
Cybersecurity Threat Advisory 003-20: Rise in Malicious Cyber Activity by Iranian Regime Actors and Proxies

Advisory Overview

There has been a rise in recent malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies, according to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs. Companies based in the U.S. and doing business in the U.S. should shore up their basic cyber defenses and act quickly if they suspect an incident has occurred.

Technical detail and additional information

What is the threat?

On January 2nd, 2020 the United States conducted an airstrike in Baghdad, Iraq, in which Qassem Soleimani, the head of the Iranian Revolutionary Guard Corps-Quds Force, was killed. The strike has increased the potential threat of Iranian cyber-enabled terrorism, as Iranian leadership has publicly stated that it intends to retaliate. An increase in activity from state-sponsored attackers is expected in the wake of the airstrike and the resulting foreign threat.

On Saturday, the government-run American Federal Depository Library Program (FDLP) website was among dozens of websites defaced by groups claiming to be Iranian hackers. Security experts are warning these attacks may continue and escalate further.

Why is this noteworthy?

Acting Secretary of Homeland Security Chad F. Wolf issued a new National Terrorism Advisory System Bulletin on January 4th, 2020. Wolf stated, “The Department issued this bulletin to inform, share protective measures, and reassure the American public, state and local governments, and private sector partners that the Department of Homeland Security is actively monitoring and preparing for any specific, credible threat, should one arise”. While there is currently no information on any specific threat, US-based companies should prepare for retaliation.

What is the exposure or risk?

Iran has the capability to carry out cyber-enabled attacks that could cause substantial damage without the use of traditional military tactics. Previous statements from the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned of a rise in malicious cyber activity by the Iranian administration. Destructive malware attacks, which can be delivered through a variety of tactics, are executed to delete data from critical systems. Once a system is compromised, it can lead to a serious loss of control over the network if the compromise is not addressed immediately.

What are the recommendations?

Security and awareness training should be established by management to educate employees on the importance of staying vigilant when dealing with cybersecurity and its constant malicious threats.

Network and host-based monitoring. Monitor critical business operations to safeguard system infrastructure.

Extra Vigilance. Remind employees to be extra vigilant for phishing and to be cautious of suspicious emails.

Ensure backups are in place. The United States Computer Emergency Readiness team (US-CERT) recommends organizations employ a 3-2-1 backup strategy to increase the chances of recovering lost or corrupt data.

3 – Keep 3 copies of any important file: 1 primary and 2 backups.

2 – Keep the files on 2 different media types to protect against different types of hazards.

1 – Store 1 copy offsite (e.g., outside your home or business facility).

Further information can be found in the reference link below. Reference: https://www.us-cert.gov/sites/default/files/publications/data_backup_options.pdf
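The three conditions above are easy to state and easy to let slip as backup jobs change. The following is an added example, not code from SKOUT or US-CERT, showing how to check a backup inventory against the 3-2-1 rule and against a recorded content hash so that a stale or corrupt copy does not count as a good one. The inventory layout, the media labels and the sample digests are all constructed for the example.

```python
"""Check a backup inventory against the 3-2-1 rule (added example, not from the advisory)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One stored copy of a protected file (constructed record format)."""
    label: str      # human-readable name of the copy
    media: str      # media type; labels such as "disk"/"tape" are assumed, not a standard
    offsite: bool   # True if stored outside the primary home or business facility
    sha256: str     # content digest recorded when the copy was written


def check_3_2_1(copies):
    """Return a list of rule violations; an empty list means the copy set complies."""
    problems = []
    # 3: at least three copies (primary plus two backups)
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, rule requires 3")
    # 2: copies spread over at least two media types
    media = {c.media for c in copies}
    if len(media) < 2:
        problems.append(f"all copies on one media type ({', '.join(sorted(media)) or 'none'})")
    # 1: at least one copy stored offsite
    if not any(c.offsite for c in copies):
        problems.append("no copy stored offsite")
    # Extra check: every copy must carry the same content hash, otherwise a
    # backup has drifted from the primary and would not restore what is expected.
    if len({c.sha256 for c in copies}) > 1:
        problems.append("copies disagree on content hash; at least one is stale or corrupt")
    return problems


# Constructed inventory that satisfies the rule: disk primary, disk backup, offsite tape.
GOOD = [
    BackupCopy("primary", "disk", False, "a" * 64),       # placeholder digest
    BackupCopy("nas-backup", "disk", False, "a" * 64),
    BackupCopy("tape-vault", "tape", True, "a" * 64),
]

# Constructed inventory that breaks every condition: two copies, one medium,
# none offsite, and the second copy has a different hash from the primary.
BAD = [
    BackupCopy("primary", "disk", False, "a" * 64),
    BackupCopy("same-disk-copy", "disk", False, "b" * 64),
]


if __name__ == "__main__":
    for name, inventory in (("GOOD", GOOD), ("BAD", BAD)):
        issues = check_3_2_1(inventory)
        print(f"{name}: {'compliant' if not issues else '; '.join(issues)}")
```

Running the checker as part of the backup job, rather than once at design time, is what keeps the rule true after a tape rotation or storage migration quietly removes a copy.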

Multi-factor Authentication. Employ multi-factor authentication where relevant.

Geo-blocking. Firewall geo-blocking and email filtering are recommended for any activity from places in which you do not do business.
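Geo-blocking is only as good as the review that confirms it is being applied, so the monitoring recommendation above and this one go together. The following is an added example, not code from SKOUT, that maps source addresses of accepted connections in a firewall log to a region and flags any that fall outside the regions the organisation does business in. The CIDR-to-region table, the region code "XX", and the log line layout are constructed for the example; a real deployment would load a maintained IP-geolocation feed and enforce the block at the firewall or mail gateway.

```python
"""Flag accepted connections from outside business regions (added example, not from the advisory)."""
import ipaddress
import re

# Constructed lookup table using documentation address ranges; in practice this
# comes from a geolocation database and must be refreshed regularly.
REGION_BLOCKS = {
    "US": [ipaddress.ip_network("203.0.113.0/24")],
    "CA": [ipaddress.ip_network("198.51.100.0/25")],
    "XX": [ipaddress.ip_network("198.51.100.128/25"), ipaddress.ip_network("192.0.2.0/24")],
}

# Regions the (hypothetical) organisation does business in.
BUSINESS_REGIONS = {"US", "CA"}

# Constructed log lines in a simple "timestamp action src dst port" layout.
SAMPLE_LOG = """\
2020-01-06T08:00:01Z ACCEPT 203.0.113.45 10.0.0.5 443
2020-01-06T08:00:07Z ACCEPT 192.0.2.77 10.0.0.5 25
2020-01-06T08:01:13Z ACCEPT 198.51.100.200 10.0.0.9 3389
2020-01-06T08:02:40Z ACCEPT 198.51.100.20 10.0.0.5 443
2020-01-06T08:03:02Z ACCEPT not-an-ip 10.0.0.5 443
"""

LINE_RE = re.compile(r"^(\S+) (ACCEPT|DROP) (\S+) (\S+) (\d+)$")


def region_of(ip_text):
    """Return the region code for an address, or None if it is unparseable or unmapped."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for region, nets in REGION_BLOCKS.items():
        if any(ip in n for n in nets):
            return region
    return None


def flag_out_of_region(log_text, allowed=BUSINESS_REGIONS):
    """Return (src, region, port) for accepted connections that should have been geo-blocked.

    Addresses with no known region are flagged as well: an allowlist of business
    regions fails closed, so "unknown" is treated the same as "not allowed".
    """
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected layout
        _ts, action, src, _dst, port = m.groups()
        if action != "ACCEPT":
            continue  # already blocked; nothing to review
        region = region_of(src)
        if region not in allowed:
            flagged.append((src, region, int(port)))
    return flagged


if __name__ == "__main__":
    for src, region, port in flag_out_of_region(SAMPLE_LOG):
        print(f"review: {src} (region {region or 'unknown'}) reached port {port}")
```

Treating unmapped addresses as out of region is deliberate: a geolocation gap should surface as a review item, not silently pass the filter.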

Anti-Malware Solutions. SKOUT Endpoint Protection is an integrated threat prevention solution that utilizes our own streaming-data analytics platform. The solution combines the power of AI to block malware infections with additional security controls that safeguard against script-based, fileless, memory, and external device-based attacks and is backed by our Security Operations Center.

Reporting. If it appears that suspicious activity is in the works, use appropriate protocol to report and respond in a timely manner.

References:

For more in-depth information about the recommendations, please visit the following links:


If you have any questions, please contact our Security Operations Center.