Leaked Files From Offensive Cyber Unit Show Iran's Interest in Targeting ICS

Classified files leaked from Iranian offensive cyber unit

Classified files apparently leaked from a cyber unit of the Iranian government show that Iran is looking to improve its offensive cyber capabilities, including for targeting industrial control systems (ICS).

British news outlet Sky News managed to obtain five internal reports — all marked “very confidential” — that seem to originate from the Islamic Revolutionary Guard Corps' (IRGC) Shahid Kaveh, a secret offensive cyber unit. Specifically, they are said to come from a sub-unit of Shahid Kaveh called Intelligence Team 13.

According to Sky News, the documents total nearly 60 pages and they appear to represent intelligence collection efforts for potential cyberattack targets.

One file, dated November 2020, focuses on building management systems and mentions Schneider Electric, Honeywell, Siemens and KMC Controls as companies that provide such solutions.

These types of products have been known to be affected by many vulnerabilities that could allow hackers to take complete control of a system. Attackers could trigger alarms, lock or unlock doors and gates, intercept video surveillance streams, control elevator access, manipulate lights and HVAC systems, and disrupt operations.

In response to Sky News’ reporting, industrial cybersecurity firm Radiflow noted that building management systems are easy targets because they are often exposed to the internet and, in many cases, not properly secured.

“Many of these second-tier targets seem irrelevant at first,” said Ilan Barda, founder and CEO of Radiflow. “What makes them so valuable is their potential to be used as a gateway to building systems. Once inside, a hacker can manipulate air circulation units, elevators, and any other critical infrastructure to carry out physical attacks.”

Another leaked report obtained by Sky News, dated April 2020, mentions programmable logic controllers (PLCs) made by Germany-based WAGO. While these types of WAGO devices have been known to contain critical vulnerabilities, the authors of the report had apparently not found a way to exploit them.

The other reports, which are not dated, focus on maritime communications, fuel pumps and cargo ships. While the documents describe potentially devastating attacks against these systems — such as sinking a ship or blowing up a fuel pump at a gas station — the authors relied mainly on open-source information and did not appear to possess any advanced knowledge or capabilities.

Iran has been known to target industrial organizations. Its hackers are believed to be behind the destructive Shamoon attacks in the Middle East, and some threat groups are known to focus on ICS-related organizations.

Iranian hackers were blamed for several attacks launched on water facilities in Israel last year, and while authorities claimed that the incidents did not result in any damage, in at least one case the attackers seemed to know how to target industrial systems.

In late 2020, an Iranian group posted a video showing that they had managed to access an industrial system at a water facility in Israel, specifically a human-machine interface (HMI). However, these hackers did not appear to possess advanced capabilities or knowledge for targeting industrial systems.

In early 2020, after a U.S. airstrike had killed a senior Iranian military commander, organizations in the United States were warned that Iran could respond in cyberspace. However, many of the cybersecurity experts who spoke to SecurityWeek at the time said they did not believe Iran had the capability to cause significant damage if it were to target critical infrastructure or ICS. On the other hand, experts warn that the potential threat should not be ignored.

“Iran is looking to expand the outreach and objects of their cyber-attacks,” said Michael Langer, cyberwarfare expert and CPO of Radiflow. “Their history of disruptive cyber offensives on Saudi Arabian oil refineries and Israeli water management facilities is to be taken seriously. The Iranians’ mapping of BMS vulnerabilities may indicate a shift to target more easily exploitable sites. It’s time to think differently.”

Related: U.S. Government Attributes ICS Attacks to Russia, China, Iran

Related: Cyberattacks Possibly Involved in Explosions at Iranian Nuclear, Military Facilities

Related: WAGO Controller Flaws Can Allow Hackers to Disrupt Industrial Processes

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.