Ankura Cyber Threat Intelligence Bulletin

Ankura Cyber Threat Intelligence Bulletin

ANKURA CYBER THREAT INTELLIGENCE BULLETIN IRANIAN RETALIATORY OPTIONS & TACTICS, TECHNIQUES AND PROCEDURES (TTP) JANUARY 13, 2020 TABLE OF CONTENTS EXECUTIVE SUMMARY ................................................................................. 3 BACKGROUND .............................................................................................. 3 SUGGESTED RESPONSE ................................................................................ 5 SUGGESTED TACTICAL ACTIONS ................................................................... 5 APPENDIX A – IRANIAN THREAT GROUPS TRACKED BY CTAPT ..................... 6 Page 2 | 6 EXECUTIVE SUMMARY As a result of escalations in tensions in the Middle East, including the killing of Iran’s Quds Force leader and the recent cruise missile strike against Iraqi and US forces, Ankura’s Cyber Threat Analysis and Pursuit Team (CTAPT) assesses the likelihood of Iranian retaliatory actions in cyberspace as high. Iran’s history of carrying out destructive and disruptive cyber-attacks against the United States and its allies should serve as a forewarning to entities in the financial, critical infrastructure, and defense related industries. Furthermore, based upon reports that Iran-linked threat actors have begun targeting President Trump’s re-election efforts, CTAPT assesses that entities and individuals associated with President Trump’s 2020 campaign or the Republican party have a high likelihood of being targeted by sophisticated cyber espionage campaigns in the run-up to the November election. Ankura has assembled an overview of the threat and suggested response actions to consider as a result. BACKGROUND In response to the recent escalations in tensions between the United States and Iran, the Department of Homeland Security released a National Terrorism Advisory System Bulletin on January 4, 2020. Included in this bulletin was a warning that “Iran maintains a robust cyber program and can execute cyber-attacks against the United States. Iran is capable at a minimum of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.1” This assessment coupled with Iran’s recent promise of retaliation for the killing of Maj. Gen. Qassem Soleimani warrants renewed attention to Iran’s capabilities. Based upon Iran’s history of carrying out destructive and disruptive cyber-attacks against the United States, its allies and interests abroad, Ankura assesses with high confidence that retaliatory campaigns against strategic political, financial, critical infrastructure, and defense related targets are likely imminent. In addition to organized state-sponsored strategic attacks, attack groups sympathetic to but not formally affiliated with Iran may also launch destructive campaigns against American interests and those of its allies. It was originally perceived that Iran would fall back on its cyber capabilities in order to avoid large scale military confrontations with its neighbors in the Middle East and the United States, but the recent cruise missile strike against US and Iraqi forces has proven otherwise. However, further retaliation in the form of overt and destructive cyber strikes should not be ruled out. A prime example of Iran’s willingness and ability to launch a destructive attack against its adversaries occurred in August 2012 when the Shamoon (W32.DistTrack) virus was utilized to overwrite the master boot records of close to 30,000 workstations belonging to Saudi Aramco, rendering them useless2. The Shamoon attack was widely interpreted as an Iranian retaliation for Operation Olympic Games, believed to be a joint US/Israeli cyber attack which temporarily halted Iran’s nuclear weapons program3. A month later, Iranian actors carried out another successful campaign Operation Ababil, which successfully targeted economic targets across the United States, including Bank of America, JP Morgan Chase, Wells Fargo, and PNC Financial, by flooding servers with junk traffic, preventing users from accessing online banking. This attack, believed to have been carried out in response to 1 https://www.dhs.gov/sites/default/files/ntas/alerts/20_0104_ntas_bulletin.pdf 2 https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html 3 https://archive.nytimes.com/www.nytimes.com/interactive/2012/06/01/world/middleeast/how-a-secret-cyberwar-program-worked.html Page 3 | 6 U.S. imposed economic sanctions, eventually resulted in seven (7) Islamic Revolutionary Guard Corps being indicted by the US Department of Justice in 2016 for their involvement4. Ankura CTAPT also believes that sustained and sophisticated cyber espionage campaigns against political targets are very likely over the next several months. On October 4, 2019, Microsoft released a blog