Security and Resilience (Cyber and Physical)

U.S. warns of growing Iranian cyber threat using destructive attacks

Against the backdrop of heightened tensions with Iran, the U.S. government said it is aware of a recent rise in malicious cyber activity directed at U.S. industries and government agencies by Iranian regime actors and proxies who are increasingly using destructive cyberattacks such as spear phishing.

Tensions between the U.S. and Iran have flared in the wake of two incidents in June.

First, earlier this month, two oil tankers were attacked near the Strait of Hormuz. The U.S. government has linked Iran to these attacks.

More recently, Iran on June 19 reported that it had downed a U.S. drone. President Trump set the wheels in motion for military action in response to the downing of the drone but subsequently called off the operation.

In response to reports of an increase in cybersecurity threats, Christopher Krebs, the head of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), on June 22 issued a statement in which he said that CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.

“We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe,” Krebs said.

He said that Iranian regime actors and proxies are increasingly using destructive “wiper” attacks, “looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing.”

What might start as an account compromise, “where you think you might just lose data, can quickly become a situation where you've lost your whole network,” Krebs said in the statement.

 "In times like these it's important to make sure you've shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident - take it seriously and act quickly,” the CISA Director said.

Krebs said that anyone who has relevant information or suspects a compromise should immediately send an email to DHS at: [email protected].

“Public power utilities should remain vigilant in protecting their cyber networks from these types of attacks,” said Nathan Mitchell, Senior Director of Cyber and Physical Security Services at the American Public Power Association.

“Now is a good time for utilities to review their cybersecurity defenses to ensure that they are robust and ready to effectively counter cyber threats,” he said. “Simple steps like multifactor authentication, routinely creating backups of your data, monitoring network traffic and sharing cyber incidents with federal and industry partners will help reduce the risk of cyber attacks being successful.”

Along with communicating with DHS, Mitchell encouraged Association member utilities to be aware of the Electricity Information Sharing and Analysis Center (E-ISAC) and the resources it offers.

The E-ISAC routinely monitors all threats to the grid and provides alerts to industry as needed when new or continuing threats emerge.

E-ISAC is a division of the North American Electric Reliability Corporation (NERC). However, all utilities can sign up for notifications from E-ISAC; they do not have to be registered with NERC.

The Association encourages its member utilities to sign up for the E-ISAC's portal to get alerts and resources to monitor and manage cyber threats.

Please visit the following links on the E-ISAC portal for additional information:

Reports say U.S. engaged in cyberattacks on Iran

Several media outlets reported in recent days that the U.S. government launched a cyberattack against Iran on the same day that President Trump cancelled military action against the country.

“The cyberattacks — a contingency plan developed over weeks amid escalating tensions — disabled Iranian computer systems that controlled its rocket and missile launchers,” the AP reported, citing U.S. officials. “Two of the officials said the attacks, which specifically targeted Iran’s Islamic Revolutionary Guard Corps computer system, were provided as options after Iranian forces blew up two oil tankers earlier this month,” the AP story said.

The Washington Post reported that President Trump signed off on the cyberattacks, which were done by  personnel with U.S. Cyber Command.

“United States Cyber Command on Thursday conducted online attacks against an Iranian intelligence group that American officials believe helped plan the attacks against oil tankers in recent weeks, according to people briefed on the operation,” the New York Times reported.

The action by U.S. Cyber Command “was a demonstration of the U.S.’s increasingly mature cyber military capabilities and its more aggressive cyber strategy under the Trump administration,” the AP reported.  “Over the last year U.S. officials have focused on persistently engaging with adversaries in cyberspace and undertaking more offensive operations.”

The AP report said that “hackers believed to be working for the Iranian government have targeted U.S. government agencies, as well as sectors of the economy, including finance, oil and gas, sending waves of spear-phishing emails, according to representatives of cybersecurity companies CrowdStrike and FireEye, which regularly track such activity.”

The new campaign “appears to have started shortly after the Trump administration imposed sanctions on the Iranian petrochemical sector this month,” the AP reported, noting that it was unclear if any of the hackers were able to get access to the targeted networks with the emails.

The National Security Agency told the AP on Friday that “there have been serious issues with malicious Iranian cyber actions in the past.” The NSA told the AP that “In these times of heightened tensions, it is appropriate for everyone to be alert to signs of Iranian aggression in cyberspace and ensure appropriate defenses are in place.”

Islamic Revolutionary Guard Corps designated a foreign terrorist organization

In April, The Trump Administration said that it was designating the Islamic Revolutionary Guard Corps as a foreign terrorist organization “to counter Iran’s global campaign of terrorism.”

Open source reports include the following attacks and campaigns attributed to Iran:

  • Shamoon: Destructive malware targeting Saudi Arabia oil/petrochemical sector and companies associated with it. First seen 2012, then again in 2016, and most recently in December 2018.
  • Operation Cleaver: Report released in 2014, stating the targeting of many countries and sectors, including U.S. energy and electric utilities.

June 25 webinar

Cyber threat intelligence firm Dragos will hold a webinar on “Rising Cyber Escalation Between US, Iran, and Russia: ICS Threats and Response” on June 25.

Additional information on the webinar is available here.