Iran Tensions And Cyber Terrorism: Should Your Business Be Worried?

Unless you’ve been living under a rock you’ve heard of the recent escalation in tensions between Iran and the U.S. over the killing of Iranian terror general Qasem Soleimani. In the wake of this event, Iran – a country already infamous for being one of the world’s top conductors of cyber warfare, targeting western government institutions and private enterprises alike – vowed to take revenge on the U.S. not only through direct military action but also cyber warfare/terrorism.

A large subset of the news media onslaught concerning the situation with Iran has focused on the potential of increased Iranian cyber attacks and what damage they could potentially cause. Iran is already holding true to its promises of retaliation with Tuesday’s missile attack on U.S. forces in Iraq as well as a 50% increase in cyber attacks on American government institutions and a 300% increase in global cyber attacks originating from Iranian IP addresses since the assassination of Soleimani.

Additionally, cyber attacks originating from other countries’ IP addresses have similarly increased, due almost certainly in part to Iranian actors masking their IP addresses but more concerningly due perhaps to actors from other countries taking advantage of the chaos to increase their own cyber attack operations.

While Iran is mostly known to target large American companies, institutions and mid-eastern oil giants, Iran’s cyber terrorism campaign extends to many U.S. allies (most notably Canada and the United Kingdom) due to their strong economic ties, military co-operation & integration, and cultural similarities. Smaller companies can also be likely targets for Iran if they are perceived to have valuable intellectual property in the form technology or scientific research, or if they can be used to cause disproportionately large damage to the economy or society in general. Furthermore, cyber warfare on the scale of nation-state-sponsorship is such that small firms can often be attacked indirectly.

So Should I Be Worried About My Business?

Unfortunately, this is a complicated question to answer as there are a lot of unknowns and diverse possibilities, so we’re going to lay things out as thoroughly as possible - read on.

In short, YES, the possibility exists that your business may be targeted by Iranian actors creating reasons for concern; at least until you have analyzed the risk and have valid justification not to be. So lets talk about how to pinpoint the Iranian threat to your business.

The first step in analyzing a threat from a known actor is to determine what their motivations are, and if those motivations might lead them to target your business. While this is still an important step in assessing the Iranian threat, Iran has a history of employing various sophisticated cyber attack methods, some of which are conducive to causing collateral damage or spreading indiscriminately beyond their initial target.

One of Iran’s favourite methods of attack is the use of wiperware worms which are viruses that spread automatically from system-to-system and destroy any data they can. Some of these worms even go so far as to steal the data before erasing it or destroy systems and machines themselves. Iran has developed a family of wiperware worms, the latest being dubbed the “Dustman” virus was recently used to attack Bahrain's national oil company, Babco.

Although the scale of Iran’s wiperware attacks have so far been mostly limited to individual institutions, we need only look to Russia’s 2017 cyber attack on Ukraine to understand the potential nation-wide devastation that can be caused by a single wiperware attack. Russia deployed the “NotPetya” wiperworm in 2017 against multiple Ukrainian institutions by attaching it to an update for a popular Ukrainian accounting software.

The virus quickly spread to government and private organizations across Ukraine, corrupting massive amounts of important data and disabling computer hardware. The attack was meant to cripple Ukraine but it quickly spread to other countries including the US, France, Germany, the UK, and even back to Russia. When the dust had settled, $10 billion in damages had been suffered by roughly 2000 entities affected which varied from massive international shipping conglomerates, to government agencies, to hospitals, and to small firms, many of which were put out of business.

Although Iran has yet to deploy wiperware to such devastating effect, they will most probably be looking to the NotPetya attack as an example of the kind of retaliatory attack they might seek to conduct against the U.S. and its allies.

Another common step in threat analysis is to determine the capabilities of the known actor you are defending against and if your infrastructure might be vulnerable to the types of attacks they carry out. But again, this approach alone might be insufficient here. With hostilities at an all-time high and Iran’s intention to retaliate as strongly as possible in cyberspace, it is likely that we will see them develop new strategies, viruses, and attack vectors as they have already shown they are among the quickest to adopt new strategies and levels of sophistication in their fanatical effort to cause as much destruction as possible.

The short history of cyber warfare has shown us that there is no telling when some actor will discover a great vulnerability and develop a devastatingly effective way to exploit it, i.e. there doesn’t need to be some ramp-up in capability or climbing of technological staircases for Iran to develop the most devastating cyber weapon the world has yet seen; with their renewed commitment to cyber warfare, all it might take is a bit of luck and some very clever individuals.

