

Hot on the heels of the U.S. bombing of Iranian nuclear facilities, a joint cybersecurity advisory has warned critical infrastructure organizations of cyber threats stemming from Iranian-backed malicious actors.
“Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events,” it stated.
The Federal Bureau of Investigation (FBI), the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Department of Defense Cyber Crime Center (DC3) jointly authored the advisory.
However, the authoring agencies said they have not, at the time of writing, detected any coordinated Iranian cyber activity targeting U.S. organizations.
CISA warns critical infrastructure organizations of Iranian cyber threats
The authoring agencies advised critical infrastructure organizations to brace for potential Iranian cyber threats. They warned that Iranian hackers exploit security vulnerabilities that many critical infrastructure organizations might have overlooked.
“Hacktivists and Iranian-government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices for disruptive cyberattacks,” the agencies stated. “These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.”
The security and intelligence agencies warned that critical infrastructure organizations in the Defense Industrial Base (DIB), especially those with links to Iran’s traditional enemy, Israel, were most at risk from Iranian cyber threats.
In November 2023, Iranian hackers breached a Pennsylvania water utility by targeting Israeli-produced Unitronics programmable logic controllers (PLCs).
Israeli cybersecurity firm Check Point has observed Iranian cyber threats targeting the country’s critical infrastructure organizations in the defense sector via email- and WhatsApp-based phishing messages.
“In some of those campaigns, Israeli technology and cyber security professionals were approached by attackers who posed as fictitious assistants to technology executives or researchers through emails and WhatsApp messages,” Check Point stated. “Defense Industrial Base companies, particularly those possessing holdings or relationships with Israeli research and defense firms, are at increased risk.”
Check Point research also detailed how Iranian-backed hackers, specifically APT35, were already targeting high-profile professionals working with Israeli-based organizations in a massive AI-powered Gmail spear-phishing campaign.
“The threat actors directed victims who engaged with them to fake Gmail login pages or Google Meet invitations,” Check Point stated.
“The ever-increasing risk of cyberthreats should hopefully come as no surprise to security teams, regardless of if the adversary is a nation state responding to rising geopolitical tensions or a cybercriminal seeking to make some money,” noted James Maude, Field CTO at BeyondTrust. “The CISA advisory makes the point that nation states and cyber criminals often actively collaborate, so it is important to consider the entire threat landscape and how it is evolving.”
Randolph Barr, Chief Information Security Officer at Cequence Security, argued that the threat extends well beyond the countries directly involved in the conflict.
“We live in a time where cyberattacks are no longer isolated to the countries directly involved in geopolitical conflict,” said Barr. “In the case of Iran, it’s not just about their known cyber capabilities, it’s about the broader network of proxy actors and aligned nations who may view recent U.S. actions as justification for retaliation.”
How Iranian hackers breach critical infrastructure organizations
Iranian hackers utilize various reconnaissance tools, like Shodan, to identify unpatched internet-facing interfaces that could be exploited.
After gaining access, the Iranian hackers escalate privileges to obtain administrative rights and install more potent utilities. These include remote access trojans (RATs), keyloggers, and administrative and penetration-testing tools such as PsExec and Mimikatz.
Once deployed, these tools let the attackers execute privileged commands, harvest credentials, and disable endpoint security solutions, such as antivirus, to avoid detection.
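The post-access tooling described above leaves recognizable traces in Windows telemetry, and a defender can turn those traces into detections. The following is an added example (not code from the advisory or from any vendor quoted in this article) that runs three simple rules over a constructed set of Windows events: a PsExec service install (System event 7045 with the default PSEXESVC service name), a Mimikatz-style credential dump (Security event 4688 with a sekurlsa/lsadump command line), and antivirus tampering (a Set-MpPreference command line or the Defender "real-time protection disabled" event 5001). Host names, user names and the event records are all constructed for the example.

```python
"""Detection rules for PsExec, Mimikatz-style credential dumping and AV tampering.

Added example with constructed sample events; not the advisory's own code.
The event dicts mimic the fields a SIEM would carry for the Security, System
and Microsoft-Windows-Windows Defender/Operational channels.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Constructed sample telemetry (hypothetical hosts and users, not real data).
SAMPLE_EVENTS = [
    {"host": "eng-ws01", "event_id": 4688, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "user": r"CORP\jdoe"},
    {"host": "eng-ws01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "user": r"CORP\svc_admin"},
    {"host": "eng-ws01", "event_id": 4688, "image": r"C:\Temp\m.exe",
     "cmdline": "m.exe privilege::debug sekurlsa::logonpasswords exit",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"host": "hmi-02", "event_id": 4688,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -c Set-MpPreference -DisableRealtimeMonitoring $true",
     "user": r"CORP\svc_admin"},
    {"host": "hmi-02", "event_id": 5001, "user": r"CORP\svc_admin"},  # Defender RTP disabled
    {"host": "fs-01", "event_id": 7045, "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe", "user": r"NT AUTHORITY\SYSTEM"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _cmdline(ev: dict) -> str:
    return (ev.get("cmdline") or "").lower()


def rule_psexec_service(ev: dict) -> Optional[str]:
    """System 7045: a new service whose name or binary is PsExec's default PSEXESVC."""
    if ev.get("event_id") != 7045:
        return None
    name = (ev.get("service_name") or "").upper()
    path = (ev.get("image_path") or "").upper()
    if name.startswith("PSEXESVC") or "PSEXESVC" in path:
        return f"service {name!r} installed from {path!r} by {ev.get('user')}"
    return None


def rule_credential_dumping(ev: dict) -> Optional[str]:
    """Security 4688: Mimikatz module syntax in a process command line."""
    if ev.get("event_id") != 4688:
        return None
    cmd = _cmdline(ev)
    markers = ("sekurlsa::", "lsadump::", "privilege::debug", "mimikatz")
    if any(m in cmd for m in markers):
        return f"credential-dumping command line: {ev.get('cmdline')!r}"
    return None


def rule_av_tamper(ev: dict) -> Optional[str]:
    """Defender 5001 (real-time protection disabled) or a command that disables it."""
    if ev.get("event_id") == 5001:
        return "Defender real-time protection disabled (event 5001)"
    if ev.get("event_id") == 4688 and "disablerealtimemonitoring" in _cmdline(ev):
        return f"Defender disabled via command line: {ev.get('cmdline')!r}"
    return None


RULES: List[Callable[[dict], Optional[str]]] = [
    rule_psexec_service, rule_credential_dumping, rule_av_tamper,
]


def detect(events: Iterable[dict]) -> List[Finding]:
    """Run every rule over every event; one Finding per (event, rule) hit."""
    findings: List[Finding] = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append(Finding(ev["host"], rule.__name__, detail))
    return findings


def escalated_hosts(findings: Iterable[Finding]) -> List[str]:
    """Hosts that tripped two or more *distinct* rules: a chain (e.g. PsExec
    followed by credential dumping) is a much stronger signal than one hit
    repeated, so the same rule firing twice on a host does not count."""
    rules_by_host: dict = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= 2)


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:10} {f.rule:25} {f.detail}")
    print("escalate:", escalated_hosts(detect(SAMPLE_EVENTS)))
```

On the constructed data, eng-ws01 trips both the PsExec and the credential-dumping rule and is escalated, hmi-02 trips only the AV-tamper rule (twice) and is not, and the legitimate Spooler service install on fs-01 produces nothing. In production the same rules would be fed from Sysmon or Windows event forwarding and the PSEXESVC match would be widened to cover renamed service names, which PsExec allows.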
The advisory follows an earlier DHS warning of low-level cyber threats from pro-Iranian hacktivists, including distributed denial-of-service (DDoS) attacks.
“The ongoing Iran conflict is causing a heightened threat environment in the United States,” the DHS warned. “Low-level cyber attacks against US networks by pro-Iranian hacktivists are likely, and cyber actors affiliated with the Iranian government may conduct attacks against US networks.”
Meanwhile, CISA and other authoring agencies recommended various mitigations to prevent Iranian-affiliated cyber threats from compromising U.S. critical infrastructure.
They recommended isolating Internet of Things (IoT) and Operational Technology (OT) networks to prevent threat actors from pivoting to other systems after breaching ICS devices, which usually lack traditional cybersecurity defenses typical of corporate networks.
“Securing remote access remains one of the top priorities for many organizations especially in high risk, OT and ICS environments which need to be kept well away from the public internet,” Maude added. “Organizations need to think about how to securely manage privileged access into their critical environments.”
The authoring agencies also recommended changing default passwords, using strong passphrases, and enabling multi-factor authentication (MFA) to prevent hackers from exploiting weak and leaked login credentials.
They also advised critical infrastructure organizations to apply security patches and software updates, prioritizing internet-exposed devices, and to maintain an incident response plan tailored to their own environment.