Mid-sized companies with IT and ICS networks CAN protect themselves from Iranian based hackers.

Iranian hackers have been a threat for the past decade, so should you take the newly released DHS warning seriously? The short answer is a very definitive YES!

Iran has been known to rattle their sabers with the expectation that the U.S. and its allies will reduce sanctions or take other actions to placate their threat, but the attack on the US embassy produced very different results. The U.S. launched a very lethal strike in response, and we have significantly impacted their military command structure through a very specific, targeted response. The Iranian government will respond with their own attacks in the very near future.

Iran has some of the most advanced, persistent, and effective cyber attack capabilities on the planet, and they have now been given full authority to attack U.S. targets.

• Iranian leadership and several affiliated violent extremist organizations publicly stated they intend to retaliate against the United States.
• Previous plots have included scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.
• Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.

So, how does a mid-sized company shore up their defenses quickly to counter the threat? There are two things that you need to do quickly.

First, you need to understand the threat. Why is this important? If you understand what the threat is, you’ll have a much better chance of countering their Tactics, Techniques, and Procedures (TTPs). You can concentrate your efforts with intentional actions focused on mitigating real threats. This will significantly improve your success rate, and also keep you from wasting resources.

Second, you need understand your own vulnerabilities. If you know what the threats are, and you know whether you are susceptible or vulnerable to the types of TTPs that they employ, then you can take decisive action, and show improvement in your security posture. This is quantifiable and can help you paint the appropriate picture for your leadership.

The Threat – APT 33

The Iranian government is notorious for using proxies to conduct military and cyber operations, and this trend is expected to continue. There are several cyber threat groups that operate under the auspices of the Iranian government, and they have been known to enlist the aid of many different groups through social media. It is a shifting target, but there are some consistencies that can help you identify and mitigate the threats.

There are several groups that normally operate under the Iranian government’s umbrella, and we are going to take a much closer look at some of these groups over the next few weeks. One of those groups has been given the designations of APT 33 and/or Elfin.

According to a Symantec report, this group has targeted at least 18 organizations in the U.S. over the past three years. Targets in the U.S. have included organizations in the engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors.

APT 33/Elfin is notorious for using phishing campaigns involving job seekers and exploiting known vulnerabilities. In one particular attack, two users in the targeted organization received a file called “JobDetails.rar”, which attempted to exploit the WinRAR vulnerability. This file was likely delivered via a spear-phishing email. Fortunately, prior to this attempted attack, the organization had employed some proactive protection against any attempt to exploit this vulnerability (Exp.CVE-2018-20250). This protection successfully protected the targeted organization from being compromised.

There are 3 things that you can do right now to significantly improve your overall security.

First, raise your organization’s security awareness level. Use whatever mechanism that you have in place for increasing your security level, and do it now. Everyone in your organization needs to know that there is a credible threat, and everyone needs to be on the lookout for suspicious activity, and anomalies in the normal processes.

Second, patch and update everything that you can. I know that this isn’t always possible, especially on ICS networks, but do what you can with what you have. Do NOT put it off. Updating and patching will take care of many of the easily exploitable vulnerabilities, and this can provide solid, quick results.

Third, get your cyber threat intelligence team, or SOC, or your one lone cyber security person very focused on APT33/Elfin. They need to learn as much as they can about this specific threat group so that they can help you fortify your security against the actual TTPs that could be used against you. I’ll even give you a good starting point. This group has shown an increased preference for njRAT, so your team (or that one poor lone, lonely loner) should find out everything that they can about this specific tool so that you can shore up your defenses.

Red Trident Inc has a full team of IT and ICS cyber security professionals. We have actual military-grade intelligence analysts on our staff. We have SOC services that can help you through the storm. Most importantly, we have all worked in the plants and know what you’re up against. Contact us now to discuss your security, infrastructure, engineering, and networking needs.

References:

MITRE ATT&CK Group (2019, October 15). OilRig.

Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.

Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group.