The most recent military portion of the United States’ ongoing confrontation with Iran appears to be completed. Chatter detected among Iran’s supporters indicates anger over recent events, but none of it indicates an immediate threat.
However, that does not mean government agencies, companies and others who may find themselves in Iran’s crosshairs should be complacent.
“A country on the other side of the globe could potentially inflict damage on a critical service in the U.S. (i.e. water, power, banking) at a fraction of the cost of a transatlantic ballistic missile. This is why many experts predict that the next major attack on U.S. soil will be cyber in nature,” said Phil Menard, assistant professor at The University of Texas at San Antonio.
That being said, cybersecurity analysts do not believe a direct Iranian cyberattack is imminent, but it is not clear exactly how or when Iranian proxies and closely aligned APT groups will react to the killing of Iranian General Qasem Soleimani last week. A few defacements of government websites have supposedly been conducted in response to the attacks, but Jerome Segura, Malwarebytes’ director of threat intelligence, believes these were the actions of small-time groups.
“So far I think the media has jumped the gun by looking at site defacements and concluding that those are Iran’s response. Those are more likely sympathizers using basic tools not requiring any advanced skills. I would think that in the immediate future, attacks (on both sides) will be in the physical field with actual rockets,” he told SC
Allison Wikoff, senior researcher at the Secureworks Counter Threat Unit, agreed, saying that what has been observed so far on some dark web sites is not coming from the Iranian
“Secureworks has observed emotional responses regarding Soleimani’s killing on some Iranian channels. Cyber activity sourced from these forums is likely to be the work of individual, patriotic hackers versus government-directed operations,” she said.
What the ceasefire on the military front has not stopped are campaigns and efforts previously launched by Iran, said Sherrod DeGrippo, senior director of threat research and detection at Proofpoint. The groups behind these attacks are most likely simply following through on plans made months ago before tensions between the U.S. and Iran
“We are seeing Iranian state-sponsored groups continue campaigns that were started in early December 2019. These attacks use targeted, malicious emails to steal user credentials and establish a foothold within organizations,” DeGrippo said.
None of the researchers queried believed Iran itself would tip off any upcoming cyberattacks on the dark web, and so far there has not been any discussion from bystanders indicating that a cyberattack has been launched by any of the parties involved.
“It is, however, plausible that they are in the preparation phase and will be considering new strategic targets and/or how to use any existing footholds they maintain in networks of interest,” Wikoff said.
DeGrippo noted that the attacks currently underway use methods typical of Iran and Iranian-backed groups, centered on targeted, malicious emails to steal user credentials and establish a foothold within organizations.
Segura believes these same tactics will likely be used down the road when targets are hit with phishing attacks or watering hole attacks.
and its proxy groups have been blamed for numerous attacks even before Soleimani was killed. This means downplaying any potential threat is a mistake, and even organizations that feel well prepared should take extra precautions.
One step is to reduce the attack surface, complete back-to-basics security program updates and make sure employees are trained to identify possible threats. Make sure patches are put in place, as known vulnerabilities are a favorite entry point for an attacking
“Watch what’s coming in and out of the network, and watch what employees are clicking on, opening, and distributing with the company. The smaller the surface, the harder it is for attackers to do anything,” said DeGrippo.