Security Experts:

Threat Posed by Iran to Industrial Systems After Killing of Top General

Threat posed by Iran to ICS after US killed Qassem Soleimani

Cybersecurity experts believe Iran will likely also respond with cyberattacks to the recent U.S. airstrike that killed senior Iranian military commander Qassem Soleimani, and while many doubt that Iran has the capability to cause significant damage if these attacks are aimed at critical infrastructure or industrial control systems (ICS), organizations have still been advised to prepare for the possibility of being targeted.

General Qassem Soleimani led the Quds Force, an elite unit of the Iranian Revolutionary Guards, and he was considered one of Iran’s most powerful men. He was killed last week in Iraq as a result of an airstrike launched by the United States, which Washington justified by claiming that Soleimani had been planning an imminent attack on U.S. interests in the Middle East.

Iran has responded to Soleimani’s killing by firing ballistic missiles at two Iraqi bases housing U.S. troops, but Tehran could take other actions as well, including in cyberspace.

Some hackers claiming to be from Iran defaced the website of a small U.S. government agency shortly after Soleimani’s death was announced, but the attack was not sophisticated. The bigger concern is that Iran could launch attacks on critical infrastructure and organizations housing ICS, which could result in more significant damage.

IBM recently disclosed the existence of an Iran-linked wiper malware that had been used in highly targeted attacks aimed at energy and industrial organizations in the Middle East.

Cybersecurity professionals have advised organizations in critical infrastructure sectors to take steps to secure their networks, but some experts doubt that Iran has the capability to cause significant or widespread damage.

Sergio Caltagirone, VP of Threat Intelligence, Dragos:

“Dragos has warned industrial asset owners and operators worldwide, particularly in the Middle East and North America, to monitor their environments carefully for threat behaviors and review response plans. Our biggest concern is that this conflict will lead to disruption or destruction of civilian critical infrastructure possibly affecting lives and livelihoods. It is not possible to know if, when, or where Iran, the US, or others may employ cyber effects as part of their operations, but as tensions rise the likelihood of a cyber attack increases.

If an attack were to occur the impacts would likely be limited and local. Industrial infrastructure worldwide is resilient but also underprepared to defend itself. We need to do more, but fear less.

Actions for defenders right now: increase monitoring for malicious behaviors within their environments, review response plans, open lines of communication with their colleagues across their industry to share insights. But, most importantly, recognize the growing threat and risk to industrial environments and make the right investments to better prepare for next time.”

Phil Neray, VP of Industrial Cybersecurity, CyberX:

"We've known for years that ICS/OT networks are soft targets for adversaries, with legacy unpatched systems and Swiss cheese connections to the internet and corporate IT networks. And recently we've seen Iranian threat groups conduct phishing attacks to gain access by compromising trusted suppliers such as ICS vendors. So now it's a question of how much disruption they can cause to gain the desired propaganda advantage, without incurring significant cyber or kinetic retaliation. So we're not talking about taking down the grid for an entire city, as the Russians did in Ukraine. But simply shutting off the power to a small regional or municipal utility for an hour or so -- preventing people from accessing their ATMs -- might be all that they're after."

Robert M. Lee, CEO and Founder, Dragos:

“The Iranian cyber threat is capable but has not shown the capabilities to date to be on the level of US, China, and Russia with certain types of attacks such as infrastructure attacks of the most damaging types; what we do know though is they have consistently been growing their capabilities and are aggressive and willing to be as destructive as they can be (denial of service on banks, gaining access to industrial control systems where they can, and wiping systems at companies they can access). We're unlikely to see widespread issues or scenarios such as disrupting electric power but it's entirely possible we will see opportunistic responses to whatever damage they think they can inflict.”

Suzanne Spaulding, adviser to Nozomi Networks and former DHS Under Secretary:

“Iran has already demonstrated intent and capability to attack inside the US as well as a high tolerance for escalating risk, specifically during the 2011 plot to assassinate the Saudi Ambassador to the US inside the US. Therefore current risk of escalatory action by Iran is particularly high, given that the “red lines” are not clearly defined in cyberspace and the Iranian government will be under intense internal pressure to take strong action.

In 2011-2012, Iran went after banks for implementing sanctions and we should now anticipate actions against the contractors involved in the development and deployment of drones. The US Government needs to lean very far forward in sharing with potential targets any info it has regarding Iranian capabilities, TTPs, and plans in a coordinated effort to minimise this risk and tighten up defences.

In the meantime, critical infrastructure organizations should be particularly vigilant in monitoring their operational systems for unusual activity in their industrial operation systems. At this stage, gaining OT visibility with the ability to detect issues and react quickly is paramount to national security.”

Adam Meyers, VP of Intelligence, CrowdStrike:

“CrowdStrike is closely monitoring the current escalating tensions in the Middle East in response to the killing of General Qassem Soleimani. While CrowdStrike is not reporting on a specific threat emanating from Iranian state-affiliated adversaries at this time, in line with previous assessments, CrowdStrike Intelligence believes that Iranian adversaries are likely to leverage a broad range of means, including cyber operations, against U.S. and allied interests.

Our current assessment is that organizations in the financial, defense, government, and oil and gas sectors are the most likely targets for retaliation activity. We are also monitoring for Distributed Denial of Service (DDoS) activity, as Iran has employed DDoS attacks in the past, as well as other tactics, such as ransomware activity.”

Dave Weinstein, CSO, Claroty:

"Our position is that owners and operators should remain vigilant given the recent events. Heightened threat activity against ICS/OT networks often correlates with geopolitical volatility and it's certainly plausible that Iran would retaliate against critical infrastructure. At the same time, I'd caution against alarmist reports that place high levels of confidence in a retaliatory cyber attack. From a technical perspective, companies should be sure to monitor their ICS connections, particularly as it relates to third-parties and other remote connections based on historical publications of Iranian TTPs."

Tim Mackey, Principal Security Strategist, Synopsys CyRC:

“Operators of critical infrastructure, manufacturing or food service or other industrial operations should always be aware of how shifts in geopolitical tensions might impact their operations. An accurate understanding of what software assets are deployed at the plant level, what external network access might exist, and what physical security surrounds access to any software asset will be key elements in constructing an accurate threat model for the installation. That threat model should then be reassessed as new threats emerge or increases in geopolitical tensions occur.

Unlike corporate offices or datacentres, ICS/OT/IIoT environments often can’t rely on local cybersecurity expertise in the event of a potential attack. As a result, operators should perform a risk assessment of their deployed software assets. This risk assessment would include an understanding of the current state of software development for the asset, whether it contains any latent software vulnerabilities, and how it is configured. Given ICS assets tend to have a long lifespan compared to their commercial cousins, latent risks like vulnerabilities can provide opportunities for attack should the software asset be deployed in an insecure manner – including one allowing for unaudited remote access.”

Richard Henderson, Head of Global Threat Intelligence, Lastline:

“Iran has shown a demonstrated ability and propensity to go after heavy industry. Any organization with substantial ICS (industrial control systems) infrastructure should be on high alert now for potential attacks. Heavy industry, oil and gas, electrical generation and the attached grid infrastructure, as well as other critical infrastructure are all caught in the crosshairs as of this moment. At the same time, Iran may not target the ICS and SCADA systems directly: they may go after the more traditional IT infrastructure being used by these companies.

[...]

Iran has some very skilled and talented hackers, and they've made it clear many times in the past that they are not afraid to flex those muscles.”

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.