The United States Cybersecurity and Infrastructure Security Agency (CISA) has reiterated and extended previous warnings over the activities of Iranian threat actors targeting Western interests, following attacks on the Middle Eastern state’s alleged nuclear weapons programme conducted by Israel and the US.
The US strikes on 22 June prompted a swift alert from the Department of Homeland Security’s (DHS’) National Terrorism Advisory System (NTAS) warning of an uptick in “low-level” attacks from hacktivists and more damaging intrusions from threat actors backed by Tehran.
In a new update, CISA said that defence industrial base companies – especially those possessing holdings or relationships with counterparts in Israel – were at especially increased risk.
“At this time, we have not seen indications of a coordinated campaign of malicious cyber activity in the US that can be attributed to Iran,” the agency said in a statement.
“However, CISA urges owners and operators of critical infrastructure organisations and other potentially targeted entities to review this fact sheet to learn more about the Iranian state-backed cyber threat and actionable mitigations to harden cyber defences.”
In the alert, CISA advised that both Iranian and allied hackers are known to exploit opportunistic targets based on their use of unpatched or outdated software, or failure to change default passwords on internet-connected accounts or devices.
For critical national infrastructure (CNI) operators in particular, these threat actors have been observed using system engineering and diagnostic tools to target operational technology (OT) such as engineering devices, performance and security systems, and maintenance and monitoring systems.
CISA’s fact sheet also includes a number of mitigating steps that CNI operators can take at this time, much of it focused on identifying and disconnecting OT and industrial control system (ICS) assets from the internet, keeping such assets up to date, and maintaining appropriate monitoring and control policies – including enforcing password hygiene, role-based access controls, and phishing-resistant multifactor authentication (MFA).
CISA also said that for several months, Iran-aligned hacktivists have also been conducting website defacements and leaking sensitive information stolen from victims. The agency warned of the likelihood of more distributed-denial-of-service (DDoS) attacks, and even ransomware attacks run in collaboration with other groups.
Will Robert ‘hack-and-leak’?
CISA’s warnings came as a hacking operation backed by Iran’s Islamic Revolutionary Guard Corps (IRGC) – known as Robert – threatened to release compromising information on the administration of president Donald Trump in retaliation for the airstrikes.
The group, which previously leaked emails in the run up to last year’s presidential election in the US, claimed to have over 100GB of data to ‘share’. Speaking to the Reuters agency in the past few days, Robert claimed some of these emails were taken from the accounts of Trump advisor Roger Stone, White House chief of staff Susie Wiles, and Stormy Daniels, the adult entertainer at the centre of a hush-money scandal.
Max Lesser, senior analyst on emerging threats at the Foundation for Defense of Democracies’ (FDD’) Center on Cyber and Technology Innovation, said that it was wise to be cautious about the credibility of Robert’s claims.
He explained: “A common technique in state-sponsored data leaks is to sneak lies into troves of largely true information. The authenticity of the majority of the data makes the fabrications appear real. This information, when it comes out, must be verified before [it is] believed.”
Lesser said hack-and-leak ops were a popular tool for such state-linked actors because they enable states that lack a military advantage to be seen to retaliate without crossing a threshold that might lead to a kinetic response from the US.
“Considerable conversation about Iran’s retaliation in cyber space to US military strikes has focused on cyber attacks against companies and critical infrastructure. But cyber-enabled influence operations provide another plausible vector of attack. This was not the first hack-and-leak conducted by Iran against Trump, and likely not the last,” he added.
Lesser also warned that in disabling some of the US government’s capabilities around countering foreign influence operations it had enhanced the ability of groups like Robert to damage national and global security.
“The Trump administration … should consider revitalising counter malign influence efforts while ensuring these efforts safeguard free speech,” he said.
