Byron Acohido, 30 January 2020
Long stretch of reconnaissance, malware plantings position Iran to carry out varied attacks on the U.S. and its allies
Less than 48 hours after the killing of Iran’s General Qasem Soleimani, the U.S. Department of Homeland Security issued a bulletin calling out Iran’s “robust cyber program,” and cautioning everyone to be prepared for Iran to “conduct operations in the United States.”
In fact, strategic cyber operations essentially pitting Russia and Iran against the U.S. and Saudi Arabia have been steadily escalating for at least the past decade, with notable spikes in activity throughout the course of 2019.
The Soleimani assassination simply added kerosene to those long-flickering flames. Since the killing, there has been a marked increase in probing for vulnerable servers – focused on industrial control systems in facilities in both the Middle East and North America. This escalation of reconnaissance is being closely monitored by the global cybersecurity and intelligence communities. Jeremy Samide, CEO of Stealthcare, a Cleveland-based cyberthreats intelligence gathering consultancy, is in the midst of it.
Samide and other experts say what’s coming next is very likely to be a series of varied attacks as combatants on all sides leverage footholds gained from ongoing intelligence gathering and malware planting. Evidence of this gelling scenario are called out in a recent report from Dragos, a Maryland-based supplier of industrial controls security systems, and also in a technical report issued earlier this month by Saudi Arabia’s National Cyber Security Center.
“This isn’t something that’s going to happen overnight,” Samide told me. “Iran’s response will be long and drawn out. There will very likely be a number of smaller and medium-sized attacks, culminating in a larger attack that will be highly coordinated and strike at just the right time. And it might not be Iran directly retaliating alone. It very well could involve multiple state actors, adversarial to the West, joining forces to co-ordinate an attack, or even multiple attacks.”
There has been plenty of news coverage of certain high-profile Iranian and Russian cyberattacks; not nearly as much on clandestine U.S. and Saudi cyber operations. Clearly, the U.S. is no patsy. The drone strike taking out Soleimani itself demonstrated America’s singular ability to potently blend cyber ops with physical firepower.
“Adversaries should remember that our military doctrine identifies cyber as one of our combined arms capabilities,” says Greg Touhill, president of AppGate Federal Group, a Florida-based supplier of software perimeter security systems. “To ignore U.S. cyber capabilities working in conjunction with our other instruments of power would be foolish.”
Here are a few key things everyone should understand about the cybersecurity ramifications spinning out of the Soleimani assassination.
There was strong anti-American sentiment woven into the Shamoon “wiper” virus that devastated Saudi oil company Aramaco in August of 2012. Shamoon wiped clean the hard drives of more than 30,000 Aramaco computers forcing a weeklong shut down of the company’s internal network. Buried in the Shamoon code was an image of a burning American flag, intended as an admonishment to the Saudi government for supporting American foreign policy in the Middle East.
“Many years ago, the Iranians realized that if they attempted to challenge the United States in conventional warfare, they would quickly lose,” Touhill told me. “As a consequence, they invested in asymmetric capabilities, especially cyber operations, and employed those capabilities for well over a decade against the United States and other target sets. The cyberattacks against Saudi Arabian oil infrastructure are an indication of their capability and intent to adversely affect critical infrastructure.”
When it comes to cyber warfare, America is no shrinking violet, of course. One prime demonstration of U.S. cyber ops capability is Stuxnet, the self-spreading Windows worm found insinuating itself through Iranian nuclear plants in 2010. Stuxnet was discovered only because it caused computers to shut down and reboot repeatedly. That was a glitch. Stuxnet was intended to quietly gain deeper footholds and thus remain in prime position to access industrial controls of Iranian plants at an opportune moment.
It’s notable that hacks to gain access to, and maintain control of, industrial control systems are a recurring theme in cyber warfare. Russia has twice now knocked out Ukraine’s power grid for extended periods, in the Industroyer attacks of December 2015 and again in December 2016.
And hackers linked to the Russian government were reportedly behind the Triton hack of 2017, as well, as disclosed by security vendor FireEye. In the Triton attack, the hackers managed to gain control of the Schneider Electric Triconex Safety Instrumented System (SIS) inside a Saudi petrochemical plant. Shneider SIS systems serve as a failsafe mechanism in all types of large industrial plants; they automatically shut down industrial processes when operating parameters approach a dangerous state.
