Security Experts:

Iran May Respond With Cyberattacks to Killing of Qassem Soleimani

Iran May Respond With Cyberattacks to Killing of Qassem Soleimani

Iran’s response to the recent U.S. airstrike that killed Qassem Soleimani, a senior Iranian military commander, could include cyberattacks, and organizations should be prepared to prevent and respond to attacks, cybersecurity professionals have warned.

General Qassem Soleimani led the Quds Force, an elite unit of the Iranian Revolutionary Guards. He has been described as one of Iran's most skilled battlefield commanders, a heroic national figure, and one of the country’s most powerful men.

Soleimani was killed on Friday in Iraq, at the Baghdad International Airport, in an airstrike ordered by U.S. President Donald Trump. Washington said Soleimani had been planning an imminent attack on U.S. interests in the Middle East.

Tensions between the United States and Iran escalated following Soleimani’s death and Iran has vowed revenge. Experts say Iran’s response could include a military strike, disrupting oil supplies from the Middle East, attacks through allied rebel and militia groups, and even cyberattacks.

Cybersecurity companies that have monitored the activities of Iran-linked threat actors have often made public the indicators of compromise (IoC) associated with attacks launched by these groups, and they can be highly useful for detecting and mitigating threats.

Industry reactions to Iran's response to killing of Qassem Soleimani

Several industry professionals have also shared thoughts and insights with SecurityWeek on the actions Iran may take in cyberspace, and they have provided recommendations on how organizations can protect their systems.

Priscilla Moriuchi, Director of Strategic Threat Development, Recorded Future:

“We assess that the deaths of Suleimani and al Muhandis are likely to materialize in multiple scenarios; these could potentially include a pattern of retaliatory asymmetric measures executed by Iranian military assets and their allied militias against US and partner government and business interests regionally, in the Middle East.


Retaliatory measures could include the possible use of short-range ballistic missiles, cyber operations, bombings, and targeted assassinations. Although Iran possesses highly capable cyber operational forces, we believe the most likely targets of cyber attacks remain US and partner interests regionally.


The recent documented instances of Russian state-sponsored groups hijacking and utilizing Iranian infrastructure for cyber operations will also likely cause increased uncertainty and possibly confusion for victims. It is less clear today that operations utilizing known and tracked Iranian cyber infrastructure are actually being run and directed by the Iranian government.”

John Hultquist, Director of Intelligence Analysis, FireEye:

“Given the gravity of the operation last evening we are anticipating an elevated threat from Iranian cyberthreat actors. FireEye has launched a Community Protection Event to streamline coordination on this specific threat.


We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere. Prior to JCPOA, Iran carried out such attacks against the US financial sector as well as other businesses and probed other critical infrastructure. Since the agreement and despite the erosion of relations between Iran and the US, Iran has restrained similar activity to the Middle East. In light of these developments resolve to target the US private sector could supplant previous restraint.


Iran has leveraged wiper malware in destructive attacks on several occasions in recent years. Though, for the most part, these incidents did not affect the most sensitive industrial control systems, they did result in serious disruptions to operations. We are concerned that attempts by Iranian actors to gain access to industrial control system software providers could be leveraged to gain widespread access to critical infrastructure simultaneously. In the past, subverting the supply chain has been the means to prolific deployment of destructive malware by Russian and North Korean actors.”

Lee Foster, Senior Manager, Information Operations Analysis, FireEye Intelligence:

“Iran has readily embraced the use of online information operations to support its geopolitical objectives over the past few years, and has refined a vast array of tactics and sophisticated methods that it continues to hone and leverage today.


These tactics have included the creation of large networks of inauthentic “news” sites designed to amplify pro-Iran propaganda globally and discredit rivals, including the U.S.; the impersonation of influential individuals on social media including political candidates running for office in the U.S.; the creation of fabricated journalist personas designed to solicit interviews with political experts espousing views advantageous to Iranian interests; and the creation of networks of inauthentic social media accounts masquerading as real, politically-inclined individuals, including those based in the U.S., designed to propagate commentary critical of Iran’s political rivals.


We are already seeing Iranian disinformation efforts by these networks surrounding last night’s strike, and the U.S. should expect that Iranian influence efforts surrounding the U.S. will increase over the coming days or weeks as political developments evolve.


There are many similarities and some differences between Iran’s tactics in this space and those of Russia, which has received the majority of public attention regarding state-directed information operations. Iran’s efforts, in general, have been more geographically widespread than Russia’s, being directed at audiences in most parts of the globe. They have heavily pushed traditional state propaganda and criticized geopolitical rivals, however, it is often overlooked that, in a manner similar to Russia, Iran has also aggressively sought to use these tactics to directly influence the domestic politics of individual countries, including the U.S., and to take advantage of and amplify existing divisions between communities for its own ends.”

Chris Morales, head of security analytics, Vectra:

“Iran has identified cyber capabilities as part of their attack strategy a decade ago and have slowly been building up capabilities since they were hit with Stuxnet.


