Businesses operating in Western countries across all industries, especially the energy sector, should be on alert this new year for cyberattacks by Iran state-sponsored groups and/or pro-Iran factions. The Iranians and their allies may seek to respond to the killing of Major General Qassem Soleimani on January 3, 2020 with asymmetric attacks, leveraging surrogates, as they have consistently done over decades, but there is also the possibility of more direct retaliation such as the missile attacks conducted on January 7, 2020 that targeted two Iraqi bases housing U.S. forces. In the near term, regional allies of the U.S. and international assets, such as shipping through the Strait of Hormuz, are likely targets.
Corporate interests could also be targeted, especially those with a high profile or assets of a high symbolic value, or those with activities seen as being aligned with the U.S. government, Israel or the Sunni Gulf states. The Iranians should be expected to favor cyberattacks, and Kroll recommends an immediate review to strengthen cyber posture in five critical areas:
- Activate or accelerate a vulnerability management program that includes security patches and penetration testing
- Deploy endpoint monitoring throughout as many systems as possible
- Expedite implementation of multifactor authentication (MFA) across all sensitive systems (email, financial, HR, etc.)
- Implement a disaster recovery and business continuity program that includes redundant offline backups (and test it)
- Source and validate threat intelligence expertise to provide broader insight into specific regional and industry actors
Additionally, organizations are strongly encouraged to assess existing measures related to people and facilities, including:
- Review your facilities’ physical security posture and determine what measures need to be enhanced
- Assess current and future employee travel within the Middle East, Africa and other regions that might be impacted
- Ask your employees to remain vigilant for individuals soliciting information about your company or personnel (in person, on the phone or online)
Iranian state-sponsored and affiliated actors are increasingly using ransomware, such as SamSam, as an attack vector. While many insurance policies have provisions to reimburse ransom payments should organizations decide to proceed in such a manner, organizations should note that, beyond a number of policy exclusions for incidents considered to be acts of war, it is illegal to make these kinds of payments to countries sanctioned by regulatory agencies like the Office of Foreign Assets Control (OFAC) in the US or the Office of Financial Sanctions Implementation in the UK.
While some law enforcement agencies like the FBI have softened their stance on ransomware payments, sanctions violations can lead to civil and criminal penalties in the seven-figure range. It’s imperative that organizations consider the ramifications of a cyberattack by actors in sanctioned countries and adjust incident response plans accordingly.
U.S. government action around 2012-2013 (similar to the recent U.S. military drone mission) resulted in a variety of Iran state-sponsored cyberattacks against American businesses and those of its allies, including distributed denial of service attacks that caused login pages to crash. Kroll threat intelligence, as well as open- and closed-source reporting, noted years-long Iranian campaigns to steal intellectual property from higher education institutions, particularly from researchers focusing on biological/biotechnology, chemical, defense, industrial, space and nuclear advancements. U.S. intelligence also confirmed Iranian operatives planted malware on industrial facilities, including dams. In 2016, the U.S. Department of Justice indicted seven people affiliated with the Islamic Revolutionary Guard Corps for “conducting a coordinated campaign of cyberattacks” against U.S. enterprises in the finance and energy sectors.
Speculation is growing that Iran and pro-Iran groups will shift the focus of some cyberattacks to industrial control systems used by power grids, manufacturing and oil refineries to create a widespread crisis. According to Forbes, “many of these systems are prime targets for several reasons, the main being they are generally old and poorly patched and managed. They were never meant to be connected to the internet and patchwork connectivity schema were designed before cyber threats were significant.”
According to open-source reporting in late 2019, the notorious Iranian hacking group APT33 (also known as Holmium, Refined Kitten or Elfin) was already eyeing critical infrastructure for attack. Signs of the shift in focus toward the infrastructure sector include a purportedly much smaller target group in 2019 than in previous years (2,000 versus tens of thousands, respectively), plus “half the top 25 [targets] were manufacturers, suppliers or maintainers of industrial control system equipment.” Reports from 2018 also indicated APT33 was likely behind refinements in the Shamoon malware, which was used against oil companies in the Middle East and Europe.
If you have questions or concerns or would like to schedule a consultation to assess where critical vulnerabilities might exist in your cyber environment, speak with a Kroll expert today.