Many cybersecurity experts expect a new cyberattack campaign from Iran in retaliation for the drone-based killing of Iranian Gen. Qassem Soleimani in early January.
While some cybersecurity professionals have observed additional activity from Iranian hackers since the attack on Soleimani — the website of the Federal Depository Library Program was defaced with a pro-Iran message a day later — many say the big push is still to come.
Other experts, however, question whether U.S. defenders would be able to determine if future attacks are fueled by the killing of Soleimani, given that Iranian hackers are already very active in their attacks on U.S. targets.
Organizations in the United States operating industrial control systems, government agencies, oil and gas companies, and energy utilities should be on alert in the coming weeks, said Richard Henderson, head of global threat intelligence at Lastline, a cybersecurity vendor. Other experts suggested defense contractors, manufacturers, aerospace firms, chemical companies, and research organizations could be targets.
“It is almost a foregone conclusion that we will now see retaliatory cyberattacks on U.S. assets by Iran,” he said. “The very nature of asymmetric warfare means that Iran has very little to lose by doing so. Cyberwarfare is now being treated as a force multiplier by smaller nations against much more powerful nations like the United States.”
U.S. targets should expect Iranian attackers to launch phishing campaigns; “wiperware,” which wipes the hard drives of targeted computers; and password spray attacks, in which hackers try to gain access to a large number of accounts using common passwords, said Sean Deuby, director of services at Semperis, a cybersecurity vendor.
“When it comes to Iran’s cyberthreat, by no means should we assume that the worst is over,” Deuby said. “Cyberattacks have become one of their key capabilities, approaching the sophistication of China, Russia, and North Korea.”
While most cybersecurity experts expect the amount of Iranian hacking activity to increase, some are not predicting a significant cyberattack from Iran. So far, Iranian hackers have targeted social media and minor U.S. government websites, said Rob Richer, an adviser at Fidelis Cybersecurity and a retired CIA executive.
“Iran or its proxies will focus on soft cyber targets,” Richer said. “Iran will try to irritate but not do such damage as to invite serious responses, cyber or otherwise, unless the situation between Iran and the United States escalates.”
For the moment, an escalation seems less likely than in early January, but “that could change immediately with an action by either side that ‘required’ some type of face-saving or more active response,” he added.
Many security experts said it’s a good time for U.S. organizations to reassess their cybersecurity defenses and attack recovery capabilities. With many breaches starting with compromised user credentials, U.S. organizations should beef up their identity security with techniques such as multifactor authentication, said Deuby.
“But just as much or even more than prevention, organizations really need to focus on their recovery strategies,” he added. “The bad guys will always find a way in.”
Organizations should have regularly tested offline backups coupled with automated recovery to protect against ransomware and wiper attacks, he suggested. “And practice, practice, practice your disaster recovery drills.”
Beyond improving defenses, much of the burden for limiting the damage lies in the hands of the two governments involved, said Eric Poynton, lead network threat hunter at Awake Security.
“De-escalating this conflict is really more about politics than cybersecurity,” he said. “One way this seems to be playing out, however, is through back-channel diplomacy. We wouldn’t be surprised if these discussions draw a red line on what kinds of cyberattacks will be considered acts of war and result in military retaliation.”