Iranian Cyber Attacks: What’s Coming Next

Image courtesy of Forbes.com
Given the U.S.' recent military engagement with Iran, the question everyone is now asking is whether the cessation of military activities means this is all over, or whether another shoe will soon drop.
While no one has a crystal ball, our overall history with Iran makes it fairly clear that the next phase of this engagement will play out in the cyber realm. Over the past decade, our relationship with Iran in the cyber domain has been marked by repeated escalations and de-escalations of cyber activity by Iran (or third-party affiliates acting on its behalf), tracking the ups and downs of our broader political relationship. As such, there is a high probability that cyber intrusions, attacks, or other malicious activity from Iran or its surrogates are now on their way.
Looking at Iran's past cyber attacks around the world, we can group the potential threat into three categories:
- Web Defacements
- Distributed denial-of-service (DDoS) and other attacks on the availability of a website
- Destruction of data, such as wiping a company's computers and destroying all of its data
Of the three, the destruction of data is clearly the most frightening to contemplate. Web defacements are good for messaging, something Iran is fond of (for example, breaking into a website and posting a message to further the Iranian agenda), and they are costly for the victim to recover from, but for the most part they are more of an annoyance and short-lived.
DDoS attacks can be more troubling and have longer-term impact. For example, the 2011–2012 DDoS attacks on almost 50 U.S. financial services companies, subsequently attributed to Iran, inconvenienced hundreds of thousands of customers and cost the companies millions of dollars to recover from.
But the biggest concern, obviously, is the destruction of data. Iran is now well known for its attacks on Saudi Arabia's Aramco energy company, in which a piece of malware called Shamoon wiped tens of thousands of Aramco's computers, causing massive monetary and reputational damage. Iran allegedly updated this malware, nicknamed Shamoon 2, to attack new Saudi targets, including government offices.
Most recently, two pieces of reporting have raised the likelihood that this may be one of perhaps many rounds of cyber attacks by Iran. Specifically:
- In December 2019, IBM warned of a new form of wiper malware it called ZeroCleare, which overwrites the Master Boot Record and disk partitions on Windows machines and is alleged to have already been used against the industrial and energy sectors (it has been attributed to Iran-backed hackers); and
- One of the more concerning Iranian hacker groups, known as APT33, is rumored to have spent years developing sophisticated payloads built around PowerShell implants, which could potentially allow them to meddle with critical infrastructure such as financial systems or industrial control systems.
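A wiper that targets the Master Boot Record and partition table leaves a recognizable footprint in the first sector of the disk. The script below is an added illustration, not code from this article or from IBM's report, and it does not model ZeroCleare itself: it parses a 512-byte MBR sector (boot code, four 16-byte partition entries at offset 446, and the 0x55AA boot signature at offset 510) and classifies the sector as intact, zero-filled, or damaged, the kind of quick integrity check a responder might run against a forensic disk image when a wiper is suspected. All sample sectors are constructed in the script.

```python
"""Classify a 512-byte MBR sector as intact, zeroed, or damaged.

Added example for triaging a suspected MBR/partition-table wipe.
Layout assumed: 446 bytes boot code, 4 x 16-byte partition entries,
2-byte boot signature 0x55 0xAA at offset 510. Samples are constructed.
"""
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partitions(sector: bytes):
    """Return the four primary partition entries; unused entries have type 0."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        e = sector[off:off + PART_ENTRY_SIZE]
        entries.append({
            "status": e[0],                                # 0x80 = bootable, 0x00 = inactive
            "type": e[4],                                  # partition type id (e.g. 0x07 NTFS)
            "lba_start": struct.unpack_from("<I", e, 8)[0],
            "sectors": struct.unpack_from("<I", e, 12)[0],
        })
    return entries


def assess_mbr(sector: bytes) -> str:
    """Classify a sector as 'intact', 'zeroed', or 'damaged'."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    if sector == b"\x00" * MBR_SIZE:
        return "zeroed"      # whole sector overwritten with zeros
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        return "damaged"     # no boot signature: firmware will not boot this disk
    used = [p for p in parse_partitions(sector) if p["type"] != 0]
    if not used:
        return "damaged"     # signature survived but the partition table is empty
    for p in used:
        if p["status"] not in (0x00, 0x80) or p["sectors"] == 0:
            return "damaged" # malformed entry: status byte or size makes no sense
    return "intact"


def build_sample_intact() -> bytes:
    """Constructed healthy MBR: one bootable NTFS partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                        b"\x00\x00\x00", 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    sector[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


def build_sample_table_wiped() -> bytes:
    """Constructed: signature left in place but every partition entry zeroed."""
    sector = bytearray(MBR_SIZE)
    sector[SIGNATURE_OFFSET:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed sample sectors
SAMPLE_INTACT = build_sample_intact()
SAMPLE_ZEROED = b"\x00" * MBR_SIZE
SAMPLE_TABLE_WIPED = build_sample_table_wiped()
SAMPLE_JUNK = bytes((i * 7 + 13) % 256 for i in range(MBR_SIZE))  # pseudo-random overwrite


if __name__ == "__main__":
    for name, sample in [("intact", SAMPLE_INTACT), ("zeroed", SAMPLE_ZEROED),
                         ("table wiped", SAMPLE_TABLE_WIPED), ("junk", SAMPLE_JUNK)]:
        print(f"{name:12s} -> {assess_mbr(sample)}")
```

In practice the sector would be read from the first 512 bytes of a forensic image; the classification is only a first triage step, and a "damaged" or "zeroed" result should be followed by a look at the GPT header and backup partition tables where present.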
Of course, whether, where and when they strike remains an open question; they could target the US or one of its allies. For more of my thoughts on what form these attacks may take, and against whom, please check out the op-ed I recently published in The Hill: https://thehill.com/opinion/cybersecurity/478152-next-phase-in-the-us-confrontation-with-iran-moving-the-battle-to-the
And please listen to a recent interview I did on this topic: https://www.rickungarshow.com/rick-ungar-show-highlight-01-15-20/