Experts warn not to underestimate Iranian cyber capabilities. In the weeks since the United States executed a drone strike that killed Iranian general Qasem Soleimani, the cybersecurity world has braced for an attack. Prior to the assassination of Soleimani, Iran had already demonstrated its ability to successfully hack critical infrastructure, and many worried it was only a matter of time before the nation launched a retaliatory cyber attack against critical infrastructure in the United States.
Since then, Iran has retaliated with a missile strike on two Iraqi bases housing U.S. military forces. Iran also claimed responsibility for shooting down a Ukrainian passenger jet. But things have been largely quiet on the cyber front.
Cybersecurity experts believe Iranian cyber capabilities may be significant and that the nation could merely be biding its time before mounting an attack. They say now is the time to strengthen the United States’ cybersecurity before tensions reignite.
“Tensions between Iran and the US have simmered after Tehran admitted it mistakenly shot down a Ukrainian passenger jet, killing all 176 people onboard,” says Rob Scammel, technology deputy editor for GlobalData, a data analytics and consulting company. “While the rhetoric on both sides has been dialled down, cybersecurity experts warn that any Iranian cyber-response would likely come in the coming weeks and months – not imminently. This is in part because Iran, in all likelihood, does not currently have the access to US computer systems that it needs to launch what it deems a commensurate response. When carrying out a cyberattack, hackers often use a process known as ‘lateral movement’ to move around the target’s network, searching for the key data and assets before striking.”
While no large-scale cyber attack has been detected in the aftermath of the U.S. drone strike, low-sophistication cyber attacks have been observed. These include the defacement of a website, which conveyed politically motivated pro-Iranian and anti-American sentiments. However, experts urge vigilance, as Iranian cyber capabilities may prove to be significant.
Experts say these attacks were likely conducted by individuals or disorganized threat groups, not the Iranian government. However, they caution that just because an attack hasn’t been detected doesn’t mean an attack hasn’t occurred.
“We did not see much more than that, but of course it isn’t that simple,” Malcolm Taylor, director of cybersecurity at ITC Secure, said in a GlobalData release. “For example, it could be argued that a very strong Iranian cyber response may well have gone unnoticed – and could be in the form of laying down capability for later in case of increased tension with the US.”
Experts suggest that Iran has yet to attack because the nation’s operatives are working to develop the capability to successfully execute an adequate attack.
“Given the fact that we didn’t see anything in the immediate aftermath that was cyber-related, tells me that they probably didn’t have the assets that they needed to be able to pull off a proportionate response,” Dave Weinstein, chief security officer for cybersecurity firm Claroty, said in the release. “So what we’ll see I think in the coming weeks and in the coming months is just more and more operations geared at gaining that access.”
However, while Iran might not have the full capability to carry out a crippling cyber attack, the nation has already targeted government, military and critical national infrastructure in the United States, as well as the petrochemical industry abroad. According to a recent report by cybersecurity intelligence company CyberInt, the nation is likely to continue targeting these sectors.
CyberInt’s recent report examines Iranian cyber capabilities and threats. According to the report, previous Iranian cyber activity indicates that watering hole attacks may be used. The country has also demonstrated a history of attacking supply chains in an effort to infiltrate its intended targets. Common techniques used by Iranian threat groups also include the delivery of spear phishing emails and job vacancy lures.
“As such, and in accordance with the threat landscape as a whole, organizations should seek to eliminate these oft-used attack vectors by educating their users and practicing good cyber hygiene by ensuring systems are patched regularly,” the report says. “Additionally, users, especially high-risk individuals, should be cautious of social media interactions with unknown and untrusted parties as Iranian threat groups have been known to attempt to conduct social engineering and disinformation campaigns via common social media platforms.”