MSSPs must prepare U.S. clients for a new onslaught of attacks from Iran.

Pam Baker

January 10, 2020


The world breathed a collective sigh of relief when the U.S. and Iran stepped back from the brink of war this week. But the threat didn’t subside; it merely changed the focus from expensive war machines to digital mayhem. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) raised the alarm on upcoming cyberthreats from Iran, aimed at wreaking real-world harm in the U.S. Now, American businesses are bracing for impact.

“With the escalation of tensions in the Middle East, many are asking how far-reaching the impacts could be for the U.S. private sector. While the impacts to the petroleum industry, defense contractors and service members supporting U.S. FOBs, and travel providers are very direct, we cannot forget about the real potential for state-sponsored cyberattacks on both international and domestic U.S. interests,” warned Warren Poschman, senior solutions architect at comforte AG.

Iran has a history of targeting non-military U.S. interests. CISA lists the following among previous attacks:

  • DDoS targeting the U.S. financial sector — primarily targeting the public-facing websites of U.S. banks wherein customers were blocked from their accounts and banks paid millions to remediate.

  • Attack on a New York State dam — tapping into the supervisory control and data acquisition (SCADA) systems of the Bowman Dam to access information on the status and operation of the dam.

  • Sands Las Vegas Corp. breach — wherein customer data – including credit card data, Social Security Numbers, and driver’s license numbers – was stolen.

  • Massive cybertheft campaign — comprised of dozens of separate incidents, including “many on behalf of the IRGC.” CISA reported that according to the indictment, the campaign targeted “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private-sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”



“We know APTs 33 and 34 are associated with Iranian state-sponsored hackers. Every company in the SCADA and ICS space should already be proactive in safeguarding against these (and other) APTs; if we’re doing our jobs right, then admins aren’t in a state of emergency right now over the potential of Iranian implants lying dormant on our networks,” said Rosa Smothers, senior VP of cyber operations at KnowBe4 and a highly decorated former CIA Technical Intelligence Officer.

Even with such a diverse history of attacks, it’s relatively clear which organizations are most likely to be targeted amid the current U.S.-Iran tensions.

“Some organizations face a greater threat than others. Financial services, energy, oil and gas, health care, infrastructure, and any business that contracts with the federal government is a more likely target,” said Paul Bischoff, privacy advocate with Comparitech.

Specific types of attacks are expected as well.



“Businesses will have to prepare for several types of threats such as malware, network disruptions (DDoS attacks), data theft and phishing. Because Iran is a nation-state actor, it has a broad range of tactics at its disposal as well as the resources to conduct large-scale cyberattacks,” said Bischoff.

MSSPs should also expect attacks from Iran to continue for the foreseeable future and beyond.

“Given that Iran already has a history of launching cyberattacks, it seems almost inevitable in today’s climate that we’ll see new threats. Cyberattacks are an extremely cost-effective form of asymmetrical warfare, with even small attacks getting lots of publicity and causing general anxiety and fear,” said Ray DeMeo, co-founder and COO at Virsec.

Businesses need to be extra diligent in their security practices to thwart such a continued onslaught of varied attacks. Here are suggestions from experts on what actions MSSPs can take or recommend to their customers:

  • “Be extremely vigilant, upgrade aging security systems, and understand new hacking techniques that target applications during runtime and leave few clues behind,” said DeMeo.

  • “Use a data-centric security approach that ensures data is kept secure and private, especially since traditional security measures such as strong authentication, firewalls and data-at-rest encryption are unlikely to deter access or theft going forward,” advised Poschman.

  • Use defensive tactics which “include keeping software and firmware up to date, using firewalls and antivirus, encrypting data, access control with least privilege, using strong and unique passwords, intrusion detection, and educating all staff on how to detect phishing messages as well as a policy for dealing with them. High-risk organizations might want to hire white-hat hackers to test their systems for security holes and oversights. Businesses should also have a disaster recovery plan for when things go wrong,” said Bischoff.

  • “Keep in mind U.S. CERT’s ongoing bulletins regarding Iranian cybersecurity threats, which consistently warn industry as to their go-to access methods — phishing attacks and password spraying. Critical infrastructure must remain vigilant and utilize security solutions such as air gapping, deploying endpoint protections and training employees to spot and report social engineering and potential insider threats,” advised Smothers.

MSSPs should consider conducting detailed reviews of their clients’ defensive postures given the expected upswing of nation-state attacks. CISA recommends a two-pronged defensive approach: vulnerability mitigation and incident preparation. Specifically, CISA recommends the following mitigations: disable all unnecessary ports and protocols, enhance network and email monitoring, patch externally facing equipment, log and limit PowerShell usage, and ensure backups are up to date.
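One concrete piece of the "enhance monitoring" advice, tied to the password spraying that Smothers names as a go-to Iranian access method, is a detection rule that catches a spray where per-account lockout thresholds do not. The following is an added example written for this rewrite, not code from the article, CISA or any quoted vendor; the log format, the sample lines, the time window and the distinct-user threshold are all constructed assumptions.

```python
# Added example (not from the article or CISA): a simple password-spraying
# detector over constructed authentication log lines. A spray tries one or two
# common passwords against MANY accounts from one source, so each account sees
# only a failure or two and a per-account lockout never trips. This rule instead
# flags a source whose failures hit many distinct usernames in a short window.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (syslog-like, RFC 5737 test addresses, not real data).
SAMPLE_LOG = """\
2020-01-10T08:00:01 auth fail user=alice src=203.0.113.7
2020-01-10T08:00:03 auth fail user=bob src=203.0.113.7
2020-01-10T08:00:05 auth fail user=carol src=203.0.113.7
2020-01-10T08:00:07 auth fail user=dave src=203.0.113.7
2020-01-10T08:00:09 auth fail user=erin src=203.0.113.7
2020-01-10T08:01:00 auth ok   user=alice src=198.51.100.4
2020-01-10T08:02:00 auth fail user=grace src=198.51.100.9
2020-01-10T08:02:10 auth fail user=grace src=198.51.100.9
2020-01-10T08:02:20 auth fail user=grace src=198.51.100.9
2020-01-10T08:02:30 auth fail user=grace src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) auth (fail|ok)\s+user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, src) tuples; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def detect_spray(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {src: sorted usernames} for every source whose failed logins hit
    at least `min_users` distinct accounts inside one sliding `window`.
    A single account hammered repeatedly (classic brute force) is NOT reported."""
    fails = defaultdict(list)          # src -> [(timestamp, user), ...]
    for ts, outcome, user, src in parse(log_text):
        if outcome == "fail":
            fails[src].append((ts, user))
    hits = {}
    for src, events in fails.items():
        events.sort()                  # chronological, so windows start at each failure
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                hits[src] = sorted(users)
                break
    return hits
```

In the sample, 203.0.113.7 is reported (five accounts in eight seconds) while 198.51.100.9, which only hammers `grace`, is left to a normal lockout rule; thresholds should be tuned to the client's own authentication volume.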

But keep in mind that other attackers are lurking in the hopes of exploiting U.S.-Iran tensions.

“We can also expect that non-Iranian attackers will use the emotional tensions around the situation to craft phishing attacks designed to install malware or steal credentials. This is often the case around emotionally charged situations such as this,” said Erich Kron, security awareness advocate at KnowBe4.

About the Author(s)

Pam Baker

A prolific writer and analyst, Pam Baker’s published work appears in many leading print and online publications including Security Boulevard, PCMag, Institutional Investor magazine, CIO, TechTarget, and InformationWeek, as well as many others. Her latest book is “Data Divination: Big Data Strategies.” She’s also a popular speaker at technology conferences as well as specialty conferences such as the Excellence in Journalism events and a medical research and healthcare event at the NY Academy of Sciences.
