Source: go.theregister.com – Author: Jessica Lyons
The US Department of Homeland Security has warned American businesses to guard their networks against Iranian government-sponsored cyberattacks along with “low-level” digital intrusions by pro-Iran hacktivists.
In a Sunday terrorism advisory, the department warned of a “heightened threat environment in the United States” following the American airstrikes against Iranian nuclear facilities over the weekend. These threats include both physical and cyber attacks from Iran and “violent extremists in the Homeland,” according to DHS.
The latter would likely increase “if Iranian leadership issued a religious ruling calling for retaliatory violence” against American targets, the security alert said.
“Both hacktivists and Iranian government-affiliated actors routinely target poorly secured US networks and Internet-connected devices for disruptive cyber attacks,” it noted.
While Tehran has the capacity to carry out destructive cyberattacks, its success and technical sophistication have thus far proven to be limited.
In 2023, Iran’s CyberAv3ngers, which the feds have linked to the Islamic Revolutionary Guard Corps, broke into multiple US water systems using default passwords for internet-accessible programmable logic controllers. Later that year, in another round of attacks, the group used custom malware to remotely control US and Israel-based water and fuel management systems.
But despite gaining access to these critical systems, the crew did little beyond posting bragging videos on its Telegram channels.
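The intrusions described above worked because the PLCs were reachable from the Internet and still carried default credentials. A cheap check an asset owner can run today is to sweep allowed-connection firewall logs for inbound sessions from non-internal addresses to industrial protocol ports. The script below is an added example, not code from the article, DHS or any vendor; the key=value log format, the port list and the sample log lines are all constructed for illustration, and the TEST-NET addresses stand in for public sources.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed TCP ports for common industrial protocols / PLC management
# (Modbus/TCP, Siemens S7, EtherNet/IP, a vendor PCOM port). Tune to your fleet.
OT_PORTS = {502: "modbus", 102: "s7comm", 44818: "enip", 20256: "pcom"}

# Address ranges treated as internal. RFC 5737 documentation ranges are
# deliberately NOT listed so they can play the role of public sources below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample firewall log lines (not real traffic).
SAMPLE_LOG = """\
2025-06-22T01:02:03Z action=allow src=203.0.113.7 dst=10.20.30.5 dport=20256 proto=tcp
2025-06-22T01:02:05Z action=allow src=10.20.30.9 dst=10.20.30.5 dport=20256 proto=tcp
2025-06-22T01:02:09Z action=allow src=198.51.100.22 dst=10.20.30.6 dport=502 proto=tcp
2025-06-22T01:02:11Z action=deny src=198.51.100.22 dst=10.20.30.6 dport=102 proto=tcp
2025-06-22T01:02:15Z action=allow src=192.0.2.44 dst=10.20.30.7 dport=443 proto=tcp
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def is_external(ip: str) -> bool:
    """True when the address is outside every INTERNAL_NETS range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def find_exposed_plcs(log_text: str) -> dict:
    """Map each internal destination to the (src, port, protocol) tuples of
    allowed sessions that reached an OT port from an external address.
    Denied sessions and non-OT ports are ignored; an empty dict means no exposure seen."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "allow":
            continue
        port = int(m["dport"])
        if port not in OT_PORTS or not is_external(m["src"]):
            continue
        hits[m["dst"]].append((m["src"], port, OT_PORTS[port]))
    return dict(hits)


if __name__ == "__main__":
    for dst, sessions in find_exposed_plcs(SAMPLE_LOG).items():
        for src, port, proto in sessions:
            print(f"EXPOSED {dst}:{port} ({proto}) reached from {src}")
```

Any hit is a device that should be moved behind a VPN or jump host and have its default password changed; a denied session from the same source is still worth a look, since it shows someone probing.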
“Iran has had mixed results with disruptive cyberattacks and they frequently fabricate and exaggerate their effects in an effort to boost their psychological impact,” John Hultquist, chief analyst at Google Threat Intelligence Group, said in an email to The Register.
“We should be careful not to overestimate these incidents and inadvertently assist the actors,” he added. “The impacts may still be very serious for individual enterprises, which can prepare by taking many of the same steps they would to prevent ransomware.”
In fact, Iran’s government-backed crews have dabbled in ransomware in recent years, too.
“From a strictly cyber point of view, I expect the Iranian retaliation to come in the form of Iran launching destructive wiper and malware cyberattacks against US government websites, the financial services sector, and critical infrastructure entities, such as power and water treatment facilities,” James Turgal, a 22-year FBI veteran and VP of global cyber risk at Optiv, told The Register.
“Another type of attack which has already been reported is DDoS [distributed denial of service] campaigns,” Turgal added. “The Iran-aligned hacking group 313 Team took credit for a DDoS attack on Truth Social within hours of US strikes on the three Iranian nuclear facilities.”
Turgal also anticipates disinformation and media attacks, including website defacement and deepfake propaganda videos along the lines of what we saw from Russian cyber operatives early on during that country’s Ukraine invasion.
There are indications that these types of incidents are already underway, as national security think tank Foundation for Defense of Democracies on Friday said it uncovered Iranian accounts posing as Israelis on Telegram and X, and posting demoralizing messages in Hebrew. While this particular campaign targets the Israeli public, Turgal said Americans could be susceptible to similar psychological operations.
“Since a large number of Americans, approximately 62 percent, claim they get their news from social media platforms, such platforms will be bombarded with counter-narrative campaigns, misinformation and disinformation about the extent of the damage caused by the US strikes and other anti-American sentiment,” Turgal said.
Meanwhile, the IRGC’s cyber groups have for years exploited network vulnerabilities and built fake social media personas to spy on targets and steal credentials and sensitive information.
“Iran already targets the US with cyberespionage which they use to directly and indirectly gather geopolitical insight and surveil persons of interest,” Hultquist said.
“Persons and individuals associated with Iran policy are frequently targeted through organizational and personal accounts and should be on the lookout for social engineering schemes,” he continued. “Individuals are also targeted indirectly by Iranian cyberespionage against telecoms, airlines, hospitality, and other organizations who have data that can be used to identify and track persons.”
While the IRGC’s cyberspy arm is adept at spear phishing its way into US companies and federal government departments for espionage purposes, this Iranian military branch has previously conducted assassination attempts against Americans, including former National Security Advisor John Bolton. As such, physical violence against citizens also remains a risk.
“US law enforcement has disrupted multiple potentially lethal Iranian-backed plots in the United States since 2020,” according to DHS. “During this timeframe, the Iranian government has also unsuccessfully targeted critics of its regime who are based in the Homeland for lethal attack.” ®
Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/06/23/iran_cyberattacks_against_us/