Many people fear that the death of Iranian General Qassim Suleimani could lead to a cyberwar between the U.S. and Iran. To those I say; where have you been for the past two years? In May of 2018, I predicted the beginning of the first world cyberwar which could draw in countries from throughout the region and the world. I made this prediction based on the fact that Iran had upped the ante by launching an attack on Saudi Arabia’s Aramco in 2017. Others may claim that the preliminary battle in this cyberwar began with the U.S.-Israel Stuxnet attack on Iran in 2010. That doesn’t really matter much because there seems no denying that we are now in the midst of a cyberwar.
But hasn’t this all changed after Iran’s fake attack on U.S. bases in Iraq? Haven’t they got the revenge they were looking for? The truth is that this attack only showed that Iran wants nothing to do with a direct confrontation with the U.S. This attack was only undertaken to sate the hunger for revenge that the government had provoked in the Iranian people. That said, Iran will not suddenly halt their decade’s long commitment to terrorism. They will still employ their proxy groups and individuals to do their dirty work. They will still engage in disruptive cyber attacks. They will use the cyber vector because they can hide behind attribution if they want. They may even hope that this recent faux attack will cause targeted organizations in the U.S. to let their guards down, feeling that the worst has passed. In fact, since the missile attack on the bases, the New York Times has reported on an increase in Iran-based cyber attacks. This includes the defacing of the websites for the cities of Minneapolis and Tulsa. But that’s just the beginning.
In other words, the current cyberwar is far from over. The sophisticated 2017 attack which began this war reshaped the cyber landscape in a very special way. It was different in that it targeted industrial control systems (ICS) with so-called Triton malware. The attacker’s plan was to override the Schneider Electric Triconex safety systems at the Petro Rabigh petrochemical plant and refinery and cause destruction.
The goal of the attack was to make these safety switches malfunction. The malware could have allowed machinery to operate at unsafe levels while giving no safety warnings to the operators. Such a manipulation could have caused a series of disastrous explosions with a concomitant loss of life. The other attacker option would be to change the operating parameters on key machinery, making it simply shut down. This could, in effect, shut down the entire facilities, which would have cost Saudi Arabia millions of dollars. In fact, the malware failed to achieve either of these goals as additional safety devices detected a problem and shut down some of the facilities. Thus, by pure accident, the malware actually did do what the attackers wanted, just not in the way they intended. However, this sort of attack, which could have had fatal consequences, was different from the usual Iranian attacks which just looked for information or hoped to cause minor disruptions in operations. This was serious state-of-the-art malware designed to do real harm.
But how did the malware get installed into these safety devices in the first place? That’s not clear. It could have been installed at the manufacturing level or at somewhere along the supply line. It could have been introduced through a flaw in the cyber defense system at the facilities. Whatever the case, it is generally believed that a zero day exploit was used at some point. In addition, and as expected in the cybersecurity world, attribution for this attack is still hazy. It looks like an attack that Iran would make and profit from, but there are also indications that Russia was involved. It is not beyond the realm of possibility for them to have teamed up on this attack.
However, the important point to note here is that this same Triton malware and its variants have already been found fermenting within ICS components in the U.S. infrastructure. According to a recent article in Wired, “they’re targeting the physical control systems used in electric utilities, manufacturing, and oil refineries.” Microsoft has been following these attacks for some time. One of their researchers, Ned Moran, reported that Iran is “going after these producers and manufacturers of control systems, but I don’t think they’re the end targets. They‘re trying to find the downstream customer, to find out how they work and who uses them. They’re looking to inflict some pain on someone’s critical infrastructure that makes use of these control systems.”
Lab52 gives the following graphs of Iranian hacker targets for the last three years. It should be quite clear who is in the crosshairs.
This is how an attack could work. Imagine a scenario in which a small company produces a part for a component manufactured by another company which, in turn, sells that component to a large company. Imagine that the attacker infiltrates the first company in the series and takes over some of its machinery through an ICS attack. It could take one of several actions. It could force the machinery to malfunction, therefore, disrupting the supply chain. It could alter machinery or testing parameters to have the company distribute defective parts which could cause a variety of problems for the larger companies downstream. If defective parts were installed, the end product (an engine, a missile, a weapon, a power station component) could fail to function correctly. Then again, the attackers might simply use the smaller company as a springboard to get access to the networks of the larger companies.
