
Will Iran Retaliate in the Cyber Realm?: 5 Questions with an Incident Response Expert

By now, you’re well aware of the tensions currently in place between the United States and Iran. 

Following a U.S. strike that took down one of the top government officials in Iran, the country quickly retaliated by firing back at U.S. bases located in Iraq. While the battleground may be in the air and potentially on the ground in the future, there’s one arena that can create as much havoc and disruption: the cyber realm.

But before you jump to any conclusions, we decided to touch base with Trustwave’s own incident response expert, Brian Hussey, vice president of cyber threat detection and response, who provided us with a breakdown of what’s occurring and, most importantly, what may occur in the coming days or months.

Can you provide us with a breakdown of what’s going on at the moment?

Brian Hussey: Last week the U.S. launched strikes killing Iran’s top military leader, General Soleimani, and Iran vowed revenge. That’s kind of the state we’ve been in for the last couple days, wondering if their revenge will include cyber attacks. Earlier this week Iran did launch retaliatory strikes against U.S. bases in Iraq. That’s obviously one element of their retaliation, but will there be others or not? That’s the question right now. Geopolitical factors do influence the cyber threat landscape and oftentimes the cyber approach is a faster and less attributable way, with easier access, for a small nation-state or one that has a hard time being able to launch an attack on the U.S. homeland.

For example, for a nation-state to launch an attack against the U.S., it’s not easy to get within our borders, thankfully so. But one of the easiest ways to directly impact US infrastructure and economy would be via a cyber-attack. So, when a geopolitical event like this occurs, we need to have heightened awareness when it comes to cyber attacks that may or may not come out of Iranian nation-state actors, or even patriotic actors within the country.

Why should security leaders that aren’t necessarily protecting government infrastructure care? How would it impact them?

BH: When you look at the modern-day security professional, they’re always overwhelmed by their day-to-day job, but when a major attack occurs, their job is going to get much more difficult, very, very quickly. It’s best, at minimum, to maintain situational awareness about the constantly changing threat landscape impacting their industry and geography. There are a few types of attacks that Iran is famous for, most prevalent being wiper malware.

If you look at the Shamoon malware (more recently updated to StoneDrill), it was executed against Saudi Aramco and RasGas a number of years ago. That’s the known Iran modus operandi – or at least one of them. It’s to destroy your systems. In the case of Saudi Aramco, it destroyed 30,000 computers in one shot. That is a major, high-impact event for any corporation. IT security professionals have incredibly busy days and stacked responsibilities, but when high-impact geopolitical events like this take place it raises the threat level and it’s something they should have some concern over.

Are there any specific industries that should be more cautious than others?

BH: As a retaliation, Iran is going to want to make headlines, they’re going to want to be noticed, and make a major impact with their cyber attacks. The most impact is going to come across areas that have the ability to affect human life, US confidence in their government, or impact of major monetary value. The U.S. government will certainly want to be on high alert, as well as the finance and healthcare sectors. In addition, any SCADA environments that have access to or the ability to impact human life, such as water treatment plants and power plants. They are the ones that should be the most concerned in a cyber war-type scenario with Iran.

What types of attacks could we possibly see out of Iran?

BH: What they’re well-known for is the wiper malware, which is distributed in a way that is similar to ransomware, but it operates differently, as there’s no way to recover data. It completely wipes the boot sector away, as well as sections across the hard drive making recovery impossible, except possibly from offline backups.

While that’s what they’re most known for, since 2007 the Stuxnet attack was a very targeted SCADA attack on an air-gapped Step 7 Siemens processor that should not have been able to be targeted, but it clearly was. That was inspirational for Iran in the development of their attacks on targeted, off-line SCADA networks. This kind of attack generally takes a lot higher of a level of sophistication, so I don’t know if they’re capable of doing that right now, or if they are currently laying dormant in US SCADA environments, ready to launch an attack, is also unknown.

I’d also be concerned about botnets. Every nation-state that has an offensive capability has gathered a very large botnet to use for offensive purposes in the event of a cyber war. That’s just the nature of the game. Does Iran have this and are they interested in using it now? Even today, with modern security technology and professionals, it is difficult to protect against massive botnet-driven DDoS.

Are there any particular incidents from the past that we can compare this to?

BH: There have been global incidents in the past that have caused security professionals to be on high alert. Really, any time a nation-state is in potential conflict with another nation-state, then those residing within the borders of the combatants should be aware of the cyber implications at hand. It’s not just about bombs and planes and tanks. The concern that immediately needs to be on the top of the list is cyber threats.

Given the high alert many security professionals are currently on, Hussey advises security leaders to focus on the following areas:

  • Defense-in-Depth: The old maxim, harden your perimeter with layers of protection that can cover when one fails.
  • It’s all about the endpoints: Invest in quality EDR technology that gives you access for rapid hunting, investigation, and containment across your global enterprise (not to mention advanced preventative capabilities).
  • Get Proactive: Invest in pen testing and threat hunting. You should know how attackers can get into your network and if you’ve already been compromised.
