Limited Targeting of U.S. Entities Following Death of Iranian General Soleimani
■ The Iranian government and multiple hacktivist groups across Iran vowed to retaliate against the U.S. after a January 3rd airstrike in Baghdad killed Major General Qassem Soleimani.
■ The websites of one U.S. government entity and several U.S. universities were targeted over the weekend with defacement campaigns attributed to various Iranian cyber crime groups. Online chatter from discussion forums suggests these groups will continue to target U.S.-based entities and American interests overseas.
■ Industry organizations and regulators, including CERT, CISA, DSAC and the New York Department of Financial Services, have recently issued alerts and/or warnings related to the heightened risk of Iranian cyber activities.
■ While no new Iranian cyber threats against critical infrastructure or major industries have been identified at this time by official U.S. sources, Aon recommends clients take proactive measures to heighten monitoring efforts, harden key security systems, and enhance cyber security control measures.
Overview
Aon’s Cyber Solutions observed an uptick in Iranian defacement campaigns targeting U.S. government and university websites following the death of Major General Qassem Soleimani on January 3, 2020. Targeted U.S. entities to date reportedly include the Federal Depository Library Program, the University of Washington, the University of Maryland Baltimore County, Harvard University’s Bulyk Lab and other minor websites, according to open sources.
The websites and subdomains of these organizations were defaced with pro-Iranian messages that claimed “Hacked by Iran Cyber Security Group.” U.S. officials did not immediately confirm if the campaigns were carried out by state-sponsored hackers.
A review of activities noted on various defacement archive sites credited Iranian cyber crime groups and hacktivists such as “Spad Security Group,” “Rmx Team,” “Bax 026 of Iran,” “Shield Iran,” “Liosion Team,” “Iranonymous Tm,” and “Alfa Team,” among others.
Since January 3, 2020, Aon observed the creation of multiple pro-Iranian pages on social media, underground discussion forums, and closed messenger services such as Telegram that call for retaliation. These channels have 100,000 to 200,000 followers and primarily post anti-U.S. propaganda that may be used to rally hacktivists to conduct additional cyber campaigns.
Iran’s Cyber Targeting
Iran maintains a robust cyber program that has reportedly leveraged asymmetric warfare capabilities and a cadre of hacktivists and hackers to attack financial institutions, casinos, critical infrastructure, and global oil and gas companies in the past.
■ 2012: DDoS attacks against U.S. banks, including Bank of America, Wells Fargo and JPMorgan Chase
■ 2012: Shamoon attack on Saudi Aramco
■ 2013: Hacking of control systems at a New York-based dam
■ 2014: Cyber attack on Sands Casino following anti-Iran comment by executive
Recommendations
Heightened geo-political tensions can create dynamic cyber risks depending on your business environment. Aon supports clients in diverse industries to help mitigate these threats and risks. At a minimum, we recommend prioritized focus on the following areas, which Aon’s Cyber Solutions can assist clients with immediately:
■ Redouble Efforts for Vulnerability Management Across All Critical Technologies and Platforms: Now is a good time to perform scanning, analysis and testing for vulnerabilities in the environment. Does the organization have a holistic approach to identifying, analyzing, remediating, and tracking weaknesses and “holes” across the environment?
■ Implement Threat Monitoring for the Organization: Monitor for security anomalies, suspicious or malicious behavior, and advanced persistent threats. Does the organization have a holistic approach to identifying, analyzing and addressing these threats on an ongoing basis?
■ Incident Response Planning is Key: Is the organization prepared for a cyber incident or breach, including the type of attacks that have been attributed to Iran over the past few years? Have key processes, accountability, roles, responsibilities, partners, and tools been evaluated, defined, tested, and updated? Does the organization have relationships with Incident Response and Digital Forensics providers? When was the last time a Tabletop or other “test” of current plans and processes was performed?
■ Execute a Prioritized and Accelerated Assessment of Key Controls: In consideration of historical Iranian-attributed cyber attacks, has the organization implemented appropriate preventative, detective and recovery controls? Is there sufficient ongoing testing, monitoring, and continuous improvement of these controls? This should include consideration of threats such as denial of service attacks, malware, phishing, account takeovers, and attacks on infrastructure and network vulnerabilities.
■ Ensure that Restricted Access Controls and Mechanisms are Optimized: Has the organization sufficiently restricted access to systems, networks, applications and data? Have Multifactor Authentication, Privileged Access Management, and other critical Identity and Access Management (IAM) controls been reviewed and validated recently?
■ Consider Critical Third Parties: The organization should inquire and evaluate what its most critical third parties, supply chain and business partners are doing in consideration of Iranian cyber threats.
■ Reinforce Security Awareness and Training: Revisit and enhance the measures that an organization has in place to continuously influence human behavior related to cyber security risks and threats. Do key personnel know “what to be on the lookout for,” and do they know “what to do” in the event of a suspected incident?
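The defacement campaigns described above and the threat-monitoring recommendation can be illustrated with a small web-content integrity check. The following Python script is an added example and is not Aon's tooling or code from the advisory: it records a SHA-256 baseline of each monitored page, re-checks later snapshots against that baseline, and separately scans for the kind of defacement wording quoted in the advisory ("Hacked by Iran Cyber Security Group"). The hostnames and page bodies are constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Wording seen in the defacements described in the advisory; case-insensitive.
DEFACEMENT_PATTERNS = [
    re.compile(r"hacked\s+by", re.I),
    re.compile(r"iran\s+cyber\s+security\s+group", re.I),
]


@dataclass
class CheckResult:
    url: str
    integrity_ok: bool          # snapshot hash matches the recorded baseline
    markers: List[str] = field(default_factory=list)  # defacement patterns that matched


def content_hash(body: bytes) -> str:
    """SHA-256 of the raw page body, used as the integrity baseline."""
    return hashlib.sha256(body).hexdigest()


def build_baseline(pages: Dict[str, bytes]) -> Dict[str, str]:
    """Record a known-good hash per URL (run this while the site is known clean)."""
    return {url: content_hash(body) for url, body in pages.items()}


def check_page(url: str, body: bytes, baseline: Dict[str, str]) -> CheckResult:
    """Compare one snapshot to its baseline and scan it for defacement markers."""
    expected = baseline.get(url)
    integrity_ok = expected is not None and content_hash(body) == expected
    text = body.decode("utf-8", errors="replace")
    markers = [p.pattern for p in DEFACEMENT_PATTERNS if p.search(text)]
    return CheckResult(url, integrity_ok, markers)


def run_checks(pages: Dict[str, bytes], baseline: Dict[str, str]) -> List[CheckResult]:
    return [check_page(url, body, baseline) for url, body in pages.items()]


def alerts(results: List[CheckResult]) -> List[str]:
    """Turn check results into alert lines suitable for a SIEM or ticket queue."""
    out = []
    for r in results:
        if not r.integrity_ok:
            out.append(f"INTEGRITY {r.url}: content differs from baseline")
        if r.markers:
            out.append(f"DEFACEMENT {r.url}: matched {r.markers}")
    return out


# Constructed sample data (hypothetical hosts): the baseline snapshot taken while
# the pages were clean, and a later snapshot in which the lab subdomain was defaced.
BASELINE_PAGES = {
    "https://www.example.edu/": b"<html><body><h1>Example University</h1></body></html>",
    "https://lab.example.edu/": b"<html><body><h1>Example Lab</h1><p>Research</p></body></html>",
}
CURRENT_PAGES = {
    "https://www.example.edu/": b"<html><body><h1>Example University</h1></body></html>",
    "https://lab.example.edu/": b"<html><body><h1>Hacked by Iran Cyber Security Group</h1></body></html>",
}
BASELINE = build_baseline(BASELINE_PAGES)


if __name__ == "__main__":
    for line in alerts(run_checks(CURRENT_PAGES, BASELINE)):
        print(line)
```

In practice the snapshots would be fetched on a schedule from outside the organization's own network, and pages with dynamic content (timestamps, session tokens, rotating banners) need either a normalization step before hashing or a baseline of only the stable region of the page; otherwise the integrity check alerts on every fetch and gets ignored. The marker scan is deliberately kept separate so that a defacement is still flagged even when the baseline is stale.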