The ceasefire between Iran and Israel may prevent the two countries from firing missiles at each other, but it won’t carry any weight in cyberspace, according to former NATO hacker Candan Bolukbas.
“In the cyber world, there’s no such thing as a ceasefire,” he told The Register.
Bolukbas is chief technology officer and founder of Black Kite, a cyber-risk intelligence firm that assesses businesses’ third-party supplier risks. His company also shares and receives threat intel with and from the US National Security Agency (NSA), as do other private security firms.
Prior to founding Black Kite in 2016, Bolukbas worked for NATO as a part of its counter cyberterrorism task force, helping member and partner countries harden their network defenses by simulating offensive cyber attacks against government agencies.
His final mission with NATO involved red-teaming a critical power grid in Kiev, Ukraine. Most of the facilities’ systems were airgapped, isolated from external networks, which made it more difficult to break into.
“It wasn’t easy to target, so I said, ‘OK, let me find the suppliers for this organization’,” Bolukbas recalled. “I found 20 of them, picked one that would be the easiest to find and target, and used that to access the grid control panel, literally one command away from taking down the grid.”
Shortly after, in 2015, Russia’s Sandworm did shut off part of Ukraine’s electricity grid, resulting in power outages for tens of thousands of Ukraine residents for a number of hours.
Ten years later, Bolukbas says he’s worried about one of Iran’s cyber-arms doing something similar to Israeli or American critical infrastructure in retaliation for the air strikes earlier this month.
“My belief is that they’re going to go after the supply chain, because that’s our weak spot,” Bolukbas said, adding that while it’s really difficult to breach the Pentagon’s networks directly, Iran is “going to go after the supply chains of Israel and US Department of Defense suppliers.”
He pointed to Russia compromising Western logistics firms and tech companies, including email providers, as a means of collecting valuable intel about Ukrainian targets and military strategy in that ongoing conflict. Russian cyberspies also breached internet-connected cameras at Ukrainian border crossings to track aid shipments, and targeted at least one provider of industrial control system (ICS) components for railway management, according to a joint government advisory issued last month.
Similarly, smart TVs and other home IoT devices can be easily compromised and used to build a botnet for distributed denial of service attacks, or a massive network of connected boxes to route traffic and launch cyberattacks against high-value targets.
“It’s very unlikely that they can launch a sophisticated attack against the NSA, Pentagon, or those kinds of bigger organizations,” Bolukbas said. “Those are outside of Iran’s reach unless Russia or China backs them,” which he believes is also highly unlikely.
Giving Iranian cyber operatives access to some critical American network after Russia and China did the dirty work of breaking in, or blowing a zero-day exploit to aid Iran, isn’t in either of these countries’ best interests, Bolukbas explained. It’s more likely that Moscow and Beijing would want to save this stealthy access and/or cyber weapons, and use them at a time that will benefit their geopolitical or military goals.
“Iran is alone in this game, but they can go after the low-hanging fruit,” Bolukbas said.
Remember Stuxnet?
While “we haven’t seen any ceasefire happening” in terms of Iranian cyber campaigns, especially when it comes to phishing for high-value individuals’ credentials and sensitive military info, “we also do this,” Bolukbas said, referring to the United States.
Case in point: Stuxnet, a malware deployed against Iran’s nuclear fuel centrifuges, was a joint American-Israeli op. “And that, of course, was during a ceasefire. We were not in a war with Iran,” Bolukbas said.
“The US has the biggest cyber army, strategic or talent-wise,” he added. “The NSA is known for having the biggest zero-day arsenal on the planet. We have a doctrine on something called defense forward that says if we see something in cyberspace that can disrupt us, we’re going to attack it first, and we have that under US Cyber Command’s mission.”
And while Bolukbas doesn’t expect to see the US unleash any major cyber weapons against Iran at this point in the conflict, he suspects cyber espionage, influence operations, hack-and-leaks, and poking holes in Iran’s military and cyber infrastructure are all regular occurrences.
The US didn’t enter the Iran-Israel war with bombs, he contended. “That was started in cyberspace a long time ago.”
Bolukbas also has advice for network defenders to protect against Iranian cyber threats. “Be careful with phishing attacks,” he said. “That’s very common because Iran doesn’t have a lot of zero days, so they go heavy on social attacks. Be careful what you’re clicking on.”
Second: don’t believe everything you read or see, according to Bolukbas. Iran, along with Russia and China, is getting really good at using generative AI for fake news and social media posts that aim to manipulate public opinion.
“Last but not least: patch your systems, including IoT for end users and residential people,” Bolukbas said. “Patch your external-facing systems quickly, not a week or 10 days or a month later, because time is ticking from the day that the vulnerability is disclosed. Iranian groups are trying to develop an exploit. If they develop the exploit before the patch, they’re not going to hesitate to use that.” ®