Cyberwarfare with Iran – DHS Issues National Terrorism Advisory System Bulletin

How to Prepare for the Potential Cyber Security War Between the US and Iran

A cyberwar with Iran is an increasing possibility as tensions rise and the volley of retaliatory attacks continues. Iran maintains a robust cyber program and has sharpened its hacking groups’ skills over the past ten years. Although they are still not the most technically capable state-sponsored hackers, they have already successfully attacked U.S. targets and can certainly cause more damage. The U.S. Department of Homeland Security (DHS) has issued a National Terrorism Advisory System Bulletin warning that Iran can carry out disruptive cyberattacks against U.S. critical infrastructure, which puts services such as electricity and medical care at risk. Consumer devices such as smartphones, routers, and laptops are also plausible targets for Iranian hackers seeking revenge.

Private-sector industries such as banking, health care, and energy are likely targets of Iranian state-sponsored hacking groups. Major cities including Atlanta, Boston, Baltimore, and New Orleans have been hit by ransomware in 2018 and 2019, shutting down services for millions of residents and showing how disruptive and expensive an attack on ordinary office computers can be.

Iran has already infiltrated Western critical infrastructure, including banks, dams, and universities. Following the killing of Islamic Revolutionary Guard Corps Quds Force commander Qasem Soleimani in a U.S. drone strike in Baghdad on 3 January 2020, many analysts expect cyberattacks to be at least one avenue of Iranian retaliation.

Iran’s Supreme Leader Ayatollah Ali Khamenei warned that “harsh retaliation is waiting” for the U.S. after the killing of General Soleimani. At her father’s funeral, Soleimani’s daughter Zeinab warned the families of U.S. soldiers deployed in the Middle East that they “will spend their days waiting for the death of their children.”

The US Department of Homeland Security (DHS) stated, “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

Iranian Hacker Groups

Like other technologically advanced countries, Iran has its own cadre of Advanced Persistent Threat (APT) groups: organized, usually state-sponsored hacking teams responsible for some of the most successful cyberattacks in the world. The “APT” numbers are designations assigned by a security vendor (FireEye/Mandiant) to track a cluster of activity by its tooling, infrastructure and targeting; other vendors assign their own names to the same clusters (CrowdStrike’s “Kitten” names for Iranian groups, Microsoft’s chemical-element names), which is why one group often carries several names. Researchers name the activity rather than the government behind it because attribution rests on technical overlaps, not on an admission. For example, the group Kaspersky calls Equation Group is widely assessed to be tied to the U.S. National Security Agency. APT groups are skilled and work low-and-slow, stealing large volumes of data over long periods, often years.

Advanced Persistent Threat Group APT33

APT33 is an Iranian state-backed group, active since at least 2013, that targets the aerospace, defense, and petrochemical industries and has been linked to wiper malware that destroys data. The same activity is tracked under other names by different vendors: Elfin (Symantec), Refined Kitten (CrowdStrike), Magnallium (Dragos), and Holmium (Microsoft).

Advanced Persistent Threat Group APT34

APT34, also tracked as OilRig and Helix Kitten, is an Iranian state-sponsored cyber-espionage operation active since at least 2014. It focuses on intelligence collection from the financial, energy, utilities, and oil and gas sectors as well as government entities, most of them in the Middle East.

Iranian Hacker Group IRIDIUM

IRIDIUM is the name a private security firm uses for an Iranian state-sponsored hacking group. It attacks political targets in the Five Eyes countries: the United States, United Kingdom, Australia, Canada, and New Zealand. The firm attributed the 2019 intrusion into Australian parliamentary networks to IRIDIUM, describing it as retaliation for Australia considering withdrawing support for Iran because of Australia’s ties to Israel, and also linked the group to the 2017 attack on the email accounts of members of the British Parliament. Neither attribution has been publicly confirmed by the governments involved; attribution of this kind rests on overlaps in tooling and infrastructure and should be read as an assessment, not a finding.

Advanced Persistent Threat Group APT35

APT35, also known as the Newscaster Team (and tracked as Charming Kitten and Phosphorus), is an Iranian state-sponsored APT group that steals strategic intelligence from targets in the U.S. and the Middle East. Targets include military, diplomatic and government personnel and media organizations; industries targeted include energy, defense, engineering, business services, and telecommunications.

What Was the Cyber Attack on Iran?

A cyberattack on Iran, widely attributed to the United States and Israel but never officially acknowledged, used a worm known as Stuxnet to sabotage the uranium-enrichment centrifuges at Iran’s Natanz facility. It was deployed around 2009 and discovered in 2010. Stuxnet reportedly destroyed almost twenty percent of Iran’s centrifuges by driving them outside their safe operating speeds while feeding normal-looking readings back to the operators. It did not shut the nuclear program down, but it set it back.

Citrix Data Breach – March 2019

The state-sponsored hacker group IRIDIUM was blamed for a breach of Citrix Systems, whose virtual desktop and file-sharing services are used by more than 400,000 organizations, including most of the Fortune 500. The hackers reportedly focused on aerospace industry data and stole documents belonging to the FBI, NASA, and Saudi Arabia’s state-owned oil company. Citrix handles sensitive projects for White House communications, the U.S. military, and the FBI, as well as thousands of private companies. The attribution to IRIDIUM came from a private security firm, not from Citrix or from the FBI, which notified Citrix of the intrusion.