Try and try again
Similar to what happened with Stuxnet, a glitch tripped up the Triton hackers – they outed themselves by inadvertently triggering an unnecessary shutdown. The rather remarkable Saudi technical report I cited above supplies very recent evidence that the targeting of industrial control systems has become a staple of modern cyberwarfare. The big takeaway I got from this report is that determined hacking groups will try and try again.
The Saudis aren’t known for being transparent. That’s what makes the report, issued by the Saudi NCSC, so surprising. It describes malware being iterated by hackers who’ve clearly been doing this for a long while. The report discloses a new strain of wiper malware, dubbed Dustman, found to be targeting entities within the Middle East through the course of 2019. Saudi analysts intercepted a copy of Dustman and watched as it detonated on Dec. 29. Here’s what the analysts observed:
“Dustman has different characteristics when compared to the multiple wiper malwares that have been observed through the years, especially the Shamoon variants, although they all use the same third-party driver, Eldos RawDisk. Furthermore, Dustman varies in terms of techniques and capability, when compared to Shamoon… from the observed behavior and capabilities, Dustman can be considered as a new variant of ZeroCleare malware.”
One high-level takeway from the Saudis’ Dustman report is that it sheds light on the level of persistence and creativity of very focused threat actors who appear to have made a career out of hacking industrial controls. It also shows that the Saudis have come a long, long way with respect to better protecting their industrial infrastructure.
“The Saudi Aramaco attack changed everything for that part of the world,” says Roger A. Grimes, a data defense expert at cybersecurity training vendor KnowBe4. “Before that, Middle East computer security was almost non-existent. But losing 32,000 computers, servers and workstations, and the shutting down of the number one wealth producer for the country had a way of creating focus. Saudi Arabia and its allies worked very hard to come up to speed.”
Yet Saudi Arabia can ill afford to rest on its laurels. And neither can its chief ally, the U.S. The Soleimani assassination has heightened motivation for Iran, and its chief ally Russia, to develop more potent strains of malware to gain strategic advantage. And there is more incentive for criminal hacking collectives, whether sponsored by any given nation state or not, to step up their routine activities of probing, targeting and breaching.
As geopolitical tensions between the U.S. and Iran heated up through the course of 2019, so did intel gathering and malware planting by the cyber operatives, presumably on all sides. Stealthcare, for instance, closely monitored how much attention got focused on seeking out systems exhibiting certain unpatched Microsoft Windows vulnerabilities.
The endgame through the course of 2019 was mainly to identify specific vulnerable systems, and then sell access to such systems, Samide says. “You can easily purchase access to vulnerable U.S. infrastructures and those of its allies,” he says. “We can see them selling access to systems across Asia, Europe and North America, broken down, city by city.”
Essentially, access to a breadth of vulnerable systems is readily available and theoretically could be marshaled by any focused adversary intent on disrupting the U.S. electrical grid. The Drago report lends color to this looming threat, a threat that was in place when a U.S. drone fired on Gen. Soleimani’s carcade.
Issued a few days after the killing, the report assesses cyber risks of North American electrical utilities, identifying 11 hacking groups that target energy sector companies. The report cites examples of numerous intrusions of industrial controls for reconnaissance purposes, noting that this is playing out up and down the supply chain. Hackers seeking to get in position to take over control or otherwise disrupt utilities are seeking paths through original equipment manufacturers, third-party vendors, and telecom providers.
The report goes on to describe how a group of state-sponsored hackers, referred to as Elfin or APT33, carried out extensive “password-spraying” attacks. They use a botnet to feed a large number of usernames and passwords into accounts associated with the targeted entity. The end game was to implant malware designed to put the attacker in position to cause prolonged outages, equipment destruction and potential injury to humans.
“These groups are looking for ways to cause the greatest amount of disruption with the least amount of effort possible,” says Jason Kent, hacker in residence at Cequence Security. “Attacks like these have been going on for a long time but in the wake of what has transpired, I would expect the sophistication and level of intensity to increase.”
We’ve now reached the point where nation-state adversaries understand the value of probing for soft spots down the supply chain, and tactically moving to usurp control from that perch. We’re coming off an extended period of intel gathering and malware planting, presumably by all sides. Cyber strikes, alone or with the coordinated help of an ally, appear to be Iran’s only tangible weapon.
The U.S. struck a resounding blow, and Iran has vowed to retaliate. As we wait for what comes next, the one thing you can do as an individual is reduce your digital footprint. And as a company decision maker, you can promote cyber hygiene. For whatever’s coming, it can make a difference.