
ANKURA CYBER THREAT INTELLIGENCE BULLETIN

IRANIAN RETALIATORY OPTIONS & TACTICS, TECHNIQUES AND PROCEDURES (TTP)

JANUARY 13, 2020

TABLE OF CONTENTS

EXECUTIVE SUMMARY ...... 3

BACKGROUND ...... 3

SUGGESTED RESPONSE ...... 5

SUGGESTED TACTICAL ACTIONS ...... 5

APPENDIX A – IRANIAN THREAT GROUPS TRACKED BY CTAPT ...... 6


EXECUTIVE SUMMARY

As a result of escalating tensions in the Middle East, including the killing of Iran’s Quds Force leader and the recent cruise missile strike against Iraqi and US forces, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) assesses the likelihood of Iranian retaliatory action in cyberspace as high. Iran’s history of carrying out destructive and disruptive cyber-attacks against the United States and its allies should serve as a forewarning to entities in the financial, critical infrastructure, and defense-related industries. Furthermore, based upon reports that Iran-linked threat actors have begun targeting President Trump’s re-election efforts, CTAPT assesses that entities and individuals associated with President Trump’s 2020 campaign or the Republican Party have a high likelihood of being targeted by sophisticated cyber espionage campaigns in the run-up to the November election. Ankura has assembled an overview of the threat and suggested response actions to consider.

BACKGROUND

In response to the recent escalations in tensions between the United States and Iran, the Department of Homeland Security released a National Terrorism Advisory System Bulletin on January 4, 2020. Included in this bulletin was a warning that “Iran maintains a robust cyber program and can execute cyber-attacks against the United States. Iran is capable at a minimum of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.1” This assessment coupled with Iran’s recent promise of retaliation for the killing of Maj. Gen. Qassem Soleimani warrants renewed attention to Iran’s capabilities. Based upon Iran’s history of carrying out destructive and disruptive cyber-attacks against the United States, its allies and interests abroad, Ankura assesses with high confidence that retaliatory campaigns against strategic political, financial, critical infrastructure, and defense related targets are likely imminent. In addition to organized state-sponsored strategic attacks, attack groups sympathetic to but not formally affiliated with Iran may also launch destructive campaigns against American interests and those of its allies.

It was originally perceived that Iran would fall back on its cyber capabilities in order to avoid large-scale military confrontation with its neighbors in the Middle East and the United States, but the recent cruise missile strike against US and Iraqi forces has proven otherwise. However, further retaliation in the form of overt and destructive cyber strikes should not be ruled out. A prime example of Iran’s willingness and ability to launch a destructive attack against its adversaries occurred in August 2012, when the Shamoon (W32.DistTrack) virus was used to overwrite the master boot records of close to 30,000 workstations belonging to Saudi Aramco, rendering them useless2. The Shamoon attack was widely interpreted as Iranian retaliation for what is believed to have been a joint US/Israeli cyber attack that temporarily halted Iran’s nuclear weapons program3. A month later, Iranian actors carried out another successful campaign, which targeted economic targets across the United States, including JP Morgan Chase, Wells Fargo, and PNC Financial, by flooding servers with junk traffic and preventing users from accessing online banking. This attack, believed to have been carried out in response to U.S.-imposed economic sanctions, eventually resulted in seven (7) individuals affiliated with the Islamic Revolutionary Guard Corps being indicted by the US Department of Justice in 2016 for their involvement4.

1 https://www.dhs.gov/sites/default/files/ntas/alerts/20_0104_ntas_bulletin.pdf
2 https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html
3 https://archive.nytimes.com/www.nytimes.com/interactive/2012/06/01/world/middleeast/how-a-secret-cyberwar-program-worked.html

Ankura CTAPT also believes that sustained and sophisticated cyber espionage campaigns against political targets are very likely over the next several months. On October 4, 2019, Microsoft released a blog report revealing that Iranian nation-state actors began targeting President Trump’s re-election campaign. Over a 30-day period, Microsoft observed more than 2,700 attempts to identify and then compromise email accounts belonging to individuals associated with Trump’s 2020 bid, current and former US government officials, journalists covering global politics, and prominent Iranians living outside of Iran5. It is very possible that individuals and entities working on behalf of, or supporting, the Republican party could become a target of more aggressive espionage campaigns with the intended goal of dismantling the President’s re-election campaign.

Based on Iran’s past activities and current strategic priorities, Ankura assesses that the industry sectors most at risk of being targeted by a sophisticated, state-sponsored Iranian attack include the following:

• Energy/oil & gas
• Defense industrial base
• Public utilities
• Public agencies
• Financial services institutions
• Federal agencies
• Department of Defense
• Political

Ankura’s Cybersecurity experts and focused CTAPT capability currently maintain operations to collect reactive and proactive intelligence pertaining to several state-sponsored Iranian threat groups whose mission is to conduct cyber exploitation activity against targets in the private sector (Appendix A). This intelligence is made available to our incident response teams as well as directly to our clients as needed. CTAPT also tracks dozens of other non-Iranian threat groups and actors who could be leveraged as Iranian proxies or even potentially exploit current tensions to launch false flag operations against US interests across the globe.

Additionally, the likelihood that other less sophisticated groups sponsored by and/or sympathetic to Iran may also launch independent attacks against American interests and allies suggests that organizations outside the key strategic industries listed above should also make efforts to assess and mitigate the risk of exploitation. Organizations and brands strongly identified with the United States should take extra precautions. Ankura tracks cyber threat actor groups known to be sympathetic to Iranian interests and is assisting clients in a wide range of industry sectors to evaluate their ability to prevent, detect and respond to the tactics and techniques known to be used by these adversaries. Enhancing defensibility against these less-sophisticated attackers is in large part a matter of assessing the effectiveness of existing controls and enhancing the maturity of an organization’s overall security posture and readiness to respond. Ankura will continue to offer this assistance around the clock to clients during this period of heightened risk.

4 https://www.forbes.com/sites/thomasbrewster/2016/03/24/iran-hackers-charged-bank-ddos-attacks-banks/#1312c8272551
5 https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/

As tensions escalate and alerting increases, it must be understood that Iranian cyber programs are constantly operating and enumerating future victims. Leveraging refined intelligence to bolster cyber hygiene and prevent future exploitation should be a constant priority for any entity. With the wealth of disparate threat intelligence available today, the challenge for many organizations is translating intelligence into action. To assist its clients in this effort, Ankura experts have analyzed available intelligence and created a list of specific mitigation activities to combat a potential Iranian threat activity in the next section.

SUGGESTED RESPONSE

To effectively defend against a future cyber campaign similar to those mentioned in this report, Ankura recommends, and can assist with, taking the following actions:

• Evaluate your organization’s risk profile as a target of Iranian state-sponsored groups through risk and threat assessments
• Re-prioritize threat hunting activities and detection efforts on tactics and techniques known to be used by Iranian-affiliated groups
• Revisit security control, resiliency, and recovery operations including incident response, vulnerability management, threat management, access control, and cyber intelligence feeds
• Update and re-validate Incident Response Checklists/Procedures

SUGGESTED TACTICAL ACTIONS

• Dynamic DNS domains are frequently used to evade IP-oriented blocking. Furthermore, threat groups such as APT33 leverage HTTP or HTTPS communications directly with an IP address to download additional payloads. It is recommended that clients create and monitor alerts to detect proxy communications to IP addresses lacking domain names
• Enable the blocking of macro execution for Microsoft Office documents to prevent execution of embedded malcode
• Enable monitoring of Outlook servers to identify evidence of suspicious redirects or unauthorized command execution
• Enable multi-factor authentication to prevent the theft of legitimate credentials and to thwart the adversary’s ability to leverage tools such as SensePost’s RULER, which is designed to interact with Exchange servers to deliver exploits through Exchange’s legitimate features
• Utilize high-confidence Yara rules to identify recently deployed variants of wiper malware, such as Shamoon and Stonedrill
• Initiate or revisit employee awareness training to educate end users on recent social engineering techniques being employed by nation-state actors during the reconnaissance and delivery phases of the cyber kill chain
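The first tactical action above (alerting on proxy traffic to bare IP addresses, with dynamic DNS domains as a related watch item) can be prototyped as a simple log check. The following is an added example, not code from the bulletin or from Ankura; the proxy log format, the sample lines and the dynamic-DNS suffix list are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the bulletin): timestamp, client, method, target, status.
SAMPLE_PROXY_LOG = """\
2020-01-13T09:12:01Z 10.1.4.22 GET http://update.example-cdn.com/patch.bin 200
2020-01-13T09:12:07Z 10.1.4.22 GET http://203.0.113.45/stage2.exe 200
2020-01-13T09:13:40Z 10.1.7.9 CONNECT 198.51.100.7:443 200
2020-01-13T09:14:02Z 10.1.7.9 GET http://[2001:db8::1]:8080/payload 200
2020-01-13T09:15:11Z 10.1.2.5 GET https://intranet.corp.example/portal 200
2020-01-13T09:16:30Z 10.1.2.5 GET http://corp-updates.ddns.example/loader 200
"""

# Dynamic-DNS suffixes to watch. Assumed/illustrative only; a real deployment
# would load an organisation-maintained list.
DYNDNS_SUFFIXES = (".ddns.example", ".dyn.example")

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d+)$")


def target_host(method, target):
    """Return the destination host from an absolute URL or a CONNECT host:port target."""
    if method == "CONNECT":
        host, _, _ = target.rpartition(":")
        return (host or target).strip("[]")
    return urlsplit(target).hostname or ""  # hostname already strips IPv6 brackets


def is_ip_literal(host):
    """True when the host is an IPv4 or IPv6 address rather than a domain name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def classify(line):
    """Return (client, host, reason) for a suspicious line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = target_host(m["method"], m["target"])
    if is_ip_literal(host):
        return (m["client"], host, "ip-literal")
    if host.endswith(DYNDNS_SUFFIXES):
        return (m["client"], host, "dynamic-dns")
    return None


def find_suspicious(log_text):
    """Scan a whole log and collect every flagged request."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]
```

Hits should be correlated with the client and time window rather than alerted on singly: a burst of bare-IP downloads from one workstation is the pattern worth escalating.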


APPENDIX A – IRANIAN THREAT GROUPS TRACKED BY CTAPT

COMMON NAME      | ALIASES                        | MALWARE
-----------------|--------------------------------|---------------------------------------
MAGIC HOUND      | APT33                          | Stonedrill, Shamoon 2.0
CHARMING KITTEN  | APT35, Phosphorus              | TurnedUp, ShapeShift, MacDownloader
OILRIG           | APT34                          | ISMdoor, Helminth, Clayside
GREENBUG         | Possibly associated with APT34 | ISMdoor
CHAFER           | APT39                          | Remexi, Mimikatz, PsExec, RemCom
ROCKET KITTEN    | Saffron Rose                   | GHOLE, CWoolger, FireMalv, Puppy Rat
COBALT DICKENS   | Mabna Institute                | HTTrack

ABOUT US

Ankura is a business advisory and expert services firm defined by HOW we solve challenges. Whether a client is facing an immediate business challenge, trying to increase the value of their company or protect against future risks, Ankura designs, develops, and executes tailored solutions by assembling the right combination of expertise. We build on this experience with every case, client, and situation, collaborating to create innovative, customized solutions, and strategies designed for today’s ever-changing business environment. This gives our clients unparalleled insight and experience across a wide range of economic, governance, and regulatory challenges. At Ankura, we know that collaboration drives results.
