*This blog has been updated as of Jan 9, 2020.
Welcome to 2020. Have a good holiday? Back to work already? Good. Let’s get to it.
The world is currently dealing with the fallout from a U.S. drone strike that killed Islamic Revolutionary Guard Corps Major General Qasem Soleimani. The intention of this blog is not to go into any political, moral, or legal arguments. Rather than focus on the potentials of physical conflicts that may result from this, as cybersecurity experts, Digital Shadows will be focusing on the cyber-related fallout from the situation, and ways that they may or may not impact our clients. We will continue to update this blog as related events unfold, so be sure to check back.
ICYMI – CISO Rick Holland also produced a blog on this topic, offering some practical, measured suggestions on how you should respond in both the short term and critically in the long run:
Iran-Soleimani: What happened?
In the early hours of Friday, January 3rd, 2020 (or late hours of Thursday, January 2nd depending on your time zone), the United States conducted a drone strike near Baghdad International Airport in Iraq, killing Iran’s Major General Qasem Soleimani. Soleimani was the commander of the Quds Force, one of the country’s most elite military forces, and a very prominent figure within the Islamic Republic. Since then, regime supporters in Iran have mourned Soleimani’s death, occurring at a time of already heightened tensions between the U.S. and Iran.
The strike was an escalation of activity in the region between the U.S. and Iran, after an American defense contractor was killed on December 27th, 2019, followed by retaliatory strikes by the U.S. against Kata’ib Hezbollah, an Iraqi Shia paramilitary group. These strikes led to large-scale protests outside the U.S. embassy in Baghdad, as protestors attempted to scale the walls of the compound and overrun security forces.
What was Iran’s response to General Soleimani’s killing?
Following the Major General’s death, Iran’s Supreme Leader Ayatollah Ali Khamenei delivered statements via television broadcast and other media sources including social media, vowing revenge for Soleimani’s killing. Within the Ayatollah’s statement about General Soleimani, the supreme leader said there would be “severe revenge” for those responsible.
Heated rhetoric has flowed back and forth between Iran and the United States, posturing on both sides of the world. Protestors have flooded the streets to mourn Soleimani’s death, following the transportation of his body, culminating in his funeral on Tuesday January 6th in Tehran. Tuesday was also the end of the three days or mourning issued by the Ayatollah following Friday’s airstrike.
Update Jan 9: On Wednesday, January 8th, following the mourning period issued by the Ayatollah, Iran launched several surface-to-surface missiles at Iraqi military bases in the Ain al-Asad and Erbil regions, which house U.S. military personnel. Though the strikes resulted in no casualties, Ayatollah Khamenei described the attack as a “slap in the face” to the United States, but appeared to welcome a decrease in the hostilities mounting between the two countries. United States President Donald Trump echoed that sentiment in a statement he made later that day, instead stating the United States would be issuing economic sanctions against Iran.
Have there been Iranian cyberattacks against the United States?
On January 9th, several media outlets began reporting on “DUSTMAN”, a destructive malware variant attributed to Iran, which was determined to be responsible for an attack against the Bahrain Petroleum Company (Bapco). This attack took place on December 29th, eight days before the Soleimani airstrike, and reportedly did not have lasting effects and has no reported links to the ongoing situation in Iran. We chose to highlight this in an update to let readers know that we agree with this assessment, and also to remind watchers of the situation that digital forensics and incident response report take time to accurately investigate and produce, so immediate evidence of Iranian cyber-retaliation may take an extended period of time to be released to the public.
Since Tuesday, January 7th, we’ve observed low-level activity coming from Iranian supporters and hacktivists, including website defacements and Twitter storms.
Twitter activity: #HardRevenge
The HardRevenge hashtag began flooding social media site Twitter following the Ayatollah’s initial statement to the nation. While researchers were attempting to determine the origin of the hashtag to analyze its’ potential use by Iranian-state threat actors to spread propaganda and possibly disinformation, the answer could be found in the Arabic-language account for the Supreme Leader.
The hashtagged phrase included in this tweet translates directly to English as “Cruel Revenge”, or “Severe Revenge” according to Khamenei’s English-language account. And translated across the different languages which are spoken within that region of the world, like Urdu or Farsi, the use of “Hard Revenge” becomes clearer.
Across these various languages, the hashtag has been used at least 42,000 times within the last four days. Hacktivist operations tend to pick up on these types of hashtags, adopting them to rally around and use for coordination efforts. This leads me to…
We’ve detected several instances of website defacements, outside of the Federal Depository Library Program (FDLP), fdlp[.]gov, some of which using various translations of “#HardRevenge.”
