Over the last decade, Iran has waged several destructive cyber attacks against governments and private companies, becoming infamous for its deployment of wiper malware as well as its retaliatory attack strategies.
As of the end of 2021, in addition to attacking governments and nation-state resources, Iran has been increasing its focus on private companies such as utilities, oil companies, and telecommunications providers. Among other tactics, Iranian attack groups have been using ransomware to raise funds and/or disrupt their targets' operations, applying stealth, patience, and persistence in the early phases of an intrusion. Alongside Russia and China, Iran is therefore a dangerous cyberspace adversary that organizations in both the private and public sectors must defend against.
How did we get here?
Since the Arab Spring, Iran has protected its assets in cyberspace largely with technology imported from China and Russia. Iran's regime considers a domestic uprising to be an existential threat. As Iranian protest organizers expand their influence on the internet, the regime monitors its own citizens and curtails internet freedoms inside the country. It infiltrates the websites and email accounts of political dissidents and routinely censors online content and communications. These actions are characteristic of totalitarian regimes and stand in complete contrast to the commitment of western democracies to an open and free Internet.
Iran's leadership believes its primary threats come from foreign powers, and its relationships with western democracies and with other countries in the Middle East therefore remain tense. Unsuccessful nuclear deal talks and sanctions have left the Iranian regime in a continual state of crisis and on a war footing. The killing of Qasem Soleimani by the US in January 2020, Iran's shooting down of a Ukrainian airliner that same month, and continued conflict over the development of Iranian nuclear capabilities have all motivated offensive cyber operations and investment in them.
A risk-averse player, Iran prefers asymmetric strategies to pursue its political and military goals. Cyberwarfare gives the country a low-cost means to conduct espionage and to strike adversaries with superior military and technological capabilities, such as the United States. Cyberspace is therefore an attractive domain for attack: it lets Iran exploit adversary vulnerabilities at low intensity, with tooling that is cheap to acquire and deploy, while achieving high impact and, in the case of ransomware, significant potential financial gain. With COVID-19 having hit Iran particularly hard, cyber attacks are more attractive now than ever before.
What are the Iranian cyber capabilities?
Iran's cyber attack capabilities rest with a few key institutions:
- The Iran Passive Defence Organization, which founded the Iranian Cyber Headquarters in 2011. This organization centralized the regime's cyber activities while holding a mandate to protect the country's infrastructure.
- The Iranian Army – focused on securing the country
- The Iranian Revolutionary Guards – focused on securing the Islamic political system
The main recent change in Iran's cyber attack capability has been a heavy reliance on contractors and freelancers. This is a consequence of the economic embargo and a shortage of resources, which have forced Iran to find creative ways to staff its attack groups, and it blurs the lines between espionage, state-directed attack, and criminal groups.
From a cyber-defense perspective, Iran benefits from Chinese and Russian surveillance technologies deployed domestically. Fortunately, offensive tooling from these nations does not appear to be shared in the same way, which forces Iran to build its own cyber attack program, a slower and more expensive path.
While Iranian cyber operators are not considered especially advanced in technical sophistication, the regime's deliberate plans for aggressive and destructive campaigns greatly increase the threat to organizations in countries that oppose Iran. Highly disruptive attacks, ostensibly carried out at the behest of the Ayatollah, have included disk-wiping attacks against Saudi oil companies (most notably the 2012 Shamoon attack on Saudi Aramco) and large-scale denial-of-service attacks against the U.S. financial sector in 2012 and 2013. These campaigns display contempt for their targets and demonstrate the regime's intent to retaliate within the cyber domain.
In the last two years, we have followed dozens of malicious cyber campaigns attributed to Iranian threat actors, and we can see that the regime's plan has come full circle: it now has a full-fledged program to harass, disrupt, and punish its adversaries across the Middle East and the globe.
What this means for your organization
Having touched on the threats, motivation, and capabilities of the Iranian regime, we can see the challenge facing organizations in Iran-opposing countries, which must take new steps to secure themselves. Not every organization will need to add Iran to its threat register, and for most there are other nation-state grade threats that rank higher on the list. However, many organizations should be concerned, particularly across the US and the Middle East. Sectors at elevated risk include:
- Finance/banking (a continuous focus of Iranian attacks)
- Energy/oil and gas (Iran is advancing its industrial control system attack capabilities)
- Utilities
- Government/military
- Telecommunications
This is not an exhaustive list; Iranian cyber operations are documented across the world and in virtually every industry. Each organization must determine its own threat profile.
In practice, many organizations will have to adopt new defensive strategies if they want to keep their data and assets secure and avoid catastrophic consequences.
What to expect in 2022 and beyond?
At HolistiCyber we anticipate growth in both the sophistication and the frequency of Iranian cyber attacks through 2022 and beyond, with global and regional targets selected according to the fragile geopolitical situation. We also expect more private companies to be targeted with Iranian malware and other offensive cyber operations.
The number of Iranian cyber attack campaigns documented by the security community in just the past two years indicates a significant volume of operations directed by the regime's political and military leadership. That volume raises the likelihood that additional, still-undetected attacks are ongoing in stealth mode.
We have found that most enterprises attacked by Iranian actors lack the tools, knowledge, and experience to defend their data and assets against nation-state grade threats. The increase in attack volume and sophistication shown by Iranian groups suggests the threat is accelerating, and countering it requires new and innovative defenses and countermeasures. At the tactical level, enterprises must also have a strategy to detect their security gaps and vulnerabilities continuously, so that they can keep pace with these evolving threats.
Nation-state grade threats frequently target entire industries through the same vulnerabilities, escalating step by step through the Cyber Kill Chain. Many enterprises are not even aware that they have been compromised. A new approach is increasingly necessary to detect vulnerabilities, risks, and active attacks, and to prevent catastrophic consequences.
What should we do about these threats?
An offense-driven methodology, built from simulated attacks (penetration tests, red team/blue team exercises, tabletop exercises, and similar) together with organizational defense, enables governments and enterprises to defend against these emerging nation-state grade threats in real time without hindering productivity. The method weighs threats against each organization's unique attack surface, vulnerabilities, and business needs, and analyzes how each risk would affect the organization's operations and potential financial losses. The result is a risk tolerance score for each risk. Beyond a defined risk tolerance threshold, a risk becomes unbearable for the company if it is to sustain its business, and it must be dealt with forcefully and promptly.
A clear cyber defense plan that prioritizes the vulnerabilities posing an immediate threat to business functionality over those that can be dealt with later is the key to protecting organizations against Iran's threats and many others.
To learn more, book a conversation with us today.