The Department of Homeland Security on Monday issued guidance to U.S. companies and government agencies on securing their computer networks following the killing last week of a top Iranian general.
The advisory from DHS’s Cybersecurity and Infrastructure Security Agency acknowledges the considerable capabilities at Iran’s disposal should the Islamic Republic choose to retaliate in cyberspace, and urges organizations to consider whether they make an attractive target for Tehran’s hackers.
Iran and its proxies have a history of “disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations, and an increased interest in industrial control systems and operational technology,” the advisory says. Iranian operatives could also steal intellectual property or conduct cyber-espionage “to enable a better understanding of our strategic direction and policy-making,” according to CISA.
“Review your organization from an outside perspective and ask the tough questions—are you attractive to Iran and its proxies because of your business model, who your customers and competitors are, or what you stand for?” the advisory states.
CISA also on Monday released a more technical advisory to security professionals that included a list of techniques associated with Iranian hacking groups and how to combat them.
The U.S. killing of Maj. Gen. Qassem Soleimani, who was the architect of Iran’s foreign military operations, was a major escalation of tensions in an already fraught U.S.-Iran relationship. The primary U.S. concern will be with Iranian retaliation through physical violence carried out on U.S. personnel or allies. But hacking could very well factor into Tehran’s response.
Experts told CyberScoop that U.S. companies and government agencies should be mindful of Iranian operatives’ penchant for data-wiping malware and their recent interest in industrial control systems.
In an assessment of terrorism-related threats from Iran, Acting Homeland Security Secretary Chad Wolf mentioned the role that hacking could play in Iran’s retaliation for Soleimani’s killing.
“Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” Wolf said in an advisory on Saturday.
And, of course, Iran could use cyber-espionage to collect intelligence for a physical attack.
“Iran, like others, has recently focused on moving upstream by compromising telecoms and travel. That way they can identify and track specific people,” tweeted John Hultquist, director of intelligence analysis at security firm FireEye.
Some coalescing thoughts on Iran's cyber capability. The first is that while cyberattack (disruption/destruction) is on the table, the most consequential capability may be cyber espionage. There will be cyber espionage against gov/mil targets as well as personnel of interest. 1/x
— John Hultquist (@JohnHultquist) January 5, 2020
To conduct that espionage, Iranian hackers could turn to Domain Name System records. Dubbed the “phone book of the internet,” the DNS system translate a domain name to a valid IP address, sending a user to the website they are trying to access. Hackers have previously used compromised DNS servers to try to steal login credentials and conduct espionage at government agencies in the Middle East, according to private-sector researchers.
A year ago, DHS’s CISA grew so concerned by the threat of DNS hijacking that the agency issued its first emergency order to federal civilian agencies that instructed them to secure their DNS records. The order gave agencies 10 business days to implement important security practices such as adding multi-factor authentication to their DNS accounts.
While U.S. government agencies have made progress on DNS-related security in the year since the DHS directive, Iranian computer operatives could look for another weakness to exploit in future hacking operations.
In the advisory issued Monday, CISA urged companies and government agencies to closely monitor network traffic, including data flowing into industrial control systems.
“Flag any known Iranian indicators of compromise and tactics, techniques, and procedures for immediate response,” the memo says.