report revealing that Iranian nation-state actors began targeting President Trump’s re-election campaign. Over a 30-day period, Microsoft observed more than 2,700 attempts to identify and then compromise email accounts belonging to individuals associated with Trump’s 2020 bid, current and former US government officials, journalists covering global politics, and prominent Iranians living outside of Iran5. It is very possible that individuals and entities working on behalf of, or supporting, the Republican party could become a target of more aggressive espionage campaigns with the intended goal of dismantling the President’s re-election campaign. Based on Iran’s past activities and current strategic priorities, Ankura assesses that the industry sectors most at risk of being targeted by a sophisticated, state-sponsored Iranian attack include the following: • Energy/oil & gas • Defense industrial base • Public utilities • Public agencies • Financial services institutions • Federal agencies • Department of Defense • Political Ankura’s Cybersecurity experts and focused CTAPT capability currently maintain operations to collect reactive and proactive intelligence pertaining to several state-sponsored Iranian threat groups whose mission is to conduct cyber exploitation activity against targets in the private sector (Appendix A). This intelligence is made available to our incident response teams as well as directly to our clients as needed. CTAPT also tracks dozens of other non-Iranian threat groups and actors who could be leveraged as Iranian proxies or even potentially exploit current tensions to launch false flag operations against US interests across the globe. Additionally, the likelihood that other less sophisticated groups sponsored by and/or sympathetic to Iran may also launch independent attacks against American interests and allies suggests that organizations outside the key strategic industries listed above should also make efforts to assess and mitigate the risk of exploitation. Organizations and brands strongly identified with the United States should take extra precautions. Ankura tracks cyber threat actor groups known to be sympathetic to Iranian interests and is assisting clients in a wide range of industry sectors to evaluate their ability to prevent, detect and respond to the tactics and techniques known to be used by these adversaries. Enhancing defensibility against these less-sophisticated attackers is in large part a matter of assessing the effectiveness of existing controls and enhancing the maturity of an organization’s overall security posture and 4 https://www.forbes.com/sites/thomasbrewster/2016/03/24/iran-hackers-charged-bank-ddos-attacks-banks/#1312c8272551 5 https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/ Page 4 | 6 readiness to respond. Ankura will continue to offer this assistance around the clock to clients during this period of heightened risk. As tensions escalate and alerting increases, it must be understood that Iranian cyber programs are constantly operating and enumerating future victims. Leveraging refined intelligence to bolster cyber hygiene and prevent future exploitation should be a constant priority for any entity. With the wealth of disparate threat intelligence available today, the challenge for many organizations is translating intelligence into action. To assist its clients in this effort, Ankura experts have analyzed available intelligence and created a list of specific mitigation activities to combat a potential Iranian threat activity in the next section. SUGGESTED RESPONSE To effectively defend against a future cyber campaign similar to those mentioned in this report, Ankura recommends, and can assist with, taking the following actions: • Evaluate your organization’s risk profile as a target of Iranian state-sponsored groups through risk and threat assessments • Re-prioritize threat hunting activities and detection efforts on tactics and techniques known to be used by Iranian- affiliated groups • Revisit security control, resiliency, and recovery operations including incident response, vulnerability management, threat management, access control, and cyber intelligence feeds. • Update and re-validate Incident Response Checklists/Procedures SUGGESTED TACTICAL ACTIONS • Dynamic DNS domains are frequently used to evade IP-oriented blocking. Furthermore, threat groups such as APT33 leverage HTTP or HTTPS communications directly with an IP address to download additional payloads. It is recommended that clients create and monitor alerts to detect proxy communications to IP addresses lacking domain names • Enable the blocking of macro execution for Microsoft Office documents to prevent

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    6 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us