Cybersecurity Has Changed Forever

Does the Iranian Threat of Cyber Retaliation Change the Way We Need to Think and Prepare for Attacks?

The U.S. strike that killed Qassem Soleimani could have a dramatic impact on how we prepare for and respond to cyberattacks in the United States as Iranian cyber actors have significant experience in destructive “wiper” attacks that have historically not targeted the U.S. mainland.

The cybersecurity threat most companies have faced historically is data exfiltration. The attackers break into a system, elevate their access, download sensitive data, and extort or sell the data for a profit or influence. The data is not lost, the systems are still operational, and the company has to deal with both the embarrassment and potential regulatory fines for the loss of sensitive data. In this type of incident, the company’s operations are not impeded.

On the other hand, ransomware is a more malicious attack where the data is locked or system access is blocked and operations are impacted but, in many cases, a company is able to pay the ransom to the extortionist or restore data from backups to resume its operations. In the past few years these forms of attack have been increasing in frequency with targets particularly focused on local governments and healthcare, both of which lack the sophistication to prevent such attacks.

The History of Iranian Cyberattacks

Iran, itself, has been severely impacted by debilitating and extremely advanced malware campaigns since at least 2009. Some famous examples of these sophisticated efforts include industrial sabotage via Stuxnet (2009 – 2010), espionage with Duqu (2009 – 2011), and Flame (2012). These campaigns have targeted Iran’s nuclear program and oil and gas operations. Stuxnet was an eye-opening event for Iranian authorities, exposing them to the world of physical destruction via electronic means. As time progressed, the attacks became “wiper” campaigns that wiped out entire systems to the point that data was not recoverable.

By 2012, Iranian actors had begun to turn the tables, with the vengeance of a victim. They attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.

In 2012, a major retaliation “wiper” campaign, known as Shamoon, targeted and impacted the energy sector in the Middle East. It’s estimated that Shamoon impacted over 35,000 computers and organizations spent tens-of-thousands of hours recovering from the attacks. The direct monetary costs from this retaliation and the amount of downtime experienced were staggering. Shamoon was truly a breakpoint event for security defenders. It was the first indications of the capability and intent of Iranian cyber skills.

Previous attacks attributed to Iran have, for the most part focused, on the Defense Industrial Base (DIB), the United States Federal Government, or targets in Middle Eastern countries. Other operations have shifted focus to a wider variety of targets, including energy producers and utilities, commercial airlines and airports, military intelligence, aerospace, hospitals, and even universities – with only ten of the targets based in the United States.

Where Is Iran Today?

The Iranian government has long been an “enemy” of the West, and the United States in particular, but today stories run the gamut from nuclear capability, to human rights, to terrorism, to cyber warfare, and revenge. Iran’s cyber sophistication has grown rapidly since the dawn of Stuxnet and they have used hard dollars combined with national pride to help build a cyber army. Few doubt Iran’s commitment as a government and nation-state to funding and recruiting cyber warriors to infiltrate and damage their enemies. They have long desired power on the political stage, in particular in the fight for nuclear power autonomy.

The government of Iran, and particularly the Islamic Revolutionary Guard Corps (IRGC), is backing numerous groups and front entities to attack the world’s critical infrastructure. As security experts in Critical Infrastructure and Key Resources (CIKR), Industrial Control Systems (ICS), Supervisory Control and Data Acquisition (SCADA) systems, Building Management Systems (BMS), embedded systems and fixed-function systems, we know how easy they are to hack. We have worked with countless organizations throughout the years to notify them of vulnerabilities, assist with remediation efforts, and help mitigate threats to their environments. Unfortunately, many critical infrastructure organizations are unable to secure their complex environments against modern attacks – – healthcare, in particular.

These changes on the global stage will increase risk as well as the need to mitigate and manage all cyber risks. In the current tense situation, it may make sense that Iran or their agents might target the energy sector or the power grid – where they have previously launched “successful” attacks in multiple countries across the globe. Unfortunately, we must recognize that healthcare is one of 16 critical infrastructure sectors and is behind in terms of cyber protection and resiliency. Despite major efforts in the last decade the sector still lags and offers many opportunities for skilled hackers.

It should be noted that Iran also has large influence operations. In 2019 Twitter said it removed nearly 4,800 accounts based in Iran. Iran is also active in intelligence collection. One of the more infamous attacks was known as “Chafer,” targeting the travel industry where travel records were gathered in a likely attempt to understand which individuals were pro/con the regime by understanding travel patterns.

What Has Changed?

Intelligence collection – this becomes an asset in whatever the Iranians may be planning and is exactly why they have been gathering data across the globe in the first place.

Offensive operations – this is where we are likely to see a significant change. Most of the dialog to date has been focused on attacks to critical infrastructure such as water, power, and the energy sector. This is pulling from their old playbook where the intent of their operations was to drive economic gain. By attacking the oil and gas infrastructure of their regional competitors, they drove up demand for their own energy.

