27 June 2019

DHS: Conflict With Iran Could Spur 'Wiper' Attacks

Iran is increasing its malicious cyber activity against the U.S., which could manifest in "wiper" attacks that render computers unusable, a top U.S. cybersecurity official said on Sunday.

As a result, U.S. institutions should shore up their basic cybersecurity defenses, including using multifactor authentication, said Christopher C. Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Agency.

"Iranian regime actors and proxies are increasingly using destructive 'wiper' attacks, looking to do much more than just steal data and money," Krebs said. "These efforts are often enabled through common tactics like spear phishing, password spraying and credential stuffing. What might start as an account compromise where you think you might just lose data can quickly become a situation where you've lost your whole network."
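The escalation Krebs describes, a spray of failed logins across many accounts followed by one success, leaves a recognisable trace in authentication logs. The detector below is an added example, not code from the article or from DHS; the log format and all addresses and usernames are constructed for illustration, and the thresholds are assumptions to tune per environment.

```python
"""Flag password-spraying sources in auth logs and any account they then opened.

Constructed log format (not a real product's): "<ISO time> <source ip> <user> <FAIL|OK>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 tries one password against many accounts and
# gets into "frank"; 198.51.100.2 is a legitimate user mistyping twice.
SAMPLE_LOG = """\
2019-06-24T09:00:01Z 203.0.113.7 alice FAIL
2019-06-24T09:00:03Z 203.0.113.7 bob FAIL
2019-06-24T09:00:05Z 203.0.113.7 carol FAIL
2019-06-24T09:00:07Z 203.0.113.7 dave FAIL
2019-06-24T09:00:09Z 203.0.113.7 erin FAIL
2019-06-24T09:00:11Z 203.0.113.7 frank OK
2019-06-24T09:01:00Z 198.51.100.2 alice FAIL
2019-06-24T09:01:02Z 198.51.100.2 alice FAIL
2019-06-24T09:01:10Z 198.51.100.2 alice OK
"""

def parse(log_text):
    """Turn log lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events

def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {ip: {"users": [...], "compromised": [...]}} for sources whose failures
    hit many distinct accounts with only a few tries each (spray signature, as
    opposed to brute-forcing one account), plus accounts that then succeeded."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for i, (start, _, _, _) in enumerate(evs):   # sliding window per source
            fails, successes = defaultdict(int), set()
            for t, _, user, result in evs[i:]:
                if t - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)
            sprayed = [u for u, n in fails.items() if n <= max_per_user]
            if len(sprayed) >= min_users:
                findings[ip] = {"users": sorted(sprayed), "compromised": sorted(successes)}
                break
    return findings
```

Any account in `compromised` is the point where, in Krebs' words, a lost password becomes a foothold in the network, so it is the one to reset and investigate first.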

One of the most devastating wiper attacks occurred against the oil giant Saudi Aramco in 2012. The malware, called Shamoon, disabled tens of thousands of workstations. U.S. officials blamed Iran for the attack.


Krebs' warning comes as tension between the U.S. and Iran has risen, both in the cyber and physical realms. Last year, President Donald Trump nixed an Obama-era agreement with Iran intended to curb its development of nuclear weapons. He also reinstated sanctions.

Earlier this month, the U.S. accused Iran of planting magnetic mines that damaged commercial Japanese and Norwegian shipping vessels sailing in the Persian Gulf. Then on Thursday, Iran fired a surface-to-air missile that destroyed an unmanned U.S. Global Hawk surveillance drone flying near the Strait of Hormuz.

Iran claims the drone was in its territory, although the U.S. says it flew over international waters. Iran says it held off firing on a U.S. P-8 surveillance plane, which it claimed also entered its airspace.

The White House says it prepared a kinetic response to Iran's downing of the drone. But President Donald Trump reportedly called off the strike after learning it could kill up to 150 people. Trump said the response wouldn't be proportionate.

Report: US Digital Strike

But on Saturday, Yahoo News reported that the U.S. Cyber Command launched a retaliatory digital strike on an Iranian spy group that aided with the mine attacks.

The Washington Post subsequently reported that the attacks disabled the command-and-control systems Iran uses to control rocket and missile launches. The strike was aimed at the Islamic Revolutionary Guard Corps, which is part of Iran's military and which the U.S. designates as being a foreign terrorist organization.

N1: it is likely that any U.S. cyber ops story sourced from officials in DC isn’t really about the good stuff—especially absent noticeable effects, and/or when okayed in one way or the other by officials, especially intelligence officials. Publicity burns capabilities.

N2: big ships are hackable swimming networks—many connected devices, very bored users, little open pen-testing, likely change-averse admins, likely bad patching, likely bad air-gapping on the water, even navigation and other control systems likely hooked up to legacy boxes.

Yahoo News reports that Iran is also capable of interfering with GPS navigation systems in drones and possibly ships. In 2011, Iran said it captured an RQ-170 Sentinel drone, which looks like a giant flying wing, after a cyber operation.

Thomas Rid, a professor of strategic studies at Johns Hopkins University, writes on Twitter that there could be more to the Yahoo News story related to potential U.S. ship hacking.

"Big ships are hackable swimming networks - many connected devices, very bored users, little open pen-testing, likely change-averse admins, likely bad patching, likely bad air-gapping on the water, even navigation and other control systems likely hooked up to legacy boxes," he writes.

Formidable Hacking Power

Cybersecurity companies and the U.S. government have warned for years that Iran is a capable offensive operator.

The U.S. National Counterintelligence and Security Center put Iran in a basket of three countries - including China and Russia - that it labels as being "the most capable and active cyber actors tied to economic espionage and the potential theft of U.S. trade secrets and proprietary information."

In February, the Justice Department announced the indictment of four Iranians along with a former U.S. Air Force counterintelligence agent. The former servicewoman, Monica Witt, defected to Iran in 2013 (see: US Air Force Veteran Charged in Iran Hacking Scheme).

Part of the FBI's wanted poster for Monica Witt, a former U.S. Air Force counterintelligence agent who is accused of aiding Iran with hacking

Witt is accused of aiding the Iranians in phishing campaigns by developing target packages, or batches of information that could be useful for social engineering victims. The campaigns sought to compromise the computers of U.S. intelligence agents.

Also on the Iran front, DHS issued an urgent warning in January over attacks that sought to modify domain name system records. Modifying those DNS records can allow for a range of attacks, including collecting account credentials and redirecting email traffic (see: DHS Issues More Urgent Warning on DNS Hijacking).

The computer security company FireEye wrote at the time that whoever was behind the DNS attack appeared to have a "nexus to Iran" based on older attack data. DHS gave government agencies 10 days to ensure their DNS settings were correct and that they'd enabled two-step verification on all accounts used to control DNS settings.
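The "ensure DNS settings are correct" step reduces to comparing the records currently served for your zone against a baseline you control, since hijacking shows up as a re-pointed MX or an added A record. The audit below is an added example, not the article's or DHS's tooling; the zone `example.test`, its records and the "observed" answers are constructed, and the lookup function is injected so the check runs offline here and can be pointed at a live resolver in practice.

```python
"""Compare served DNS records against an expected baseline and report drift."""

# Expected records for the (constructed) zone, as the operator documented them.
BASELINE = {
    ("www.example.test", "A"): {"192.0.2.10"},
    ("example.test", "MX"): {"10 mail.example.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
}

# Constructed "observed" answers: mail has been re-pointed and a second A
# record added, the two changes a DNS-hijacking campaign relies on.
OBSERVED = {
    ("www.example.test", "A"): {"192.0.2.10", "198.51.100.9"},
    ("example.test", "MX"): {"10 mx.unexpected.test."},
    ("example.test", "NS"): {"ns1.example.test.", "ns2.example.test."},
}

def audit_dns(baseline, lookup):
    """For each baseline record set, call lookup(name, rtype) and return a list of
    (name, rtype, unexpected_values, missing_values) for every set that differs."""
    drift = []
    for (name, rtype), expected in baseline.items():
        observed = set(lookup(name, rtype))
        extra, missing = observed - expected, expected - observed
        if extra or missing:
            drift.append((name, rtype, sorted(extra), sorted(missing)))
    return drift

def offline_lookup(name, rtype):
    """Lookup against the constructed OBSERVED table (used for the demo)."""
    return OBSERVED.get((name, rtype), set())

def dnspython_lookup(name, rtype):
    """Live lookup via the dnspython package (pip install dnspython); not run here.
    Point the resolver at your authoritative servers to audit what is actually served."""
    import dns.resolver
    return {r.to_text() for r in dns.resolver.resolve(name, rtype)}

if __name__ == "__main__":
    for name, rtype, extra, missing in audit_dns(BASELINE, offline_lookup):
        print(f"DRIFT {name} {rtype}: unexpected={extra} missing={missing}")
```

Run the audit from a scheduled job and alert on any non-empty result; pairing it with multifactor authentication on the registrar and DNS-provider accounts, as DHS required, covers both the change and the account that makes it.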