It cannot be emphasized enough that a successful breach of the control systems of the industries mentioned above could have devastating consequences. The problem for those of us in cybersecurity is that most people don’t take these possibilities seriously. The public tends to think of these threats as exaggerations and, sadly, will continue to do so until they are realized.
To highlight the real threat posed by Iran, I will simply quote from a statement released by the Department of Homeland Security.
“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
Once again, securing endpoints during these times should be a priority.
In any event, here are some possible revenge scenarios that Iran could use.
Attacks on Oil Refineries and Petrochemical Facilities
This is the most likely scenario as Iran has experience in this area. They may even attack Saudi Aramco again. If such a cyber attack is coordinated with a physical attack, say on shipping in the Persian Gulf, it could cause a steep rise in oil prices that could disrupt economies around the world. Successfully shutting down a U.S. facility would give Iran credibility and cause a certain amount of panic. As blame is subsequently apportioned, it could further intensify political divisions and lead to social unrest in t.
Attacks on Electric Utilities
This is what the normal citizen worries about but really doesn’t take seriously. Blackouts or cascading blackouts could occur. But it’s more than just being without lights, which is how most people conceive of a blackout. It involves inoperable traffic lights, gas pumps, ATM machines, water pumps, heating systems, and medical devices. And, yes, you won’t be able to use your smartphones or the internet. It wouldn’t even have to be an extensive blackout because a blackout, even in a small area, would be enough. This is because any blackout that is connected to a foreign-based cyber attack would be enough to cause panic.
But is such a reaction justified? A few days ago, Dragos issued a report entitled North American Cyber Electric Threat Potential. They noticed Iranian hacking groups shifting their focus from the oil and gas industry to the electrical sector. They point out that “nearly two-thirds of the groups performing ICS specific targeting and disruption activities are focused on the North American electric sector”. They also report on a trial attack that took place last August that “could have caused much more significant – and dangerous – consequences including equipment destruction, extended outages, and operator injury. Although the protection-focused piece of the attack failed, it could act as a blueprint for future electric-targeting adversaries attempting to disrupt operations and cause the greatest possible damage.”
So, yes, the threat is real.
Attacks on Manufacturing
These are probably the easiest for Iran hackers to perform. Corporate networks with all of their endpoints are the easiest to breach. Machines may suddenly malfunction or their parameters changed to produce defective parts. Factories could shut down. Supply chain disruptions could occur. Military-related companies would be most susceptible but banks and universities have been targeted in the past.
In 2018, Iranian hackers Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri were indicted by the U.S. Department of Justice. They were blamed for the ransomware attacks on the city of Atlanta, Newark, the port of San Diego, the Colorado Department of Transportation, and numerous healthcare facilities. Although ostensibly members of a private hacking team, the Iranian government hasn’t done much to hinder their activities. In fact, this might be a good time for the government to use the methods of this hacking group to bring down American cities and towns. Minneapolis and Tulsa, beware.
The U.S. has not sat idly by while Iran ramped up its cyber attacks. They have recently implemented cyber attacks of their own with mixed success. Iran claims that all of these attacks have been thwarted, and this is partially true. Of course, it’s the attacks you don’t see that will hurt you. Nonetheless, their ability to counter some of these U.S. attacks has emboldened them. They may no longer fear a counter attack on their infrastructure, believing they can defend against it and making them more inclined to attempt a cyber attack of their own.
For me, the most troubling aspect of this entire cyber scenario is Iran’s recent teaming up with Russia. Russia has far more cyber capabilities than Iran and, if they share them with Iran, the world becomes a much darker place, in more ways than one. With Iran by its side, Russia would now be able to freely attack the U.S. and hope that Iran gets blamed. Actually, Iran may welcome being blamed as their goal is to exact revenge from the U.S. and make this revenge known.
Recently, a friend asked me if he should be concerned about an Iranian cyber attack. I will give you the same advice I gave him. It doesn’t hurt to stock up on some extra water, some gas, and a supply of cash. Unlike impending, more or less predictable natural disasters, you won’t see these cyber attacks coming. Sure, the chances of you, personally, being caught up in an Iranian infrastructure attack may be small, but there’s nothing wrong with being prepared.