US DHS Warns Iranian Cyberattack Could Damage Critical Infrastructure


US Conflict Sparks Iranian Cyberattack Concerns – Department of Homeland Security Asks for Vigilance with Cyber Security

The U.S. Department of Homeland Security (DHS) has warned the public about the potential damage that Iranian cyberattacks could cause to U.S. businesses and individuals. On the heels of the assassination of Iranian commander Qasem Soleimani and the threat of ‘forceful revenge,’ defense and intelligence officials are bracing for a volley of Iranian cyberattacks. The cyberwarfare could be devastating. Incapacitation or destruction of critical infrastructure would have a debilitating effect on security, national economic security, national public health, manufacturing, or safety.

DHS issued a National Terrorism Advisory System (NTAS) Bulletin renewing concerns about Iran's cyberattack capabilities. Current political tensions may open a new warfront, cyberwarfare, that has little precedent and few rules. The bulletin states that “Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.” But the bulletin goes on to assure that, “At this time there is no specific, credible threat against the homeland.”

Businesses are bracing for a potential onslaught of cyberattacks that Iran may launch as revenge after a U.S. airstrike killed Iranian Revolutionary Guards Corps Quds Force commander Qasem Soleimani in Baghdad. The potential uptick in network-enabled spying and damaging cyber attacks will most likely focus on critical infrastructure, especially government systems.


Previous Iran Cyber Attacks

Iran has launched successful cyber attacks against the United States. Its first attempts, in 2009, included rudimentary distributed-denial-of-service (DDoS) attacks and basic webpage defacements. A website defacement is what happened on 04 January when the U.S. Federal Depository Library Program (FDLP) site was hacked and defaced with anti-U.S. President Trump messaging. The incident is a nuisance but not especially damaging.

In 2012, hackers targeted and manipulated search query commands on the Navy Marine Corps Intranet. In 2013, an Iranian hacker breached the control system of a dam in Rye, New York. In 2015, Iranian hackers deployed wiper malware in a cyber attack on 35,000 office computers owned by Saudi Aramco. This still shows a gap in skill compared with Chinese, Russian, and U.S. hackers, who are able to attack the control systems themselves.

Ahead of the 2015 Iran nuclear deal, increased Iranian cyber attacks targeted U.S. financial organizations. The Las Vegas Sands casino's systems were wiped clean, resulting in $40 million in damage. In 2017, the Iranian state-sponsored hacking group APT33 attacked aerospace and petrochemical targets across the United States, Saudi Arabia, and South Korea. APT33 set up malicious domain names to send phishing emails impersonating Boeing, Northrop Grumman, and various joint security contractor contacts.

What are the Critical Infrastructure Sectors?

Presidential Policy Directive 21 (PPD-21) identifies sixteen critical infrastructure sectors whose assets, systems, and networks are considered vital to the United States. They are listed on the DHS website. Their incapacitation or destruction would have a debilitating effect on national security, economic security, public health or safety, or any combination of the aforementioned areas.

Presidential Policy Directive 21 Critical Infrastructure Sectors:

  • Chemical Sector
  • Commercial Facilities Sector
  • Communications Sector
  • Critical Manufacturing
  • Dams
  • Defense Industrial Base Sector
  • Emergency Services
  • Energy Sector
  • Financial Services
  • Food and Agriculture
  • Government Facilities
  • Healthcare and Public Health Sector
  • Information Technology (IT) Sector
  • Nuclear Reactors, Materials, and Waste
  • Transportation Systems
  • Water and Wastewater Systems

Signs of an Advanced Persistent Threat Group Cyber Attack

  • Excessive Login Attempts – Excessive login attempts, whether successful or unsuccessful, may be a sign that an APT group is lurking. Brute-force login attacks are a common way to break into corporate accounts, and login attempts at odd hours of the night should raise suspicion even if the attacker is using a low-and-slow strategy to stay under lockout thresholds.
  • Increased Malware Detection – An increase in the amount of malware detected by intrusion detection software may be a sign that an APT group is trying to infiltrate an IT network. Attackers may repeatedly target the same system until one attempt succeeds.
  • Increased Usage of Network Resources – Increased use of network resources, including bandwidth, may be a sign that malware is exfiltrating large volumes of data to the attackers.
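The first warning sign above, excessive and low-and-slow login attempts at odd hours, can be checked mechanically against authentication logs. The following script is an added example and not code from the article or from DHS; the sshd-style log lines are constructed, the IP addresses come from documentation ranges, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article), sshd-style, documentation IP ranges.
SAMPLE_LOG = """\
2020-01-06 02:14:03 sshd[811]: Failed password for admin from 198.51.100.7 port 51022
2020-01-06 02:41:10 sshd[811]: Failed password for admin from 198.51.100.7 port 51023
2020-01-06 03:09:55 sshd[811]: Failed password for admin from 198.51.100.7 port 51024
2020-01-06 03:38:21 sshd[811]: Accepted password for admin from 198.51.100.7 port 51025
2020-01-06 09:00:01 sshd[812]: Failed password for alice from 203.0.113.9 port 40001
2020-01-06 09:00:02 sshd[812]: Failed password for alice from 203.0.113.9 port 40002
2020-01-06 09:00:02 sshd[812]: Failed password for alice from 203.0.113.9 port 40003
2020-01-06 09:00:03 sshd[812]: Failed password for alice from 203.0.113.9 port 40004
2020-01-06 10:15:30 sshd[813]: Accepted password for bob from 192.0.2.44 port 50000
"""
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) \S+ (?P<result>Failed|Accepted) password for \S+ from (?P<ip>\S+)")

# Assumed thresholds; tune them to the environment being monitored.
BURST_FAILURES = 4                    # failures from one source treated as "excessive"
SLOW_MIN_FAILURES = 3                 # low-and-slow: fewer attempts...
SLOW_MIN_GAP = timedelta(minutes=15)  # ...but spaced out to stay under lockout rules
OFF_HOURS = range(0, 6)               # 00:00-05:59 local time

def parse(log_text):
    """Yield (timestamp, result, source_ip) for every line the regex understands."""
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["result"], m["ip"]

def analyze(log_text):
    """Return {source_ip: set_of_flags} for sources that show the warning signs above."""
    events = defaultdict(list)
    for ts, result, ip in parse(log_text):
        events[ip].append((ts, result))
    findings = {}
    for ip, evs in events.items():
        flags = set()
        fails = sorted(ts for ts, r in evs if r == "Failed")
        if len(fails) >= BURST_FAILURES:
            flags.add("excessive_failures")
        gaps = [b - a for a, b in zip(fails, fails[1:])]  # time between consecutive failures
        if len(fails) >= SLOW_MIN_FAILURES and gaps and min(gaps) >= SLOW_MIN_GAP:
            flags.add("low_and_slow")
        if any(ts.hour in OFF_HOURS for ts, _ in evs):
            flags.add("off_hours")
        if fails and any(r == "Accepted" and ts > fails[-1] for ts, r in evs):
            flags.add("success_after_failures")  # guessed credentials that finally worked
        if flags:
            findings[ip] = flags
    return findings
```

Calling `analyze(SAMPLE_LOG)` flags the 198.51.100.7 source for spaced-out overnight failures followed by a success and 203.0.113.9 for a rapid burst, while the single legitimate login from 192.0.2.44 is not reported.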

To defend against APT hacking groups, organizations should practice data breach and emergency response simulations. System administrators need to exercise increased vigilance, especially during periods of political tension, and ensure that their IT security systems are patched and kept up to date. All employees, including non-technical employees, should be trained in cyber security awareness and best practices. Phishing email detection and response needs to be highlighted in cyber security awareness training.

What Is A Cyber Attack?

A cyberattack is any type of malicious action that targets and attempts to disrupt or damage computer systems, network infrastructures, software, apps, computer networks, or personal devices. Cyberattacks may steal information from, alter, destroy, or erase vulnerable systems, devices, or programming.

What Was the Cyber Attack on Iran?

Stuxnet is a family of malicious computer worms first seen in 2010 but suspected of having been in development since 2005. Stuxnet attacks Supervisory Control and Data Acquisition (SCADA) systems which are computer control systems for industrial plants, manufacturing facilities, and power plants. Stuxnet was used in an American-Israeli cyber attack to damage the Iranian nuclear program. It damaged about one fifth of Iran’s nuclear centrifuges.

What is Cyber Warfare?

Cyber warfare is an attack using the internet to damage, disable, or erase equipment or data on computers, servers, information networks, routers, smartphones, tablets, or other internet-connected devices. Cyber warfare is carried out by a nation-state or other organization through phishing campaigns, malware attacks, computer viruses, or denial-of-service attacks.

For all computer and smartphone users, strong passwords, anti-virus software, and two-factor authentication (2FA) are a must.

What Are the Types of Cyber Attacks?

  • Denial-of-service (DoS) and Distributed Denial-of-service (DDoS) Attack – A denial-of-service (DoS) attack is any type of attack where the attackers (hackers) attempt to prevent legitimate users from accessing a service. In a DoS attack, the attacker usually sends excessive messages asking the network or server to authenticate requests that have invalid return addresses.
  • Man-in-the-middle (MITM) Cyber Attack – In a man-in-the-middle attack, the hacker covertly intercepts, relays, and alters communications between two parties who believe they are communicating directly with each other. Using a VPN will shut down many of the places where a MITM attack might happen, but not all of them.
  • Phishing Email Attack – A phishing attack is when a hacker sends malicious emails to hundreds or thousands of people to try to trick them into taking an action that causes financial loss, information theft, or device damage. Phishing emails frequently steal login credentials and money. The emails tend to scare people into an action like resetting a password or sending money.
  • Spear Phishing Attack – Spear phishing attacks are the same as phishing email attacks except that they are targeted at one person or a very small group of people. The hacker already knows something about the recipients and is able to tailor the messaging to be more personal and effective.
  • Cyber Espionage – Cyber espionage is a cyber attack used by skilled Advanced Persistent Threat (APT) groups to spy on a political organization or corporation. APT groups infect targets' machines or entire networks with computer worms to gather intelligence about an organization over long periods of time.
  • Spyware Cyber Attack – Spyware attacks infect a computer with malicious programming that monitors and sends sensitive data back to the hacker. Some spyware consists of legitimate apps sold to parents to monitor their children's whereabouts and activity on their phones. However, spyware is often used by hackers and scammers to send fraudulent messages and spread malware.
  • Password Cyber Attack – A password attack is when a hacker uses a library of common words, names, and passwords to try to brute-force their way into an online account. The best way to protect against a password attack is to use a strong password that is unique for each online account. If you cannot keep track of multiple passwords, use a password vault instead.
  • SQL Injection Attack – In an SQL injection attack, a hacker sends malicious SQL commands to an online database, often one used by a website, to damage the database or steal information.
  • Cross-site Scripting (XSS) Attack – A cross-site scripting attack injects malicious code into trusted websites. The hacker manipulates the vulnerable website so that a webpage sends malicious JavaScript to users. The script executes within the victim's browser and compromises information on the user's end.
  • Social Engineering – Social engineering is a seemingly benign form of cyber attack where the hacker gathers personal information like name, employer, hometown, and birthdate. Many spear phishing attacks begin with social engineering.