Threat Intelligence Assessment Following U.S. Military Actions in Iraq

Threat Intelligence Directorate
January 7, 2020

Potential Iranian Cyber Activity and Retaliation

Iran’s Supreme Leader Ayatollah Ali Khamenei vowed revenge against the United States following U.S. airstrikes on January 3, 2020 that killed Iranian Islamic Revolutionary Guard Corps Quds Force Commander, Qassim Soleimani.

R9B analysts assess that it is highly likely the Iranian response will include attacks aimed at destroying, disrupting, or damaging critical U.S. infrastructure and “soft targets,” including U.S. embassies and agencies.[1]

Potential cyber threats likely include:

  • Strategic targeting of critical infrastructure, including banks and energy sources such as power, water, and oil and gas;
  • Strategic targeting of U.S. and Western government entities abroad including U.S. embassies and U.S. military facilities on foreign soil;
  • Disinformation operations, including fake social media accounts created to promote pro-regime news stories;
  • Website defacement of Western (especially U.S.) government agencies;
  • DDoS attacks against Western infrastructure to interrupt popular websites or services.

Historically, Iranian cyber activity has included espionage efforts focused on collecting information that would benefit advancement of the Iranian regime or its military. Iran has also employed destructive wiper malware designed to erase targeted network information.

Though the tactics, techniques, and procedures (TTPs) differ by campaign, those commonly deployed by Iranian actors include spear phishing links, brute force attempts, use of compromised valid credentials, use of PowerShell, input capture, and data obfuscation.[2][3][4][5]

Other Actors and Support

While Iranian cyber capabilities are traditionally ranked below Russian and Chinese actors in both resources and capability, it is possible that Russia, China, or both could covertly support Iran in its retaliation. This support could include the provision of cyber infrastructure or the sharing of malware.

Opportunistic attackers may also use the widespread anticipation of Iranian cyber activity as cover to launch their own, otherwise unrelated, attacks.

For example, recent exploits utilizing cyber infrastructure attributed by cybersecurity analysts to Iran have subsequently been attributed to Russian actors. While it remains unclear whether this represents explicit cooperation between Iran and Russia, or surreptitious use of Iranian infrastructure by Russian actors, the implications are the same: any perceived increase in cyber threats originating from Iran is likely to carry with it an increased risk of concurrent Russian operations.

Notable Iranian Tactics, Techniques, and Procedures

Use of Commodity Malware

Over the past two years, R9B threat intelligence analysts, as well as others in the cybersecurity community, have tracked Iranian actors’ use of readily available remote administration tools (RATs) marketed on the dark web and surfacing on hacker web forums, rather than building custom exploits and tools. These “commodity” RATs include Remcos, RevengeRAT, and others.

This technique offers several advantages. First, it is low cost compared to the expenses required to resource and develop exploits internally. Second, it complicates the task of attribution, as these commodity variants are widely used by disparate actors and groups.

Antivirus solutions commonly detect these commodity malware families by signature; therefore, it is highly recommended that antivirus software and its signature databases be kept up to date.

While Iranian actors are not widely known for their sophistication, they have demonstrated innovative TTPs. One of the most innovative techniques is their use of highly crafted social media profiles as a means of delivering malicious payloads. This technique relies heavily on social engineering, requires time to develop, and is therefore unlikely to be used in time-sensitive or hastily planned operations. However, the extent to which Iran has already cultivated preexisting accounts on social media remains unknown. Their use of social media platforms as a means of delivering malicious payloads effectively enables them to bypass defenses primarily aimed at preventing traditional phishing via email.[6]

R9B recommends users exercise vigilance and caution when viewing and accepting new messages and connections via social media platforms.

Recommended Actions

The following is a composite of general, actionable technical recommendations from the U.S. DHS/CISA for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather, they focus on the actions that will likely have the highest return on investment. They pertain to two courses of action in the face of potential threats from Iranian actors: vulnerability mitigation and incident preparation.

  1. Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
  2. Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.
  3. Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
  4. Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
  5. Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.[7]
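The following PowerShell script is an added example, not code from R9B or from the CISA alert, showing how recommendations 1 and 4 above can be applied and verified on a single Windows host. It assumes Windows PowerShell 5.1 on Windows 10 or Windows Server run from an elevated session; the transcript directory `C:\PSTranscripts` is a placeholder to be replaced with a protected, centrally collected location. The policy registry keys, the `AllSigned` execution policy, and event IDs 4103/4104 in the `Microsoft-Windows-PowerShell/Operational` log are standard Windows features; the function names are the example's own.

```powershell
# Added example (not from the R9B assessment or the CISA alert).
# Applies recommendation 1 (review listening ports) and recommendation 4
# (limit, sign and log PowerShell) on one host. Run from an elevated
# Windows PowerShell 5.1 session.
#Requires -RunAsAdministrator

$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PSLogging {
    # $TranscriptDir is a placeholder; point it at a protected, collected share.
    param([string]$TranscriptDir = 'C:\PSTranscripts')

    # Script block logging: every executed script block is written as event
    # 4104 to Microsoft-Windows-PowerShell/Operational, including de-obfuscated
    # content, so encoded or concatenated commands are still visible to the SOC.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    New-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -PropertyType DWord -Force | Out-Null

    # Module logging for all modules ('*'): pipeline execution details as event 4103.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    $mlNames = Join-Path $ml 'ModuleNames'
    New-Item -Path $mlNames -Force | Out-Null
    New-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $mlNames -Name '*' -Value '*' -PropertyType String -Force | Out-Null

    # Transcription: a full text record of each session, with an invocation
    # header that timestamps every command.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    New-Item -Path $TranscriptDir -ItemType Directory -Force | Out-Null
    New-ItemProperty -Path $tr -Name 'EnableTranscripting' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr -Name 'EnableInvocationHeader' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $tr -Name 'OutputDirectory' -Value $TranscriptDir -PropertyType String -Force | Out-Null
}

function Set-PSSigningPolicy {
    # AllSigned requires every script, including local ones, to carry a
    # trusted Authenticode signature. This is the "enable code signing" step;
    # it is a guardrail against casual misuse, not a hard security boundary.
    Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
}

function Test-PSLoggingPolicy {
    # Read the three policy values back so the change can be verified or
    # reported by a compliance job.
    [pscustomobject]@{
        ScriptBlockLogging = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ScriptBlockLogging') -ErrorAction SilentlyContinue).EnableScriptBlockLogging
        ModuleLogging      = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'ModuleLogging') -ErrorAction SilentlyContinue).EnableModuleLogging
        Transcription      = (Get-ItemProperty -Path (Join-Path $PolicyRoot 'Transcription') -ErrorAction SilentlyContinue).EnableTranscripting
        ExecutionPolicy    = (Get-ExecutionPolicy -Scope LocalMachine)
    }
}

function Get-RecentScriptBlocks {
    # Pull the last 24 hours of 4104 events for review. Property index 2 of a
    # 4104 event holds the script block text.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Script = $_.Properties[2].Value
            }
        }
}

function Get-ListeningPorts {
    # Recommendation 1: enumerate listening TCP ports with their owning
    # process so unnecessary services can be identified and shut off.
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                ProcessId    = $_.OwningProcess
                ProcessName  = if ($proc) { $proc.ProcessName } else { '<unknown>' }
            }
        }
}

# Usage from an elevated session:
Enable-PSLogging
Set-PSSigningPolicy
Test-PSLoggingPolicy | Format-List
Get-ListeningPorts | Format-Table -AutoSize
Get-RecentScriptBlocks | Select-Object -First 20 | Format-Table -Wrap
```

In an enterprise these policy values are normally delivered by Group Policy rather than per host, and the 4103/4104 events and transcripts should be forwarded to a central log collector, since a local log is the first thing a wiper or an intruder with local administrator rights will clear. Review the listening-port output against an allow-list of expected services before disabling anything, and keep the output as a baseline so later changes stand out.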

[1] https://www.dhs.gov/news/2019/06/22/cisa-statement-iranian-cybersecurity-threats
[2] https://attack.mitre.org/groups/G0064/
[3] https://attack.mitre.org/groups/G0087/
[4] https://attack.mitre.org/groups/G0058/
[5] https://attack.mitre.org/groups/G0069/
[6] https://threatpost.com/iran-apt34-linkedin-malware/146575/
[7] https://www.us-cert.gov/ncas/alerts/aa20-006a