You’ve heard a lot about what the rising tensions with Iran might mean for your company. When the analysts talk about the growing Iran conflict, they almost always include cybersecurity.
And they’re right.
Iran has a long history of increasingly sophisticated cyber-attacks that target businesses with national security and public welfare implications. But while these analysts are right to warn the country’s most important and largest companies about the likelihood of an Iranian state-sponsored cyber-attack, they miss the mark in explaining the gravity of the situation. They understate the urgency that companies ranked Fortune 3000 or higher need to display in their preparation and mitigation strategies.
Here’s the reality: Right now, Iran is the most motivated cyber threat to American interests.
And we are not alone in this assessment. During a panel at the 2019 Global Cyber Innovation Summit in Baltimore, former NSA director Keith Alexander expressed concern that Iran’s irrationality, lack of leverage, and personal vendetta with the United States make them more unpredictable than Russia and China. And that was before the drone strike that killed Iran’s top commander, Gen. Qasem Soleimani.
Iran’s Cyber Capabilities
In the past, cybersecurity researchers and analysts generally agreed that the cyber capabilities of China and Russia vastly outmatched those of Iran. And we have seen the power of the North Korean attacks against central banks and Sony. However, since the US deployed its Stuxnet virus to damage the Iranian nuclear program in 2007, Iran has dedicated itself to increasing its cyber prowess. And in many ways, they’re succeeding.
Today, Iran’s hacking capabilities are diverse and insidious. They have a growing portfolio of successful cyber-attacks that include cyber theft campaigns, DDoS attacks, malware, and cyber-enabled espionage.
And US intelligence agencies report that Iran is not finished developing. The global threat assessment from January 2019 reports that Iran was working to develop cyber capabilities to damage US critical infrastructure.
We don’t know if Iran has successfully deployed its capabilities to damage or to sleep inside of our critical infrastructure yet. But what we do know could be just as damaging.
Data-Wiping/Data Manipulation Malware
Iran created, and continues to evolve, a selection of data-wiping malware that has already caused great harm to some of the world’s most critical companies. And to demonstrate the power of their data-wiping strength, Iran launched the initial version of this malware on the world’s largest company, Aramco in Saudi Arabia.
In 2012 the Iranian malware, Shamoon, was responsible for wiping nearly 35,000 computers at Aramco. Even that early version of Shamoon was able to spread from the initially infected machine to all others on the network. It compiled files from each infected machine and delivered them to the hacker, who ultimately erased them.
In 2018, Aramco’s revenue was $355.9 billion. But even in 2012, its revenue rivaled the economy of some countries. Still, with vast resources and the ability to fly employees directly to factory floors and purchase over 50,000 hard drives as part of the recovery effort, it took Aramco several weeks to fully restore operations.
Since that time, Iran has further developed its data-wiping arsenal. In fact, ZDNet just reported that the Bahraini oil company Bapco suffered an Iranian state-sponsored data-wiping attack in the last week of December 2019. The Bapco attack revealed a more advanced version of the original Shamoon malware. This latest strain of Iranian data-wiping malware, Dustman, can overwrite and manipulate data on infected computers, as opposed to just erasing it or replacing it with obvious garble.
Fortunately for Bapco, the attackers triggered the data-wipe prematurely after fearing the hack had been exposed. This meant that operations at the company weren’t disrupted as officials cleaned up the breach.
But botched malware campaigns aren’t the norm for Iranian state-sponsored actors, and American companies shouldn’t expect to be so lucky. The Iranians learn from their experiences.
Malware as a Weapon
While Iran has used its data-wiping and data manipulation malware on companies with connections to rival countries in the Middle East, cyber-attacks know no boundaries. Considering the growing hostility between Iran and the United States, and the large number of American companies with close national security and public welfare ties, it’s foreseeable that Iran will use American corporations and defense contractors as a conduit to exact revenge on the United States government.
Imagine if Iran deployed its latest data-manipulation/data-wiping malware on a large financial institution – maybe even on a financial exchange. The breach goes undetected while the attacker changes all of the “7’s” to “0’s” in a database of his choosing. What type of damage and chaos would that cause among financial stakeholders? How long (and at what cost) would it take to figure out what happened, and how to fix it? How would that affect American society and government operations as a whole?
We know Iran has that capability. What do they have that we don’t know about?
While any individual or entity is at risk of a cyber-attack, when it comes to an Iranian-sponsored attack, there are a few industries at higher risk. They include:
- Tech—especially software providers
- Defense Contracting
In fact, the threat to the financial industry is so great that in response to the US drone attack on Gen. Soleimani, the New York Department of Financial Services (NY DFS) issued a press release urging regulated entities to increase their cyber-vigilance. The press release also cites Iran’s cyber capabilities and specifically mentions Iran’s history of launching DDoS attacks on US banks.
But what’s more telling is that the NY DFS also warns that “Iranian attackers were increasingly using highly destructive attacks that delete or encrypt data.” Those “highly destructive attacks” are the same data-wiping and data manipulation malware campaigns we are most worried about – and the ones from which you should seek to protect your company.
Though American businesses might seem like the wrong target for Iran’s ire, think about it. Why would the Iranians try to attack the government or military directly when they can cause just as much damage going through carefully selected companies? They know the US government and military have extensive defenses, mitigations, and retaliation capabilities. They also know that American companies don’t.
The Way Forward
America’s companies didn’t ask to be on the fighting lines of our next war. But we’ve long said that the next war will be a cyberwar, and it’s looking like these companies are prime real estate for a battleground.
So, what can be done? Fortune 3000 corporations need to take a step back and get a complete and realistic look at their cybersecurity as it stands now. Where are you vulnerable? Do you know your cyber risks? Are you measuring your cyber risks and developing a multi-year program to manage your cyber risk, prioritizing those that offer attack vectors to the hackers posing the greatest threats—like the Iranians? Are attackers already in your systems? Have you adequately addressed your cyber-risk insurance needs? Is your documentation and planning sufficiently solid to drive rapid recovery, with minimum business interruption? With this information, available from a TripleHelix® comprehensive cyber risk assessment, America’s most critical companies can devise and execute a strategy to clean up current issues and defend against upcoming ones.
This can seem overwhelming, but it doesn’t have to be. The cybersecurity experts at Assured Enterprises are available to answer your questions (first scheduled call is free) and to secure your business, with skills and tools used by the US military and major companies. After all, the safety and security of America’s greatest institutions provides safety and security to all Americans.