Christopher C. Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), issued a warning about a potential new wave of Iranian cyber-attacks targeting U.S. assets after Maj. Gen. Qassim Suleimani was killed by a U.S. airstrike at the Baghdad airport in Iraq.
“Given recent developments, re-upping our statement from the summer,” Krebs said in a rare warning on Twitter.
“Bottom line: time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS,” he added. “Make sure you’re also watching third party accesses!”
“The Department of Homeland Security stands ready to confront and combat any and all threats facing our homeland,” Acting Secretary Chad F. Wolf also said today in a statement.
“While there are currently no specific, credible threats against our homeland, DHS continues to monitor the situation and work with our Federal, State and local partners to ensure the safety of every American.”
Statement on June 2019 data wiper attacks
CISA had also warned in June 2019 of an increase in cyberattacks by Iranian regime actors and their proxies that used destructive wiper tools against U.S. industries and government agencies.
According to Krebs’ June statement on Iranian cybersecurity threats, also published on Twitter, these attacks relied on common initial-access tactics such as credential stuffing, spear phishing, and password spraying.
“What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network,” CISA’s Director said.
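The tactics Krebs names all leave traces in authentication logs, and password spraying in particular has a distinctive shape: one source trying many accounts with only one or two attempts each, so that no single account trips a lockout. The Python script below is added here as an example and is not code from CISA or from the article. It runs that heuristic over a constructed sample log (the line format, IP addresses, account names and thresholds are assumptions chosen for illustration) and reports any later successful login from the spraying source, which is the “account compromise” Krebs describes as the starting point of a wider intrusion.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for this example (not from the article).
# Assumed line format: "<ISO-8601 timestamp> <FAIL|OK> user=<account> src=<source IP>"
SAMPLE_LOG = """\
2020-01-03T02:00:01 FAIL user=alice src=203.0.113.5
2020-01-03T02:00:14 FAIL user=bob src=203.0.113.5
2020-01-03T02:00:29 FAIL user=carol src=203.0.113.5
2020-01-03T02:00:45 FAIL user=dave src=203.0.113.5
2020-01-03T02:01:02 FAIL user=erin src=203.0.113.5
2020-01-03T02:01:18 FAIL user=frank src=203.0.113.5
2020-01-03T02:02:00 FAIL user=alice src=198.51.100.7
2020-01-03T02:02:05 FAIL user=alice src=198.51.100.7
2020-01-03T02:02:09 FAIL user=alice src=198.51.100.7
2020-01-03T02:02:15 FAIL user=alice src=198.51.100.7
2020-01-03T02:02:30 OK user=alice src=198.51.100.7
2020-01-03T02:03:40 OK user=erin src=203.0.113.5
2020-01-03T02:05:00 FAIL user=gina src=192.0.2.9
2020-01-03T02:05:10 FAIL user=hank src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_password_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Flag a source IP whose failures within `window` span at least `min_users`
    distinct accounts with at most `max_per_user` attempts each (the low-and-slow
    pattern sprayers use to stay under lockout thresholds). Any success from the
    same source after the spray began is reported as a likely compromised account.
    A single account failing many times from one source is NOT flagged: that is a
    brute force or a forgotten password, and a different detection."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None  # (distinct account count, window start) for the widest qualifying window
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward so fails[start:end+1] fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[0]:
                    best = (len(per_user), fails[start]["ts"])
        if best is None:
            continue
        distinct, first = best
        compromised = sorted(
            {e["user"] for e in evs if e["result"] == "OK" and e["ts"] >= first}
        )
        findings.append({
            "src": src,
            "distinct_users": distinct,
            "first_seen": first.isoformat(),
            "compromised_accounts": compromised,
        })
    return findings


if __name__ == "__main__":
    for finding in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the sample data the script flags only 203.0.113.5 (six accounts, one attempt each, followed by a successful login as erin) and ignores 198.51.100.7, whose four failures against a single account are a different pattern. The thresholds are the tunable part: lower `min_users` for small environments, and treat any finding with a non-empty `compromised_accounts` list as an incident rather than an alert.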
While Krebs’ statement did not point to any specific attack, previous attacks that used wiper malware show how much damage they can cause:
- In 2012, Shamoon was used as a political protest against Saudi Arabia, destroying data on more than 30,000 computers.
- In 2017, the NotPetya wiper, which posed as ransomware, used the EternalBlue exploit together with stolen credentials to spread across and destroy vulnerable systems.
- Again in 2017, another anti-Israel and pro-Palestinian data wiper dubbed IsraBye pretended to be ransomware.
- In 2018, a SWIFT banking hack used the KillDisk wiper to destroy data and take down roughly 9,000 computers and 500 servers as a distraction for security teams while the hackers made off with around $10 million.
- Also in 2018, yet another wiper called Olympic Destroyer was used to attack the Pyeongchang 2018 Winter Olympics’ computer systems.
Tonight’s elimination of Qasem Soleimani might bring some retaliation from Iran, especially from the Revolutionary Guard. As a reminder, here are a few cyber operations previously conducted by Iran: Shamoon, Ababil, SamSam and many others. Watch your logs.
— Omri Segev Moyal (@GelosSnake) January 3, 2020
Krebs suggested the following CISA bulletins to those who want to learn more about how to effectively protect against such attacks:
For those who only want the single most effective defense against a wiper attack, the answer is the same as for a ransomware infection: a working, tested backup of all critical data is what gets you back up and running.
That backup only helps if the attacker cannot reach it. Keep copies offline or on immutable storage protected by separate credentials, and rehearse the restore, because an actor who already has enough access to wipe your data can also wipe any backups that are mounted or reachable with the same accounts. With such a backup in place, even if attackers gain access to your network and destroy data, you can restore it.
“Iran has leveraged wiper malware in destructive attacks on several occasions in recent years,” John Hultquist, FireEye Director of Intelligence Analysis adds. “Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations.
We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.”
“We are already seeing Iranian disinformation efforts by these networks surrounding last night’s strike, and the U.S. should expect that Iranian influence efforts surrounding the U.S. will increase over the coming days or weeks as political developments evolve,” Lee Foster, FireEye Intelligence Information Operations Analysis Senior Manager, also explains.