So although Iran has not yet been responsible for anything as effective and destructive as Russia’s NotPetya worm, the short history of cyber warfare has shown us that there is no telling when some actor will discover a great vulnerability and develop a devastatingly effective way to exploit it, i.e. there doesn’t need to be some ramp-up in capability or climbing of technological staircases for Iran to develop the most devastating cyber weapon the world has yet seen; with their renewed commitment to cyber warfare, all it might take is a bit of luck and some very clever individuals.

With all that out of the way, below are some steps you can take in analyzing the cyber threat Iran poses to your business.

Determine if Iran’s Motivations Would Lead Them to Target Your Business.

Yes, I know we just discussed why even if Iran doesn’t target your business directly you can still be directly affected by an attack. However most cyber attacks from Iran still target individual organizations. Iran’s primary motivations are retaliation, research and technological gains, and to a lesser extent, monetary gains.

Retaliation – Iran can seek retaliation through the means of indiscriminate economic terrorism by directly attacking high value economic targets or by attacking key infrastructure and systems which our society depends on, causing immense economic damage and interrupting society as a whole. These actions may even go so far as causing death, destruction, or public suffering by targeting power grids or other systems, as Iran has done in 2015 when it was discovered that Iranian hackers were laying the groundwork for an attack on the U.S. power grid, and again in 2013 when an Iranian threat actor penetrated the system which controlled a dam in New York. The hackers would have been able to release water and cause flooding if the computer controls hadn’t happened to be manually disconnected for maintenance. You must determine how much economic, physical, environmental, and other types of societal damage could be caused by stealing your data, destroying it, hijacking your network/systems, or disabling your business altogether. Some useful questions to start with are:

• How much of an economic target does our business represent on its own?

• How would our clients and their partners be affected by any of the types of attacks previously mentioned?

• What kind of damage could Iran cause with our data if they stole it?

• Aside from the effects on our clients, what other economic and societal consequences might occur if our business is crippled or destroyed?

• Could compromising or hijacking our network provide access to other targets that Iran might value?

• Do we have any assets that can be hijacked and used to cause economic or physical damage?

Research and Technological Gains – Iran has a strong history of stealing intellectual property in various scientific fields and technology. For example, between 2013-2017 a group of Iranian hackers stole academic data, intellectual property, and other proprietary data from 320 universities around the world, including many Canadian institutions. Your business is much more likely to be targeted if it conducts scientifically or technologically advanced research, develops cutting-edge technology of any kind, or if your network/systems store research data or Intellectual property relating to advanced science or technology. Research or technology with potential military application is especially sought after by Iranian hackers.

Monetary Gain – Surprisingly, there are few instances of Iranian state-sponsored hackers stealing money directly or with customer payment information through its cyber attacks, although this is the primary goal of most non-state-sponsored cyber attacks. However due to U.S. and International sanctions dealing significant damage to Iran’s economy, specifically through its oil industry, Iran has used cyber warfare several times to disrupt foreign oil competition. Although these types of attacks from Iran have been mostly focused on oil companies in the Middle East, Iran may yet expand these efforts across the Atlantic in the wake of the current rising tensions. If your business is a player in the oil industry or supports the oil industry in any manner aside from consumption, you may be a more likely target of increased Iranian cyber aggression.

Determine Degree of Vulnerability To Iran’s Known Capabilities.

On top of wiperware attacks, Iran is well-known for conducting denial-of-service (DoS/DDoS) attacks, which are a relatively simple way to shut down internet-facing systems and services. One well-known cyber weapon of Iran is the “Shamoon” wiperware worm which has been deployed multiple times by Iran, most notably to destroy 30,000 computers and their data belonging to a Saudi Arabian oil company. Shamoon is a sophisticated virus and it’s believed that it was developed in part by reverse-engineering the very advanced “Stuxnet” virus which was deployed by the U.S. and Israel to successfully damage much of Iran’s nuclear research infrastructure. It was the discovery of the Stuxnet virus in 2011 that began Iran on its rapid path to cyber warfare sophistication.

Any web-facing systems or services your business has are likely vulnerable to Iranian Denial of Service Attacks, and if you don’t currently back up your data in isolated environments you may find your business completely crippled following an Iranian wiperware attack.

One of Iran’s most potent methods is the use of Advanced Persistent Threat (APT) hacker groups. There are many known Iranian APT hacker groups and likely many that are unknown. APTs are characterized by their method of infiltrating networks undetected to collect data, cause damage that is difficult to diagnose or detect, or gain access to as many systems as possible in preparation for a sudden, devastating attack.

