International events have long been known to drive cyberattacks. Nation-states and smaller hacker groups routinely respond to news stories and current events by launching attacks at governments, organizations, and individuals. Iran, in particular, has a history of using cyberattacks to respond to current events.
In 2014, Sheldon Adelson made comments about dropping nuclear weapons on Iran, paired with public support of Israel. Iran responded by hacking a development web server and wiping data off network devices at Sands Casino, which Adelson owns. In 2012, malware infected 30,000 workstations at Saudi Aramco, in an attack widely attributed to Iran; the attack was reportedly seen as retaliation for cyberattacks against Iran's oil production and nuclear enrichment industries. In 2017, Iranian hackers attacked the email accounts of several members of the British Parliament, in a suspected attempt to undermine the ongoing nuclear negotiations. And in a situation that closely mirrors current events, in 2015, Iran caused power outages in Turkey after Erdogan defended the Saudi bombing campaign in Yemen. There have already been reported instances of Iranian hacks in response to the bombing on January 3. Small-time hacks, like website defacements, don't have a significant impact on their own but may indicate more attacks to come.
Caught in the Crossfire
Many organizations may believe that they won't be a target of retaliation because they aren't government-related. But Iranian attacks could include state-initiated attacks that target not just government but also finance and other critical infrastructure. Lower-level hackers also have a long history of hacking on behalf of the Iranian government. These hackers may have loose or no affiliation with the Iranian government and may look for low-hanging fruit simply to get media attention. Government-initiated attacks may leverage existing network access, meaning that organizations should be extra diligent in looking for suspicious network behavior in the coming weeks. Several lone actors are likely to renew their search for targets as well, meaning that organizations should take care to look for insecure devices that could serve as entry points.
Attackers often use naive keyword searches to identify abandoned assets that can be targeted. Organizations should conduct their own audits, verifying that they’ve locked down all external-facing devices and that their asset inventory is accurate. Assets are routinely lost during normal business operations, so conducting an audit can help find unknown risks such as:
- Rogue devices, especially in cloud environments: Employees can easily spin up development, test, or staging environments in AWS, Azure, or other shared hosting environments without telling their IT team. These devices are often poorly configured to begin with, and are then abandoned. Conduct an audit of cloud assets, and look for unapproved assets that may not be patched or managed.
- Insecure equipment used by employees working from home: Employees often cut corners to get their work done. Many organizations allow employees to expose their laptops on risky ports to the public Internet, like RDP. These devices can be difficult to detect because they sit outside of your organization's IP space and instead show up in local ISP blocks.
- Exposed network infrastructure on core ranges: Almost every organization scans its known perimeter daily for exposures, but with the flood of patch issues that come back, it can be difficult to sift through the noise to identify the devices that really matter. Organizations routinely leave admin ports open on sensitive devices like routers, switches, and even firewall management consoles. Look for these devices and make sure they are taken offline.
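The three audit items above share one triage logic: for each externally reachable service, ask whether the host is in the approved asset inventory at all, and whether the open port is a remote-management service that should never face the Internet. The script below is an added example, not code from the original article, that applies both checks to a constructed set of scan findings. The inventory ranges, port list, and scan results are all assumed sample values using documentation address space; an organization would substitute its own inventory export and perimeter-scan output.

```python
import ipaddress

# Remote-management services that should not be reachable from the public Internet.
# Constructed list for this example; extend it with whatever your environment treats as admin access.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 3389: "rdp", 5900: "vnc", 8443: "https-mgmt"}

# Constructed approved inventory: the ranges the organization believes it owns.
# A real audit would load this from the asset-management system.
APPROVED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed perimeter-scan findings: (ip, port, banner). 192.0.2.0/24 stands in for
# a home-ISP block where a work laptop might appear, and for an unapproved cloud host.
SAMPLE_SCAN = [
    ("203.0.113.10", 443, "nginx"),               # known asset, ordinary web service
    ("203.0.113.1", 22, "OpenSSH"),               # known router, SSH exposed
    ("203.0.113.254", 8443, "firewall manager"),  # known firewall, management UI exposed
    ("198.51.100.77", 3389, "ms-wbt-server"),     # known range, RDP exposed
    ("192.0.2.45", 3389, "ms-wbt-server"),        # outside inventory AND RDP: likely home laptop
    ("192.0.2.200", 80, "python http.server"),    # outside inventory: likely forgotten test box
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "info": 2}


def in_inventory(ip, ranges):
    """True if the address falls inside any approved range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def triage(findings, ranges, admin_ports=ADMIN_PORTS):
    """Classify each scan finding.

    Reasons:
      unknown-asset  host is not in the approved inventory (rogue cloud box, home laptop)
      admin-port     the open port is a remote-management service
    Severity is high when both apply, medium when one does, info otherwise.
    """
    results = []
    for ip, port, banner in findings:
        reasons = []
        if not in_inventory(ip, ranges):
            reasons.append("unknown-asset")
        if port in admin_ports:
            reasons.append("admin-port")
        if len(reasons) == 2:
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "info"
        results.append({
            "ip": ip,
            "port": port,
            "service": admin_ports.get(port, banner),
            "reasons": reasons,
            "severity": severity,
        })
    # Worst findings first so the audit starts with the devices that really matter.
    results.sort(key=lambda r: (SEVERITY_ORDER[r["severity"]], r["ip"], r["port"]))
    return results


def report(results):
    """Render the triage as text lines for a human reviewer."""
    lines = []
    for r in results:
        why = ", ".join(r["reasons"]) or "inventoried host, non-admin service"
        lines.append(f"[{r['severity']:6}] {r['ip']}:{r['port']} ({r['service']}) - {why}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_SCAN, APPROVED_RANGES)):
        print(line)
```

The "high" bucket is exactly the case the second bullet describes: an RDP listener on an address the organization does not even claim. The "unknown-asset" reason by itself surfaces the abandoned cloud hosts from the first bullet, and "admin-port" on an inventoried address catches the router, switch, and firewall consoles from the third.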
When an organization reviews its network in anticipation of an attack, it tends to focus on the areas of the network that it knows about. Patching is critical, but adversaries don't just recon the IP ranges that you know about. They look for everything on the Internet that might belong to you, and you should too. Don't assume you know all of your network, because adversaries don't make that assumption.