The intent now becomes political in nature – figuring out how to drive an impact and prove that they can operate on the world stage. Targeting the energy sector is an economic target. Consequently, their “weapon” of choice is a series of “wiper” attacks. Where could they target differently to gain a political impact of significance on U.S. targets and a target that would clearly hit the U.S. population? Look no further than what you can learn from recent ransomware attacks in local governments and healthcare.

If the Iranians pivot their targeting, they already know they can be successful. In fact, they can buy ransomware targets from the criminal underground where pwned (player owned) targets are readily sold. The difference is that rather than deploying malware that will facilitate a payment and unlock infrastructure, they can destroy it with “wiper” malware.

What Does it Mean for Healthcare?

Hitting state and local governments is a solid political target. It gains significant attention and state and local government defenses are not as mature or robust as the U.S. government or finance. If you consider the similarities and frequency of attacks in healthcare (ransomware, for example), healthcare could be another political target. Consider how when an attacker takes down a hospital…patients often must be diverted to other facilities for care and it can have a long-lasting regional impact. Also, keep in mind that healthcare represents almost twenty percent of the Gross Domestic Product, making it an even more attractive political target. Healthcare organizations should be prepared for such an attack.

The issue with ransomware is that you may have the chance to “buy” your data back and you may have backups that can be restored, however with these destructive “wiper” attacks, you are down to a bare metal environment – – no operating system, no applications, etc. Everything is gone, not just the data. This will change how organizations respond. Even if the attacks target the “grid,” their typical target and ICS systems in energy, it will impact healthcare where power outages are usually planned for durations of around three days, not extended periods.

How Do I Prepare?

Security Best Practices

First and foremost, you should be implementing security best practices if you are not already. Some things that should already be in place include:

• Reduce privileged accounts within the environment.
• Implement multifactor authentication (MFA) throughout the environment.
• Baseline internal network activity and monitor for possible lateral movement.
• Patching is critical to preventing exploitation of existing vulnerabilities and subsequent remote compromise.
• Enact PowerShell protections.
• Have backups, test backups, and keep offline backups.
• Store backups apart from the primary network and only allow read only access to the backups.
• Those with responsibility for setting up backup systems should also ensure they are available not only in cases of fire, flood, and earthquakes—disaster continuity—but that they are safe from the reach of attackers who may be searching for them internally.
• Consider an action plan for quickly establishing a temporary business functionality.

Incident Response

In addition to your ongoing security plans, having a well-documented and thought out incident response plan is more critical now than ever. It should address completing and testing response plans under pressure. Use well-tailored tabletop exercises and, ideally, a cyber range simulation to ensure your organization is ready, both tactically and strategically, for destructive malware attacks. Exercising incident response procedures also provides an opportunity to cultivate a culture of security within the organization and get leadership involved so that they understand the situation and can make the best decisions at the right time. Mature response plans require testing and adjustment, and with proper training, defenders can work to ensure that team members know the plan and will be able to implement it effectively when the time comes to respond and remediate.

Threat Intelligence

Utilize resources from organizations such as H-ISAC and ISAOs to understand the risk to your organization. Each threat actor has different motivations, capabilities, and intentions, and threat intelligence can help provide insights that increase the efficacy of an organization’s preparedness and eventual response to an incident.

Don’t Rely on Cyber Insurance

Many do not realize that cyber insurance WILL NOT PAY in a destructive attack if it is considered an “act of war” from a foreign nation versus a criminal act. This devolves into an interesting legal dialog about who can declare or define an act as warfare. Check your cyber insurance policy, as it is most likely not going to pay if a foreign nation wipes out your entire system.

Resources

https://www.cylance.com/content/dam/cylance/pdfs/reports/Cylance_Operation_Cleaver_Report.pdf

IBM’s Combating destructive malware: Lessons from the front lines August 2019

2019ibmSecCombatingDestructiveMalwareReport_Final6

https://www.cshub.com/attacks/news/incident-of-the-week-shamoon-virus-cripples-hundreds-of-computers

https://www.us-cert.gov/ncas/alerts/aa20-006a

https://h-isac.org/

https://www.cisa.gov/information-sharing-and-analysis-organizations-isaos

Further Media:

Podcasts: CynergisTek CEO Caleb Barlow just recorded two podcasts where he provides his knowledge and previous experience from leading IBM’s X-Force Threat Intelligence Team^* that responded to devastating wiper attacks.

• Listen to The CyberWire Daily Podcast, “No Major Iranian Cyberattacks Against the U.S. so Far as Both Sides…” 
• Listen to HealthInfoSecurity’s podcast, “Preparing for Potential Iranian Wiper Attacks” 

Other Industry Sources

• Alert (AA20-006A) Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad
• What the Iran Situation Means for Health Data
• DHS National Terrorism Advisory System
• CISA Insights January 6, 2020