Shield Iran is a hacktivism group which has not been active since 2016, according to their Zone-H history. Zone-H is a website where threat actors can log their defacements, keeping track of their attacks over time. I’ve been able to confirm multiple sites defaced with this poster, all using the Persian-translated version of “Hard Revenge”. So far, the following defacements have been confirmed by Digital Shadows:
- Texas Department of Agriculture – texasagriculture.gov
- Texas Department of Agriculture Food and Nutrition – squaremeals.org
- Parikrma Humanity Foundation – parikrmahumanityfoundation.org
- South Alabama Veterans Council – savc.net
- BigWays Properties – bigways.co.uk
- Human Rights site – HRPA.org.in
- ShreeGen Pharmaceuticals – Shreegen.com
- Taiwan Lung Meng Technology – Taiwanlm.com
- Indian Education Institute – Vidhyanchal.com
- Sierra Leone Commercial Bank – slcb.com
- Panache Academy – panacheacademy.com
The threat actor “Mrb3hz4d” has claimed responsibility for hundreds of website defacements over the last couple of days, all of which I won’t list here. The user has apparently been active since 2018, and according to their Zone-H history they’ve been specifically defacing United States-based websites since January 3rd.
What is the United States doing to prevent Iranian cyberattacks?
Though specifics are light at this point, there have been two advisories distributed from the Department of Homeland Security (DHS), as well as the Cybersecurity and Infrastructure Security Agency (CISA).
The DHS Bulletin (as opposed to an “Elevated” or “Imminent Alert”) detailed the state of affairs in the aftermath of the killing of Soleimani, largely focusing on physical safety. However, there were mentions of previous Iranian cyber activity:
“Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”
“Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
I mention the fact that this is a DHS “Bulletin” as opposed to an “Alert” because they have very different meanings. A Bulletin “described current developments or general trends” and an alert “warns of a credible terrorism threat.” As of January 7th, the fact that no alerts had been issued indicated that there likely were not any major threats to cybersecurity infrastructure at this specific point in time.
CISA’s advisory included additional details related to prior Iranian threat activity, stating previous targets of “disruptive and destructive cyber operations” have included companies within the finance, energy, and telecommunications sectors, with specific focuses on industrial control systems and operational technology. Additionally, CISA warned of the potential for Intellectual property theft as well as disinformation campaigns promoting pro-Iranian sentiments.
How to Protect Your Organization
As both the U.S. and Iranian governments have seemingly decreased the heated rhetoric toward each other, ongoing kinetic or physical attacks are likely to subside in the immediate term. However, a decrease in physical attacks could signal an increase in cyber-related incidents. This may be further spurred by the economic sanctions that U.S. President Donald Trump has issued against Iran. We’ve expanded our recommended prevention and mitigation measures based on the US-CERT notice issued on Monday.
To combat the threat of website defacement, we recommend securing your Content Management System (CMS) platform first. The CMS used to configure your website, whether that’s WordPress, Joomla, Drupal, etc.,should be secured with non-default credentials and two-factor authentication if possible.
Notice how I haven’t mentioned any nation-state associated activity? As of now, there has yet to be any publicly reported. That’s not to say that plans aren’t being formulated, infrastructure isn’t being set up, and implants developed; we just haven’t seen anything yet in the public domain.
That being said, there are a few things that can help companies defend against the tactics, techniques, and procedures that have been used previously by Iranian nation-state groups.
- Disable Windows scripting systems where appropriate to help defend against malicious spear phishing that might find its way into your network
- Disable unnecessary ports and protocols and review control logs for those services which are intended to be available
- Enhance monitoring of network and email traffic
- Patch internet-facing infrastructure which is vulnerable to publicly available exploits, raising the bar of entry for attackers
- Limit admin credentials to only specific users to reduce the effectiveness of Mimikatz within a network
- Ensure system and network configuration backups are up-to-date and ready to be deployed in case of emergency
For more info, Rick Holland and I sat down to discuss on our latest episode of ShadowTalk. Catch the latest on your favorite podcast player or below:
For a full rundown and mapping of past Iranian nation-state activity to the Australian Signals Directorate Essential 8 framework, check out Richard Gold’s blog, Tradecraft styles of Iranian APT groups: using Mitre ATT&CK™ and the ASD Essential 8.