reduce the chances of an imminent attack. There are certainly other things we can do in addition to the following, but these will likely bring the best results. These include:
- Disable any unnecessary protocols and ports – Take some time to review your organization’s network security device logs. Decide which unnecessary ports and protocols to shut off and which to leave on. Monitor common protocols and ports for activity.
- Limit and log usage of PowerShell – Limit the use of PowerShell to only the people and accounts that really need it. Also, require code signing of scripts and make sure logging is enabled for all PowerShell commands.
- Enhance monitoring of email and network traffic – Review network signatures for operational activity and adjust email rules as needed. Monitor for new phishing themes and follow best practices for restricting the use of email attachments.
- Ensure all backups are current – All of your backups should be up to date and stored in a location where you can easily retrieve them when necessary.
- Patch any externally facing equipment – Patch equipment that is highly exposed to remote code execution vulnerabilities first.
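The first two items above (reviewing unnecessary ports and limiting and logging PowerShell) can be applied directly from an elevated PowerShell session. The following is an added example written for this article; it is not code from the article, from CISA, or from any vendor. The registry paths are the standard PowerShell policy locations, but the port allow list and the transcript directory are assumptions chosen for illustration and should be replaced with your own.

```powershell
# Added example (not from the original article): turn on PowerShell script
# block, module and transcript logging, require signed scripts, pull the
# last day of logged script blocks, and list listening ports that are not
# on an allow list. Run from an elevated PowerShell session.
# Assumptions: the allow list below and C:\PSTranscripts are illustrative.

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    # Script block logging records the text of every script block that runs
    # (event ID 4104 in Microsoft-Windows-PowerShell/Operational).
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

    # Module logging for all modules records pipeline execution details
    # (event ID 4103).
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
    Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

    # Transcription writes the full text of each session to a directory.
    # The path is an assumption; in practice point it at a write-only share.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'IncludeInvocationHeader' -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name 'OutputDirectory' -Value 'C:\PSTranscripts' -Type String
}

function Set-SignedScriptPolicy {
    # Only scripts signed by a trusted publisher may run on this machine.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Get-RecentScriptBlocks {
    param([int]$Hours = 24)
    # Collect logged script blocks from the last N hours for review or for
    # forwarding to a SIEM. Properties[2] of event 4104 is the script text.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }
}

function Find-UnexpectedListeners {
    param([int[]]$AllowedPorts = @(22, 443, 3389))   # assumed allow list
    # Report listening TCP ports that are not on the allow list, with the
    # owning process, as input for the "shut off or leave on" decision.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -notin $AllowedPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = $proc.ProcessName
                Pid          = $_.OwningProcess
            }
        }
}

Enable-PowerShellLogging
Set-SignedScriptPolicy
Get-RecentScriptBlocks -Hours 24 | Format-Table -AutoSize
Find-UnexpectedListeners | Format-Table -AutoSize
```

The registry values written here are the same ones the corresponding Group Policy settings set, so the script is a useful starting point for a host you are hardening by hand; in a domain, apply them through Group Policy so they cannot be reverted locally. Script block logging captures the de-obfuscated form of what actually ran, which is why it is the log source worth forwarding to a SIEM, and the listening-port report is only a starting point for the review; it does not change firewall state on its own.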