Iranian Cyberattacks and Threat Modeling: Is Your Organization Prepared?

Peter Cockshott | 2/18/2020

U.S.-Iranian relations are under strain, and recent events have reignited tensions between the two countries. Such global events can quickly become up close and personal when a cyberattack takes place at your organization, your bank, your healthcare provider, or even your local power company. That said, organizations can take proactive steps to help strengthen cybersecurity defenses in the wake of increasing offensive security operations. One of these steps is threat modeling, which is a fundamental aspect of developing and prioritizing information security efforts.

Escalating tensions

On Jan. 3, 2020, a U.S. airstrike killed Maj. Gen. Qassem Soleimani of the Islamic Revolutionary Guard Corps (IRGC), reigniting tensions between the United States and Iran. Soleimani was a member of the IRGC’s Quds Force, a special operations unit of the IRGC that focuses on military intelligence and unconventional warfare. Days later, on Jan. 7, Iran responded with airstrikes on two bases housing U.S. forces in Iraq. Many presume that this relatively small kinetic response will be the end of Iran’s retaliatory operations.

However, on Jan. 6, just after the initial U.S. airstrike, the Cybersecurity and Infrastructure Security Agency (CISA) issued an alert warning the cybersecurity community of potential retaliatory actions by Iran and recommending proactive steps organizations should take to protect against a cyberattack. This alert expands on the June 2019 CISA statement and clearly indicates that U.S. intelligence agencies expect offensive Iranian security operations as retaliation.

Exposed Iranian cyberattacks

These concerns stem from a history of malicious cyberactivity attributed to Iranian forces, such as the distributed denial-of-service (DDoS) attacks against U.S. banks between 2011 and 2013 believed to be in retaliation for U.S.-imposed sanctions. In a 2013 intrusion on Bowman Avenue Dam in Rye Brook, New York, Iran demonstrated that its operators had the capability to compromise some industrial control systems of critical infrastructure in the United States.

In addition, on March 24, 2016, the U.S. District Court of the Southern District of New York indicted several Iranian hackers believed to be associated with the IRGC for their actions that targeted AT&T, multiple major U.S. financial institutions, NASDAQ, and the New York Stock Exchange.

On March 23, 2018, the U.S. Department of Justice indicted nine individuals associated with the Iran-based Mabna Institute and the IRGC for facilitating offensive security operations on “144 U.S. universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the U.S. Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.” In all, the Mabna hackers stole “more than 31 terabytes of academic data and intellectual property from universities, and email accounts of employees at private sector companies, government agencies, and non-governmental organizations.”

In yet another indictment, the U.S. Attorney’s Office for the Northern District of Georgia charged two Iranian citizens with the development and dissemination of the SamSam ransomware strain that wreaked havoc on the city of Atlanta’s information systems in March 2018.

It’s unclear whether similar attacks are currently being planned or executed, but many U.S. organizations have expressed concern about becoming a direct or indirect victim of an Iranian offensive security operation. Their concern is valid.

Threat modeling defined

Before trying to determine the likelihood of a nation-state adversary cyberattack on certain organizations or industries, it’s important to first understand threat modeling. Threat modeling is a proactive, methodical process of identifying, quantifying, and addressing threats to organizational assets. The goal of threat modeling is to allow system administrators to categorize threats based on their estimated likelihood of occurrence and corresponding impact to the organization.

More than a dozen established threat modeling approaches can be used to accomplish this goal, and it is up to organizations to determine which methodology best suits their needs. In general, most threat modeling methods incorporate threat actors, attack vectors, motivations, and detailed threat narratives into the process.

One of the oldest and most common methods of threat modeling is the simple attack tree, which is a visual tool to identify and qualitatively measure an adversary’s likelihood of attack based on the probability of success, the level of permissions or access needed, and the cost associated with the offensive operation. This method can be combined with or incorporated into other threat modeling methodologies, but it serves as a simple introduction to the threat modeling process.

One such use case for attack trees would be evaluating threat intelligence feeds and comparing that information with known vulnerabilities in an organization’s information security posture. For example, combining intelligence gathered from an organization’s security information and event management solution with results from a recent penetration assessment or risk assessment can help an organization estimate attack paths for specific assets. Administrators can then prioritize remediation plans or evaluate mitigating controls that can help reduce exposure and minimize fallout. Threat modeling is a useful tool in understanding which assets would be desirable to adversaries and how adversaries might try to compromise information systems.
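The attack tree introduced above and the remediation prioritisation in this use case, as an added example that is not part of the original article: a small AND/OR attack tree whose leaves carry the three dimensions the article names (probability of success, access needed, adversary cost), evaluated for the adversary's likelihood and cheapest path and then re-evaluated with each leaf blocked to rank which control cuts the likelihood most. All node names and values are constructed estimates.

```python
from dataclasses import dataclass, field
from math import prod
from typing import List, Tuple

# Added example, not from the article: an AND/OR attack tree whose leaves carry
# probability of success, access needed and adversary cost (constructed values).

@dataclass
class Node:
    name: str
    gate: str = "LEAF"                 # "LEAF", "AND" or "OR"
    children: List["Node"] = field(default_factory=list)
    p: float = 1.0                     # leaf: estimated probability of success
    access: int = 0                    # leaf: 0 none, 1 user, 2 admin required
    cost: float = 0.0                  # leaf: adversary effort, arbitrary units
    mitigated: bool = False            # defender flag: a control blocks this step

def evaluate(node: Node) -> Tuple[float, float, int]:
    """(probability, cost, access) of the subtree. AND: multiply p, add cost, max
    access. OR: p that any viable child succeeds; cost/access of the cheapest one."""
    if node.gate == "LEAF":            # a mitigated leaf is not viable (p = 0)
        return (0.0, float("inf"), node.access) if node.mitigated else (node.p, node.cost, node.access)
    rs = [evaluate(c) for c in node.children]
    if node.gate == "AND":
        return (prod(r[0] for r in rs), sum(r[1] for r in rs), max(r[2] for r in rs))
    rs = [r for r in rs if r[0] > 0.0]          # OR gate: drop blocked branches
    if not rs:
        return (0.0, float("inf"), 0)
    cheapest = min(rs, key=lambda r: (r[1], r[2]))
    return (1.0 - prod(1.0 - r[0] for r in rs), cheapest[1], cheapest[2])

def leaves(node: Node) -> List[Node]:
    return [node] if node.gate == "LEAF" else [l for c in node.children for l in leaves(c)]

def rank_mitigations(root: Node) -> List[Tuple[str, float]]:
    """How much blocking each unmitigated leaf cuts the root probability, largest first."""
    base, ranked = evaluate(root)[0], []
    for leaf in [l for l in leaves(root) if not l.mitigated]:
        leaf.mitigated = True                    # model a control on this step
        ranked.append((leaf.name, round(base - evaluate(root)[0], 4)))
        leaf.mitigated = False
    return sorted(ranked, key=lambda d: -d[1])

TREE = Node("Disrupt customer portal", "OR", [   # constructed tree, adversary goal at root
    Node("Flood the portal (DDoS)", p=0.6, cost=5),
    Node("Encrypt the portal servers", "AND", [
        Node("Obtain admin credentials", "OR", [
            Node("Phish an administrator", p=0.4, cost=2),
            Node("Reuse a leaked password", p=0.2, cost=1)]),
        Node("Reach servers from admin workstation", p=0.9, access=2, cost=3)])])
```

Running `rank_mitigations(TREE)` puts the DDoS leaf first, then the workstation-to-server hop, which is the order a remediation road map would follow for this tree.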

Integrating threat modeling

By incorporating threat modeling into risk management processes, organizations can supplement other cybersecurity assessments to better understand how to secure their assets. Organizations should use these five steps to incorporate threat modeling into their information security programs:

  1. Comprehensive risk assessments, penetration assessments, and ongoing simulated phishing campaigns should be deployed to identify vulnerabilities in the current organizational security posture.
  2. Once vulnerabilities have been identified, organizations should apply threat modeling concepts to better understand which vulnerabilities pose the greatest risk toward their clients’, employees’, and users’ assets based on adversaries’ tactics, techniques, and procedures.
  3. After a comprehensive risk assessment has been performed, strategic road maps and remediation plans should be developed to track vulnerabilities until they are addressed.
  4. Periodically, incident response tabletop exercises and disaster recovery simulations should be executed to better prepare personnel to respond to information security incidents and to help make sure that reactive processes augment continuity and recovery operations.
  5. Organizations should continuously iterate through this process as people, technology, and processes change over periodic intervals and as significant implementation or migration projects occur.

While this exercise might seem trivial, it requires a thoughtful examination of which organizational assets adversaries or criminal groups might most want to compromise. In the DDoS attacks against U.S. banks, perpetrators simply wished to interrupt the availability of customer-facing websites to prevent legitimate business from being conducted rather than to compromise the banks’ financial data. Understanding what assets threat actors want to compromise and how they wish to compromise those assets helps inform the defensive strategies administrators should seek to implement.

Potential targets

Which organizations and industries might Iran or another nation-state adversary try to compromise? Military and intelligence organizations are the primary targets. However, compromising entities in the energy, transportation, public services, telecommunications, and critical manufacturing sectors could provide Iran (or other nation-state adversaries) with the capability to launch a staged attack in which an offensive security operation would be followed up by a more traditional military response.

For example, in 2018, U.S. intelligence officials noted that Iranian hackers had been probing the U.S. electricity grid in an attempt to identify vulnerabilities or crucial dependencies that could be used in a future attack. In December 2016, Russian operatives planted malware on the Ukrenergo (Ukraine’s national grid operator) network to sabotage the circuit breakers in an electric transmission station. The malware succeeded in throwing a fifth of the country into darkness for about an hour. This kind of attack on the North American power transmission grid would be devastating.

Additionally, as Iran has demonstrated in the past, targeting financial services institutions and healthcare providers easily disrupts life for many Americans. Attacking a financial services institution’s assets and resources can lead to the compromise of personally identifiable information, payment card information, and associated metadata that would expose confidential information, including social security numbers, bank account information, passwords, addresses, and spending habits. Similarly, launching a ransomware attack on a healthcare provider could lead to the compromise of protected health information, delayed treatment times, or total inaccessibility of crucial information systems.

Attribution: Who’s doing what?

The phrase “Correlation does not imply causation” is commonly used by statisticians to point out that two variables showing an association suggestive of a cause-and-effect relationship does not mean that one causes the other. Similarly, just because an incident or breach appears to be from an Iranian source does not mean that the source is in fact Iranian.

Experts suggest that other foreign adversaries such as North Korea or Russia might capitalize on the United States’ heightened sensitivity to Iranian cyberattacks by launching false-flag attacks that try to redirect attribution to Iran. This possibility is supported by a joint advisory issued by the National Security Agency and the United Kingdom’s National Cyber Security Centre.

The agencies revealed that in 2019, Turla, a Russian criminal organization, compromised an Iranian hacking group known as OilRig and stole information, launched false-flag attacks, and masked its activity. According to the joint advisory, by compromising the Iranian hackers, Turla gained access not just to the “tactics, techniques and procedures” of the Iranian advanced persistent threat but to the “code needed to build versions of tools such as Neuron [Iranian malware] for use entirely independently of Iranian C2 [Command and Control] infrastructure.”

The danger is real and insidious. If a Russian or other nation-state bad actor can go beyond just imitating Iranian tactics, techniques, and procedures and seize control of their tools, intelligence, techniques, and victims, it will be difficult to determine whether an attack can be attributed to Iran.

Proactive steps

In the end, it’s unclear how, when, and where a foreign intelligence agency will conduct offensive security operations against U.S.-based organizations, but it’s only a matter of time before a security incident will take place. Organizations that take proactive steps such as threat modeling can better position themselves to handle whatever might come their way.