Mon, Jan 13, 2020
Businesses operating in Western countries across all industries, especially the energy sector, should be on alert this new year for cyberattacks by Iran state-sponsored groups and/or pro-Iran factions. The Iranians and their allies may seek to respond to the killing of Major General Qassem Soleimani on January 3, 2020 with asymmetric attacks leveraging surrogates, as they have consistently done over decades, but there is also the possibility of more direct retaliation, such as the missile attacks conducted on January 7, 2020 that targeted two Iraqi bases housing U.S. forces. In the near term, regional allies of the U.S. and international assets, such as shipping through the Strait of Hormuz, are likely targets.
Corporate interests could also be targeted, especially those with a high profile or assets of a high symbolic value, or those with activities seen as being aligned with the U.S. government, Israel or the Sunni Gulf states. The Iranians should be expected to favor cyberattacks, and Kroll recommends an immediate review to strengthen cyber posture in five critical areas:
Additionally, organizations are strongly encouraged to assess existing measures related to people and facilities, including:
Iranian state-sponsored and affiliated actors are increasingly using ransomware, such as SamSam, as an attack vector. While many insurance policies have provisions to reimburse ransom payments should organizations decide to pay, organizations should note two things: many policies exclude incidents considered to be acts of war, and it is illegal to make these kinds of payments to parties sanctioned by regulatory agencies such as the Office of Foreign Assets Control (OFAC) in the U.S. or the Office of Financial Sanctions Implementation in the UK.
While some law enforcement agencies like the FBI have softened their stance on ransomware payments, sanction violations can lead to civil and criminal penalties in the seven-figure range. It’s imperative that organizations consider the ramifications of a cyberattack by actors in sanctioned countries and adjust incident response plans accordingly.
U.S. government action around 2012-2013 (similar to the recent U.S. military drone mission) resulted in a variety of Iran state-sponsored cyberattacks against American businesses and those of its allies, including distributed denial of service attacks that caused login pages to crash. Kroll threat intelligence, as well as open- and closed-source reporting, noted years-long Iranian campaigns to steal intellectual property from higher education institutions, particularly from researchers focusing on biological/biotechnology, chemical, defense, industrial, space and nuclear advancements. U.S. intelligence also confirmed Iranian operatives planted malware on industrial facilities, including dams. In 2016, the U.S. Department of Justice indicted seven people affiliated with the Islamic Revolutionary Guard Corps for “conducting a coordinated campaign of cyberattacks” against U.S. enterprises in the finance and energy sectors.
Speculation is growing that Iran and pro-Iran groups will shift the focus of some cyberattacks to industrial control systems used by power grids, manufacturing and oil refineries to create a widespread crisis. According to Forbes, “many of these systems are prime targets for several reasons, the main being they are generally old and poorly patched and managed. They were never meant to be connected to the internet and patchwork connectivity schema were designed before cyber threats were significant.”
According to open-source reporting in late 2019, the notorious Iranian hacking group APT33 (also known as Holmium, Refined Kitten or Elfin) was already eyeing critical infrastructure for attack. Signs of the shift in focus toward the infrastructure sector include a purportedly much smaller target group in 2019 than in previous years (2,000 versus tens of thousands, respectively), plus “half the top 25 [targets] were manufacturers, suppliers or maintainers of industrial control system equipment.” Reports from 2018 also indicated APT33 was likely behind refinements in the Shamoon malware, which was used against oil companies in the Middle East and Europe.
If you have questions or concerns or would like to schedule a consultation to assess where critical vulnerabilities might exist in your cyber environment, speak with a Kroll expert today.