MS Outlook Iran Cyberattack – July 2019

United States Cyber Command (USCYBERCOM), based at Fort Meade, Maryland, warned on 2 July 2019 that it had observed active exploitation of a known Microsoft Outlook vulnerability, CVE-2017-11774, in activity that researchers tied to the Iranian state-sponsored group APT33. Microsoft patched the flaw in October 2017. It is a security feature bypass rather than a remote code execution bug: an attacker who already holds a victim’s Outlook credentials (for example from an earlier phishing campaign) sets a malicious folder “home page” URL in the user’s Outlook registry settings, and when the user next opens that folder Outlook renders the attacker’s page with enough privilege to launch a payload on the machine. The defensive lesson is that the patch alone is not enough: credentials exposed in earlier intrusions must be reset, and the registry values involved can be audited.

CISA Warns of Increased Iranian Cyberattacks – June 2019

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of an increase in phishing emails sent to U.S. targets. Iranian hackers were attempting to get wiper tools, which destroy data, onto corporate networks and computers. Wipers are more damaging than ransomware, spyware or other malware because there is no ransom to pay and nothing to decrypt: recovery depends entirely on backups the attacker could not reach. The phishing emails were attributed to Iranian-backed APT33, also known as Magnallium or Refined Kitten.

Iran Drone Strike – June 2019

In June 2019, Iran shot down a U.S. Navy surveillance drone near the Strait of Hormuz, claiming it had entered Iranian airspace. The Pentagon confirmed the downing but stated that the drone was in international airspace over the strait.

Iran Oil Tanker Attack – June 2019

On 13 June 2019, two oil tankers were attacked in the Gulf of Oman after transiting the Strait of Hormuz. The U.S. blamed Iran for the attacks, which it said were carried out with limpet mines. Iran denied involvement.

U.S. Cyber Command reportedly carried out a retaliatory cyberattack that disabled Islamic Revolutionary Guard Corps computer systems used to control rocket and missile launches. The operation was in response to the drone shootdown as well as the recent attacks on oil tankers in the area.

LinkedIn Iran Cyberattack – July 2019

Iranian state-sponsored hacking group APT34 ran a phishing campaign on the social networking site LinkedIn. Targets received connection requests from fake profiles that claimed to work at Cambridge University. If a target accepted the connection and then followed a link to download and open the file the attacker sent, the device was infected with three previously unseen malware families.

Hacker LinkedIn Connection Malware

Malicious Site Targets U.S. Veterans – September 2019

A website targeting U.S. veterans looking for work was attributed to the Iranian hacking group Tortoiseshell. Visitors who accepted the file download the site offered had their computer or laptop infected with malware.

FDLP Website Hack- 04 January 2020

The home page of the U.S. Federal Depository Library Program (FDLP) website was defaced with anti-Trump messaging on 4 January 2020. Although a note at the bottom of the replacement page claimed it was the work of Iranian hackers, the identity of the attackers has not been confirmed; a defacement claiming an origin is not evidence of that origin. The FDLP website is a low-value and mostly symbolic target. The program provides the public with free access to Federal Government information, including bills, statutes, court opinions, and other government publications.

Saudi Aramco Cyberattack

In what is believed to be one of Iran’s first major cyberattacks, hackers knocked out more than 30,000 computers belonging to the Saudi state oil company, Saudi Aramco, in 2012. The attack crippled Aramco’s business operations for weeks and was one of the costliest hacks ever at the time. It used wiper malware known as Shamoon, which targeted the company’s administrative Windows computers but not the industrial control systems that run oil production.

Which Country Has the Best Hackers in The World?

Iran isn’t the most powerful cyber threat, but it shouldn’t be underestimated. Iran is considered an emerging military power in the arena of cyberwarfare, and the country has been both an aggressor and a victim. Iran’s Cyber Defense Command has been operating since November 2010 as part of the country’s Passive Civil Defense Organization, which is a subdivision of the Joint Staff of the Iranian Armed Forces. Iran lacks the overall cyber capabilities of Russia, China, or the U.S., but its hackers can still do damage.

Iran Population 2019

Iran has an estimated population of about 82.91 million in 2019, which ranks 19th in the world.

Are You Vulnerable to Hackers?

Hardware and apps connected to the internet, including smart TVs, phones, laptops, tablets, and routers are inherently hackable and nothing is 100 percent safe.
The U.S. National Terrorism Advisory System bulletin came with a warning and a set of steps to take to secure your data.

  • Use strong passwords that are unique and hard to guess for each online account. Use a password manager (vault) to generate strong passwords and store them securely
  • Keep copies of important information as local files on your laptop or phone, not only in cloud storage, so it stays available if internet connectivity is lost. A local copy is exactly what wiper malware destroys, so also keep an offline copy on a removable drive
  • Store phone numbers as a local text file on a removable drive, or print them on paper
  • Have a plan for operating without internet connectivity or IoT devices
  • Be wary of suspicious emails, especially those with attachments or links to websites or files; most of the campaigns described above started this way
  • Use multi-factor authentication, biometric or otherwise, on every account that supports it
  • Stay informed: subscribe to our newsletter and to DHS bulletins