The war of words between the United States and Iran appears to be heating up in cyberspace. In recent weeks, the tension has grown palpable as the United States leads the drive to reimpose sanctions on Iran beginning Aug. 6. U.S. President Donald Trump and Secretary of State Mike Pompeo have traded heated threats with Iranian President Hassan Rouhani and Maj. Gen. Qassem Soleimani, the leader of the Islamic Revolutionary Guard Corps' Quds Force.
Though both sides are certainly capable of direct physical attacks, conventional warfare is not in their immediate interests. Iran has embraced cyberattacks as part of its asymmetric response to its Middle Eastern rivals and the United States, and this latest round of belligerence will likely be played out through cyber actions. And even though Iran doesn't pose as great a threat as China or Russia, its persistence and reliance on unsophisticated, yet tried-and-true tactics allow it to be successful in both cyber espionage and disruptive cyberattacks.
The United States and Iran have been posturing in expectation of the resumption of sanctions in August. In this conflict, Iran can be expected to rely heavily on cyberwarfare as an asymmetric tool to use against its larger rival. A review of previous campaigns undertaken by the Islamic republic may offer a sampling of what is to come.
Digital Over Physical
On July 25, Houthi militants backed by Iran successfully attacked a Saudi Arabian Oil Co. tanker, leading the state-owned energy giant to halt shipments through the strategic Bab el-Mandeb strait. However, nothing suggests that this attack was remarkably different from numerous similar Houthi assaults. And though a plot by Iranian intelligence to bomb an opposition rally outside Paris at the end of June demonstrated Tehran's intent to conduct extraterritorial attacks, its failure also showed the Islamic republic's limitations. The physical threat posed by Iran and its proxies to Western interests and to Saudi Arabia, the United Arab Emirates, other Gulf Cooperation Council members and Israel shouldn't be forgotten, but the asymmetric nature of the conflict between Iran and the United States means that Tehran is likely to rely heavily on cyber threats in an effort to strengthen its position.
On July 20, unnamed U.S. security officials warned NBC News that Iran was preparing to launch distributed denial of service (DDoS) attacks against U.S. infrastructure. And on July 25, Symantec Corp. reported on a new Iranian hacker group it called Leafminer. The group relies on well-established tactics to target hundreds of public and private organizations across the Middle East, Azerbaijan and Afghanistan. Given the increased risk of hostile cyber activity in the current environment, it is worth reviewing hallmark tactics associated with Iranian groups.
Iran has a well-documented history of using phishing (broad) and spear-phishing (targeted) attacks. Phishing involves persuading a target to open a corrupted file in an email, thus introducing malware to a particular device or entire network and granting the attackers access or control. In 2016, Iran unleashed a second round of attacks using the Shamoon malware, which in 2012 led to the destruction of thousands of Saudi Aramco computer terminals. The malware destroyed data and disrupted organizations across the Middle East. An IBM review of the attack in 2017 revealed that the malware was introduced to many of those organizations through the dissemination of resumes, cover letters and other job application materials, which concealed malicious scripts within seemingly innocuous Microsoft Word documents.
Also in 2017, an Iranian group dubbed APT33 (APT is an acronym for advanced persistent threat) flipped the script, sending job recruiting materials to employees within Saudi Arabia's aviation sector. The materials included links that loaded malware onto the users' devices and granted access to their companies' networks. Iranian groups play the numbers game when it comes to phishing attacks. According to a March 2018 U.S. federal indictment, one hostile cyber campaign compromised 8,000 of an estimated 100,000 targeted academics. Though an 8 percent success rate is certainly low, it can yield high numbers when the target set is large enough. In that case, academics from 21 countries received emails expressing interest in their work; the messages contained links to websites mimicking their university's login page. Any credentials entered went straight to Iranian agents, who could use them to log in to the legitimate university websites, exposing emails, research and contact lists.
But the attacks can be highly tailored to fit a situation. In 2016, a suspected Iranian operative posed as "Mia Ash," depicted on a fake Facebook page as an attractive young woman, and struck up a relationship with an employee at a major U.S. consulting firm. After establishing trust, "she" sent the worker some documents to review as a favor. The malware they contained allowed the operative to gain access to records on several of the firm's clients.
Mitigating these attacks requires employee training and discretion when it comes to opening links or documents from unknown or untrusted contacts. But even a single successful attack can give hackers access to proprietary accounts and networks. Email screening and anti-malware programs can block known malicious software even if employees take the bait, but as long as humans are behind the keyboard, they will continue to be the weakest link when it comes to new scripts and exploits.
That Password Won't Do
Brute-force password attacks are much easier to defend against. The same group that was indicted for targeting academics also successfully compromised accounts at 36 U.S. and 11 foreign companies by simply scanning the internet for corporate email accounts and trying some of the most common passwords to essentially guess their way in. It worked at least 47 times, meaning that at least 47 employees were using extremely weak passwords (think 123456789, or even "password"). The Leafminer group also used this tactic. A slightly more sophisticated spin on it involves scanning databases of previously breached usernames and passwords and trying those passwords with similar usernames on other accounts. This practice yields access often enough. Strengthening username and password security means disallowing the most common combinations and disallowing password recycling. Password management software can generate complex combinations and store them securely.
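The common-password guessing described above (often called password spraying) defeats per-account lockout thresholds because each account sees only one or two failures; grouping failures by source instead exposes it. The following detector is an added example written for this page, not code from the article; the log format, hostnames and addresses are constructed.

```python
"""Detect password-spraying patterns in constructed authentication log lines.

A spray tries a few common passwords against many accounts, so one source
touches many distinct usernames while each username sees few failures.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified syslog-like format (not real data).
SAMPLE_LOG = """\
2018-07-30T08:00:01 auth fail user=alice src=203.0.113.7
2018-07-30T08:00:05 auth fail user=bob src=203.0.113.7
2018-07-30T08:00:09 auth fail user=carol src=203.0.113.7
2018-07-30T08:00:14 auth fail user=dave src=203.0.113.7
2018-07-30T08:00:20 auth ok user=dave src=203.0.113.7
2018-07-30T08:01:00 auth fail user=erin src=203.0.113.7
2018-07-30T08:02:00 auth fail user=alice src=198.51.100.9
2018-07-30T08:02:03 auth fail user=alice src=198.51.100.9
2018-07-30T08:02:07 auth fail user=alice src=198.51.100.9
2018-07-30T08:02:10 auth fail user=alice src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth (fail|ok) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4):
    """Return {src: {"sprayed": [...], "compromised": [...]}} for each source
    that fails against at least min_users distinct accounts inside `window`.
    "compromised" lists sprayed accounts that later succeeded from that source."""
    fails = defaultdict(list)      # src -> [(ts, user)] in time order
    successes = defaultdict(set)   # src -> {user}
    for ts, outcome, user, src in sorted(parse(log_text)):
        if outcome == "fail":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    alerts = {}
    for src, events in fails.items():
        for i, (start, _) in enumerate(events):      # sliding window per source
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                alerts[src] = {"sprayed": sorted(users),
                               "compromised": sorted(users & successes[src])}
                break
    return alerts
```

The second source in the sample (four failures against one account) is a classic brute-force attempt that per-account lockout already handles, so it is deliberately not flagged here.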
Infecting Everybody Who Visits
One of Iran's most active cyber groups goes by the name Charming Kitten and has been associated with at least two so-called watering-hole attacks this year; such attacks compromise a website in order to infect its visitors. In July, the group disguised a malware file as a link to a cybersecurity conference on a Los Angeles Jewish community newspaper's website. Small organizations with small or nonexistent security budgets, such as the newspaper, are more susceptible to this tactic. However, the Leafminer group proved more sophisticated, compromising websites owned by the Lebanese government, a Saudi health-care service and an Azerbaijani university in order to infect visitors. Charming Kitten has also concocted websites with addresses that mimic legitimate ones. It added ".net" to the domain name for the German news service Deutsche Welle (www.dw.com) and created the fictitious British News Agency to persuade inattentive targets to click links that download the malware.
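Both the suffix-appended Deutsche Welle lookalike described here and the mimicked university login pages sent to academics earlier in the article share one signature: a trusted domain name appears inside the hostname, but the host is actually registered under some other domain. The check below is an added example for this page, not the article's or any vendor's code; the allowlist, the exact lookalike hostname and the attacker domain are constructed assumptions.

```python
"""Flag URLs whose hostname borrows a trusted domain but is registered
elsewhere, e.g. a brand with an extra suffix appended or a university
login page reproduced under an attacker-controlled domain."""
from urllib.parse import urlsplit

# Constructed allowlist of domains the organisation actually trusts.
TRUSTED = {"dw.com", "example-univ.edu"}

def registrable_domain(host):
    """Last two labels of the host. Simplification assumed for this example:
    a production check should consult the Public Suffix List so that
    multi-label suffixes such as 'ac.uk' are handled correctly."""
    return ".".join(host.split(".")[-2:])

def lookalike_reason(url, trusted=TRUSTED):
    """Return None if the URL's host belongs to a trusted domain (including
    its own subdomains), otherwise a string naming the trusted domain it
    imitates and the domain it is really registered under."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "no hostname"
    labels = host.split(".")
    real = registrable_domain(host)
    if real in trusted:
        return None                     # www.dw.com, sso.example-univ.edu ...
    for name in sorted(trusted):
        parts = name.split(".")
        n = len(parts)
        # The trusted name appears as a contiguous run of labels, but the
        # host's registrable domain is something else: a lookalike.
        for i in range(len(labels) - n + 1):
            if labels[i:i + n] == parts:
                return f"host imitates {name} but is registered under {real}"
    return None
```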
A History of Mass Attack
There is good reason to heed the July 20 warning by U.S. security officials about a DDoS attack. From 2011 to 2013, Iran carried out a series of successful DDoS attacks against major financial institutions, disrupting their online services and costing them tens of millions of dollars. It even tried to shut down a hydroelectric dam in New York. DDoS attacks attempt to overwhelm networks with fraudulent requests designed to block legitimate users from accessing the services. The 2011-13 attacks served as a kind of wake-up call to companies of the disruptive threat that such attacks can pose to businesses whose customers have grown to rely on instantaneous, 24/7 connectivity. Even a few hours of downtime can lead to millions in lost revenue and reputational damage. While many services have cropped up in recent years to identify and block these attacks, the proliferation of connected devices — through the internet of things — means that attackers have more potential weapons to use. One such company dedicated to blocking DDoS attacks, Dyn Inc., was itself successfully targeted in a massive 2016 attack, which harnessed hundreds of thousands of unprotected devices.
But not all attacks are aimed directly at the end targets. The cyberattack cycle is defined by a continuous effort to increase access and authority in order to get closer to the intended target. In Iran's case, the prey includes the governments of the United States, Saudi Arabia and other Gulf countries as well as their private-sector partners. An attack might start by targeting an academic or private-sector employee who may have nothing to do with Iran but whose email account carries more legitimacy and is therefore more likely to persuade a follow-up target to open a corrupted document or click a malicious link. In intelligence parlance, a compromised email account can be used as the attacker's cover for status. Multiple campaigns attributed to Iran (as well as to other state-backed and criminal groups) have exhibited this behavior, highlighting the importance of always using discretion when opening files or clicking links, even when sent by seemingly legitimate accounts.
As geopolitical tensions rise, Iranian cyber groups will continue — and likely increase — their targeting of public and private organizations. The good news is that the tactics they have traditionally used can be defended against with awareness and knowledge of how their deceptions work. Iran plays the numbers game, but most people can avoid having their ticket punched.