Detecting and preventing APT attacks is a complicated process requiring advanced cybersecurity strategies and expertise, primarily involving the use of advanced monitoring for suspicious behaviour and symptoms on the network. An APT group could be stealing your data or causing problems in your systems right now and you might not have any idea.

Iranian APTs use any tactics and procedures necessary to facilitate their mission, but some of their most common tactics include:

• Spear-phishing to target key individuals of an organization

• Exploiting public-facing remote services to be used as a stepping-stone to facilitate deeper access

• Extracting credential data from memory on Windows systems using the “Mimikatz” tool

• Installing data collection backdoors within Outlook and Exchange servers

Determine Third Party Business Dependencies.

The more interconnected your business’ network is with the Internet or other businesses, the more likely it is to become a victim of a NotPetya-style worm if Iran does develop something in that vein. More specifically, the fewer degrees of removal between your business network and a "patient zero" network, the more likely it is that the worm will spread to your network before word reaches you to disconnect and shut down your systems. Furthermore, the more reliant-on and connected-to popular third-party software you are, the more likely it is that YOUR business will become such patient zero for a malware attack attached to a software update like the NotPetya virus was.

The best way to avoid the wrath of a massive scale wiperworm attack – which Iran is likely trying to develop – is to minimize connections to third-party networks and reliance on non-essential third-party software that lacks a strong and robust security reputation. Especially avoid networks that are likely targets for Iran’s cyber attacks as well as software which is widely used by institutions Iran might target.

You should also be mindful that you are not connected to or reliant on third-party networks or software with poor or no security track record, even if they are not well-known or likely targets, because Iran might find it more effective to attach a worm to a less secure network or software product, even if it is less-connected, because the nature of a worm is such that it will be able to spread quickly even if it doesn’t initially deploy along a very broad attack surface.

In Conclusion

Note that this article on its own is not a sufficient source of information with which to protect your business from the distinct possibility that Iran will conduct an offensive cyber campaign of a scale and effect that we have not yet seen. Rather this article serves to give you an idea as to how vulnerable your business might be and where to start in determining the threat to your business in some detail at a high level.

We cannot know how serious the cyber threat from Iran might become in the wake of the current events in Iraq and the mid-east region in general. Anyone who tells you in any certain terms how potent the threat will be is foolish or dishonest, as there is no way of knowing the extent of Iran’s cyber capabilities, how far they are willing to take their cyber war with the west, how rapidly they are expanding their capabilities, or what breakthroughs or vulnerabilities they might stumble upon.

It is however entirely possible that Iran will be unable (or unwilling to commit the resources to) carry out a cyber terrorism campaign on a scale that is significantly greater than their current efforts, particularly as an attempt to de-escalate increasing internal and external tensions following the tragic demise of Flight 655.

What we do know is that Iran has vowed to increase their cyber-warfare efforts, they have already followed up on that promise by increasing the volume of their offensive cyber activity, and they are willing to take such provocative action as firing a large barrage of missiles at U.S. military bases and personnel.

Although in the hours following the missile attack in Iraq, many speculated - due to the lack of any casualties or serious damage - that Iran intentionally missed to allow their leadership save face in front of their people without escalating to an all-out war, when taking into consideration that Iranian missiles are inaccurate enough to miss their targets and certainly TOO inaccurate to target positions so close to U.S. forces with any confidence that they would not cause casualties, AND that U.S. forces were able to prepare for the attack thanks to early warning systems, it is very likely that the attack was indeed an attempt by Iran to inflict massive damage and casualties on U.S. forces. Furthermore, the seemingly accidental shooting down of the Ukrainian airliner shows that Iranian forces were very anxious that the U.S. might respond immediately. This retaliation suggests that Iranian leadership may be willing to act as if they have nothing to lose.

Even if in the coming months or years we do not see any significant and effective cyber assault by Iran, that is not a sufficiently good reason to discount the threat completely, as cyber weapons can take a long time to develop and the possibility of an Advanced Persistent Threat - that is, Iran could even be setting the stage by silently infiltrating and compromising networks and systems, waiting until they have control over enough systems and infrastructure to launch a sudden, massive, and sophisticated attack - is always there.

We may not be able to accurately measure the threat Iran currently poses, or even calculate the probability of any kind of attack or damage that Iran might inflict, but we do know that one of the most brazenly-hostile nations (which has grown its cyber capabilities more rapidly than any other country and has a track-record of consistent cyber attacks on western nations) is now more determined than ever to inflict massive repercussions to the extent that it risks all-out war with the most powerful military on earth. I would say that’s reason enough to consider some extra precautions.

Ethan Duggan

Consultant, Cyber Risk