We assess with medium confidence that various organizations in the United States, especially in the federal government, critical infrastructure, and financial services sectors, are at increased risk of Iran-sponsored and hacktivist cyber attacks in retaliation for the US airstrike that killed Iranian Commander Qasim Suleimani on January 2. Although Iran is not the most advanced nation in cyber attack capabilities, the Center for Strategic and International Studies recently noted Iran has “rapidly improved its cyber capabilities” and “is ahead of most nations in strategy and organization for cyber warfare.” Iran claims to have over 100,000 cyber trained volunteers, and there are several groups—both state-sponsored and hacktivists loyal to Iran’s leadership—that have historically and repeatedly conducted cyber attacks against the US and other nations. These groups include:
The Cyber Defense Command: An Iranian government organization with a primarily defensive orientation. Launched in November 2010, the Cyber Defense Command is charged with providing security to the country and its infrastructure against cyber threats. However, this group also launched denial-of-service attacks against domestic websites engaged in activities authorities deemed “transgressive.” It has also hacked into the email and social media accounts of students, activists, and journalists critical of the Iran’s government.
Iranian Cyber Army: Believed to be a government-affiliated organization formed in 2005 to conduct offensive cyber operations. Among the group’s preferred tactics is website defacement, made possible by gaining unauthorized access to a domain and replacing its content, and DNS cache spoofing, a technique used to redirect websites to other destinations.
OilRig: An Iranian hacking group active since 2015 and one of Iran’s most prolific cyber espionage units. Believed to be state-sponsored, this group initially focused on targeting private organizations outside Iran’s borders. This group has targeted government, media, energy, transportation, logistics, and technology service providers and managed to steal 13,000 login credentials from 97 organizations spanning 27 countries, primarily based in the Middle East.vi OilRig also has commonly used phishing campaigns, especially emails disguised as advertisements for job postings.
Known cyber capabilities of Iranian nation-state and hacktivist groups include:
Distributed Denial-of-Service (DDoS) Attacks: The overwhelming of a target or its surrounding infrastructure with a flood of Internet traffic to cause the disruption of a service or network.
In 2016, the US Department of Justice (DOJ) indicted seven state-sponsored Iranian hackers who conducted DDoS attacks against 46 major financial institutions and corporations between 2011 and 2013, causing millions of dollars in lost business.
Spear Phishing: Any malicious electronic communication targeted at a specific individual or department within an organization that appears to be from a trusted source.
In mid-2019, analysts at two cybersecurity firms associated a new spear phishing campaign targeting the US Department of Energy and other public and private organizations with Iran.
In March 2018, the US DOJ indicted nine Iranians who used spear phishing campaigns to target 144 US universities and steal intellectual property such as scientific research, trade secrets, and sensitive US government information. In total, the hackers stole more than 30 terabytes of academic data worth an estimated $3.4 billion.
Destructive Malware: Malicious code designed to destroy data and impact the availability of critical assets.
Last month, researchers at one technology firm discovered a new data-wiping malware dubbed ZeroCleare, which was used in a destructive cyber attack against energy companies in the Middle East. ZeroCleare is designed to delete as much data as possible from an infected system, wipe the Master Boot Record, and damage disk partitions.
Website Defacement: An attack that changes the appearance or file structure of a website to display unauthorized or malicious content.
In 2009, the Iranian Cyber Army hacked Twitter, replacing the home page with an image of a green flag with the words “This site has been hacked by Iranian Cyber Army.” Since then, numerous websites have been impacted by this group, including the Chinese social media site Baidu in 2010, Voice of America in 2011, and the International Atomic Energy Agency in 2012.
Traffic Light Protocol: WHITE information may be distributed without restriction.