9 January 2020, by Horst Buchwald

Is the Trump administration expecting a cyber war in the conflict with Iran?

New York, January 9, 2020

This suspicion is raised by an alert sent yesterday by the Cybersecurity and Infrastructure Security Agency (CISA) to the country's authorities.

CISA was established on November 16, 2018, when President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018. CISA is an independent U.S. federal agency that operates as a component of the Department of Homeland Security (DHS). Its activities are a continuation of the National Protection and Programs Directorate (NPPD). CISA's primary mission is to enhance cybersecurity at all levels of government, coordinate cybersecurity programs with the states, and improve the government's cyber defences against both criminal and state-sponsored attackers.

The guidance, which is apparently aimed not at specialists but at the broader "cybersecurity community", states that the following actions must be taken or initiated:

A state of heightened vigilance should be maintained. This means: full availability of the responsible personnel and continuous use of relevant threat information. Ensure that key internal security functions are monitored and that abnormal behaviour is detected. Flag all known Iranian indicators of compromise and tactics, techniques and procedures (TTPs) so that they can be acted on immediately. Ensure "that personnel know how and when to report an incident. The well-being of a company's workforce and Internet infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to serve as part of CISA's early warning system."

This is followed by a request to implement organizational contingency plans. Ensure that "employees are familiar with the key steps they must take during an incident. Do they have the access they need? Do they know the processes? Are the various data sources logging as expected? Ensure that staff are able to act in a calm and consistent manner."

Regarding the Iranian cyber-threat profile, the following information is provided:

"Iran has always used asymmetric tactics to pursue national interests beyond its conventional capabilities. More recently, the use of offensive cyber operations has become an extension of this doctrine. Iran has used its increasingly sophisticated capabilities to suppress both social and political perspectives it regards as threatening and to harm regional and international opponents."

The alert does not conceal that "Iranian cyber-threat actors ... have continuously improved their offensive cyber capabilities". They are expected to continue with more "conventional" activities: website defacement, distributed denial of service (DDoS) attacks and theft of personally identifiable information (PII). However, they could also use destructive wiper malware and possibly cyber-enabled kinetic attacks.

Of course, the US secret services and various private intelligence organisations have long since identified the driving force behind these cyber attacks: the Islamic Revolutionary Guard Corps (IRGC).

According to open-source reporting, offensive cyber operations targeting a variety of industries and organizations, including financial services, energy, government facilities, chemicals, healthcare, critical manufacturing, communications and the defense industrial base, have been attributed to the Iranian government. The same reporting has linked Iranian actors to a number of high-profile attacks, including:

Late 2011 to mid-2013: DDoS attacks on the US financial sector. In response to this activity, in March 2016 the US Department of Justice indicted seven Iranian actors employed by companies working on behalf of the IRGC for DDoS attacks directed primarily at the public-facing websites of banks. The attacks prevented customers from accessing their accounts and cost the banks millions of dollars in remediation.

August/September 2013: Unauthorized access to a dam in New York State. In response, in March 2016 the U.S. Department of Justice filed charges against an Iranian actor employed by a company working on behalf of the IRGC for illegally accessing the supervisory control and data acquisition (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the actor to obtain information on the status and operation of the dam.

February 2014: Sands Las Vegas Corporation hacked. Cyber-threat actors broke into the Sands Las Vegas Corporation in Las Vegas, Nevada and stole customer data, including credit card information, social security numbers and driver's license numbers. According to a December 2014 Bloomberg article, the attack also had a destructive component that wiped the Sands Las Vegas Corporation's computer systems. In September 2015, the Director of National Intelligence identified the Iranian government as the perpetrator of the attack in a statement for the record to the House Permanent Select Committee on Intelligence.

2013 to 2017: Cyber theft campaign on behalf of the IRGC. In response, in March 2018 the U.S. Department of Justice filed charges against nine Iranian actors working with the Mabna Institute for conducting a massive cyber theft campaign comprising dozens of individual incidents, "many on behalf" of the IRGC. The thefts targeted academic and intellectual property data as well as email credentials. According to the indictment, the campaign targeted "144 U.S. universities, 176 universities in 21 countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children's Fund."

CISA's recommendations for countering the potential threat from Iranian actors fall into two groups: 1) mitigation and 2) incident preparation. The mitigation measures are:

1. Disable all unneeded ports and protocols. Review the logs of network security devices and decide which unneeded ports and protocols to shut off. Monitor common ports and protocols for command-and-control activity.

2. Improve monitoring of network and email traffic. Review network signatures and indicators for targeted operational activity, watch for new phishing themes and adjust email rules accordingly, and follow best practices for restricting attachments via email or other mechanisms.

3. Patch externally facing devices. Focus on patching critical and high-severity vulnerabilities that allow remote code execution or denial of service on externally facing equipment.

4. Log and limit the use of PowerShell. Restrict PowerShell to the users and accounts that need it, enable code signing for PowerShell scripts, and enable logging of all PowerShell commands.

5. Make sure that backups are up to date and stored in an easily retrievable location that is separated from the corporate network.
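The fourth measure is the one most readily expressed in code. The following PowerShell script is an added example, not part of the article or of CISA's alert: it turns on script block logging, module logging and transcription through the same policy registry keys that Group Policy writes, sets the machine execution policy to AllSigned so that only signed scripts run, and then verifies the result and lists the most recent script block events for review. It must be run from an elevated session; the transcript directory path and the function names are assumptions of this example.

```powershell
# Added example (not from the CISA alert or the article): enable the PowerShell
# logging CISA recommends, require signed scripts, and verify the configuration.
# Requires an elevated (administrator) session on Windows with PowerShell 5.1 or later.

$PolicyRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$TranscriptDir = 'C:\PSTranscripts'   # assumed location; a write-only share off the host is preferable

function Set-PolicyValue {
    # Writes one policy value, creating the key if it does not exist yet.
    param([string]$SubKey, [string]$Name, $Value, [string]$Type = 'DWord')
    $path = Join-Path $PolicyRoot $SubKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

function Enable-PowerShellLogging {
    # Script block logging: every executed script block is written to the
    # Microsoft-Windows-PowerShell/Operational log as event ID 4104.
    Set-PolicyValue -SubKey 'ScriptBlockLogging' -Name 'EnableScriptBlockLogging' -Value 1

    # Module logging for all modules: pipeline execution details land in event ID 4103.
    Set-PolicyValue -SubKey 'ModuleLogging' -Name 'EnableModuleLogging' -Value 1
    Set-PolicyValue -SubKey 'ModuleLogging\ModuleNames' -Name '*' -Value '*' -Type 'String'

    # Transcription: a text record of every session, including an invocation header
    # with timestamps, written to the directory configured above.
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableTranscripting' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'EnableInvocationHeader' -Value 1
    Set-PolicyValue -SubKey 'Transcription' -Name 'OutputDirectory' -Value $TranscriptDir -Type 'String'
}

function Set-SignedScriptsOnly {
    # AllSigned: scripts run only if they carry a trusted Authenticode signature.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Test-PowerShellLoggingPolicy {
    # Reads each setting back and reports whether it is in the recommended state.
    $checks = @(
        @{ Setting = 'ScriptBlockLogging'; Key = 'ScriptBlockLogging'; Name = 'EnableScriptBlockLogging' },
        @{ Setting = 'ModuleLogging';      Key = 'ModuleLogging';      Name = 'EnableModuleLogging' },
        @{ Setting = 'Transcription';      Key = 'Transcription';      Name = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path (Join-Path $PolicyRoot $c.Key) -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        [pscustomobject]@{ Setting = $c.Setting; Value = $actual; Compliant = ($actual -eq 1) }
    }
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    [pscustomobject]@{ Setting = 'ExecutionPolicy'; Value = $policy; Compliant = ($policy -eq 'AllSigned') }
}

function Get-RecentScriptBlocks {
    # Returns the last $Count logged script blocks so an analyst can review what ran.
    # In a 4104 event, Properties[2] holds the script block text.
    param([int]$Count = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
}

Enable-PowerShellLogging
Set-SignedScriptsOnly
Test-PowerShellLoggingPolicy | Format-Table -AutoSize
Get-RecentScriptBlocks -Count 5 | Format-Table -Wrap
```

Forward the 4103/4104 events to a central log collector so that they survive on a host that is later wiped; the transcript directory should likewise point at a location the host's own users cannot modify. Restricting which accounts may run PowerShell at all is done with AppLocker or Windows Defender Application Control policies rather than with the settings above.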