On April 14th, Iran launched hundreds of drones and missiles against Israel in retaliation for Israel’s bombing of the Iranian consulate in Damascus which resulted in 12 dead, including the head of Iran’s Islamic Revolutionary Guard Corps - Quds Force (IRGC-QF) Lebanon Corps. While nearly 99% of the drones and missiles were neutralized, Israel has since conducted a response, raising concerns the conflict may continue to grow. These kinetic actions represent an escalation in a long-standing conflict, much of which has played out via proxies and in both the physical and cyber realms. Iran has been affiliated with a wide range of cyber attacks, including website defacements and distributed denial of service (DDoS) attacks. Given the current period of increased geopolitical tensions, it is a good time to revisit Iran and its affiliates’ cyber capabilities and targeting so that companies can be prepared in the event the conflict should spread.
Iran as a Top-Tier Cyber Threat Actor
Iran has significantly advanced its cyber capabilities over the last decade and a half and is now generally considered among the top five most capable countries for cyber operations. These operations have included destructive malware, ransomware, and DDoS attacks; cyberespionage; and operations against US critical infrastructure. Iran’s Islamic Revolutionary Guard Corps (IRGC) and Ministry of Intelligence and Security (MOIS) are responsible for the country’s cyber operations, with specific advanced persistent threat (APT) groups assessed to align with each organization. For example, APT 33 (aka Refined Kitten) and APT 35 (aka Charming Kitten) are associated with the IRGC, while APT 34 (aka OilRig, Helix Kitten) and APT 39 (aka Chafer) are associated with MOIS. In general, however, these subdivisions matter less than the tactics themselves, because the tactics and targets aligned with each of these APTs can shift rapidly.
These government organizations also work in close partnership with national technical universities, private companies (some of which are simply fronts for government activity), and patriotic hacktivists. While many Iranian cyber activities are related to espionage or financial gain (e.g., ransomware attacks) and represent a persistent threat, geopolitical tensions have previously served as a trigger for increased overt operations against Western entities in the form of DDoS attacks, destructive malware, and website defacements. Previous examples of high-profile Iranian attacks in response to heightened geopolitical tensions include:
- 2012-2013 DDoS Attacks Against US Banks: Following the imposition of economic sanctions against the country, Iran launched a long-term campaign of successful DDoS attacks against the US financial services industry.
- 2013 Illicit Access to Supervisory Control and Data Acquisition Systems of a New York Dam: An Iranian individual working for a private company on behalf of the IRGC accessed the information systems of the Bowman Dam in Rye, NY.
- 2014 Destructive Malware Attack Against the Sands Casino: Following anti-Iran statements by the Casino’s owner, Iran launched a destructive malware attack against the Sands casino, in which the threat actors infiltrated the network, stole sensitive data, and wiped the majority of the casino’s servers.
Patriotic Hacktivists Expand Range of Threat
In addition to these larger cyber operations, individuals inspired to conduct low-level cyber operations on behalf of Iran also present a threat during heightened geopolitical tensions, though the scale of their operations is somewhat smaller. These patriotic hacktivists, as they are called, often target vulnerable websites and organizations for website defacements in an effort to draw attention to their cause and embarrass their targets. For example, following a US missile strike in January 2020 that resulted in the death of then-IRGC-QF commander General Qasem Soleimani, these hacktivists went after any vulnerable website they could find, frequently replacing the site with pro-Iranian and anti-American imagery and messages. While these attacks may not be highly impactful, they do present a reputational risk to victims.
Geopolitical Flare-Ups Are a Good Time to Check Your Security
While the severity of the threat from Iran-affiliated threat actors can vary widely, the tactics used to gain initial access to a victim’s systems are consistent. These largely revolve around vulnerability exploitation, phishing and spearphishing, and credential stuffing. While the current tensions may not escalate into active targeting of the US private sector, given that these threat actors have a history of using compromised credentials to get into networks, now is a good time to ensure that you and/or your organization are using complex, unique passwords for every account. For more information on steps you can take to protect your networks against Iranian cyber threat actors, check out this overview from the US Cybersecurity and Infrastructure Security Agency.
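The credential stuffing mentioned above has a recognizable footprint in authentication logs: one source address failing against many distinct accounts in a short window, sometimes followed by a success that indicates a reused password worked. The following is an added defensive example, not code from the original article; it assumes a constructed, simplified log line format (timestamp, username, source IP, result) and constructed sample data, and separates stuffing (many accounts, one source) from ordinary brute force against a single account.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): "timestamp user src_ip result".
# 203.0.113.7 fails against five different accounts, then logs in as "frank".
# 198.51.100.2 fails twice against one account, then succeeds (not stuffing).
SAMPLE_LOG = """\
2024-04-15T10:00:01Z alice 203.0.113.7 FAIL
2024-04-15T10:00:02Z bob 203.0.113.7 FAIL
2024-04-15T10:00:03Z carol 203.0.113.7 FAIL
2024-04-15T10:00:04Z dave 203.0.113.7 FAIL
2024-04-15T10:00:05Z erin 203.0.113.7 FAIL
2024-04-15T10:00:06Z frank 203.0.113.7 SUCCESS
2024-04-15T10:05:00Z alice 198.51.100.2 FAIL
2024-04-15T10:05:30Z alice 198.51.100.2 FAIL
2024-04-15T10:06:00Z alice 198.51.100.2 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse(log_text):
    """Yield (timestamp, user, src_ip, result) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: {"failed_users": [...], "successes": [...]}} for every
    source that fails against at least `min_users` distinct accounts inside
    any `window`-long span. Successes from that source are reported so the
    affected accounts can be reset first."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in sorted(parse(log_text)):
        by_ip[ip].append((ts, user, result))
    hits = {}
    for ip, evs in by_ip.items():
        for i, (start, _, _) in enumerate(evs):
            # Sliding window anchored at each event from this source.
            users = {u for t, u, r in evs[i:] if t - start <= window and r == "FAIL"}
            if len(users) >= min_users:
                hits[ip] = {"failed_users": sorted(users),
                            "successes": sorted(u for _, u, r in evs if r == "SUCCESS")}
                break
    return hits
```

Tune `window` and `min_users` to the normal login rate of the system being monitored; a shared NAT or VPN egress will legitimately show many accounts from one address, so alerts should be reviewed against known egress ranges.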