The longer answer is that we have been engaged in an ongoing cyber conflict with Iran for decades, as has many of our allies in the Middle East. In particular, Israel and Saudi Arabia. Cyber offensive actions have been ongoing and instigated by both sides through that time period.


Iran is not as sophisticated in its cyber capabilities as it primarily leverages black market malware as opposed to the customer built malware used by US and Israel cyber command. I do think Iran would prompt a cyber strike, but they also would measure that response with the threat they know they face from a US ongoing offensive.


The US is well aware of Iran’s cyber capabilities and I believe (hope) a cyber strike would have been taken in consideration with the latest attack.”

Roberto Sanchez, Director of Threat & Sharing Analysis, Anomali:

“It is reasonable to presume that threat actors which are tied to or aligned with Iran and anti-US Iraqi-based forces will engage in retaliatory cyber activities within the near future.


Private enterprises have added incentive to take preventative actions. Any that do business directly with the US Government, and especially with defense agencies, could be subjected to targeting by Iranian state-sponsored forces looking for gateways into the US’ military environment or to disrupt vital supply chains and transactions.


Another possible scenario involves cybercrime groups seizing on the opportunity to get victims to click on malicious links by disguising them with headlines that use key words and phrases like ‘Soleimani’ and ‘Iran launches cyberattack.’


Public and private industry should be taking steps to ensure that they can defend against such malicious phishing emails and gain access to threat intelligence that proactively detects and blocks suspected malicious activity.”

Hank Thomas, CEO, Strategic Cyber Ventures:

“There is no doubt Iran will retaliate. However, they will be looking for a way to appear both powerful and credible militarily at this pivotal point, without appearing to be a regional bully that traditionally relies on two-bit terrorist actions because they lack a robust advanced military response capability that could challenge the U.S. head on.


Showing off their offensive cyber capabilities, and the reach it provides them beyond the region, could very well be a part of their most likely course of action. A most dangerous course of action includes a combination of cyber and kinetic strikes both inside the region and beyond.


This does not mean Iran will end the use of proxies, both in cyberspace and on the ground. Nevertheless, they will be looking to leave their calling card with the main thrust of this initial response to our military action yesterday.”

Jamil Jaffer, Vice President for Strategy & Partnerships, IronNet Cybersecurity:

“The US strike that killed Qassem Sulemani is likely to generate some significant response from the Iranians and that response could very well come in the form of a major cyber attack.


In this heightened threat environment, companies in key critical infrastructure industries should be working together to identify potential threats and defend one another by sharing critical cyber threat information at scale and speed, to create a collective defense capability.”

Rick Holland, CISO, Vice President of Strategy, Digital Shadows:

“Iran's offensive cyber capabilities have grown significantly since the 2012 days of banking sector denial of service attacks and Saudi Aramco/Shamoon destructive malware. In 2019, both the US and UK governments released multiple public alerts regarding Iranian cybersecurity threats.

The cyberspace proxy war between the US and Iran isn't new and will escalate as a result of Soleimani's death. Iranian actors are known to use account take over techniques, spear phishing, and destructive wiper malware (e.g.: Shamoon). The good news for defenders is security controls like multi-factor authentication can mitigate against account takeover attempts. Email security controls like "defanging" email attachments by creating PDFs of them can mitigate malicious attachments in spear phishing emails. Up to date anti-malware protection can help reduce the risks of wiper malware. The benefit of these controls is that they protect against a multitude of threats, not just Iranian attackers.

Now would be a great time to validate your business continuity and disaster recovery plans as well. Can you restore your systems and data if needed? Wiper tabletop exercises help with extortion and ransomware planning as well. For most organizations, these controls should be sufficient. For companies with Iranian threat actors in their threat model, like Industrial Control System operators, heightened security monitoring is essential.”

Richard Henderson, Head of Global Threat Intelligence, Lastline:

“It is almost a foregone conclusion that we will now see retaliatory cyber attacks on US assets by Iran. The very nature of asymmetric warfare means that Iran has very little to lose by doing so: cyber warfare is now being treated as a force multiplier by smaller nations against much more powerful nations like the United States. The US will have to decide is additional escalation is justified if and when Iran decides to attack back in the fifth domain.


Iran has shown a demonstrated ability and propensity to go after heavy industry. Any organization with substantial ICS (industrial control systems) infrastructure should be on high alert now for potential attacks. Heavy industry, oil and gas, electrical generation and the attached grid infrastructure, as well as other critical infrastructure are all caught in the crosshairs as of this moment. At the same time, Iran may not target the ICS and SCADA systems directly: they may go after the more traditional IT infrastructure being used by these companies. In that case, it would behoove organizations to send out immediate alerts to all employees to be extra vigilant in the coming weeks and months.

[...]

On the defensive side, some organizations and government bodies are far more prepared than others to deal with the potential of a retaliatory cyber strike... but many are not. Iran has some very skilled and talented hackers, and they've made it clear many times in the past that they are not afraid to flex those muscles.”

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.