Iran Targets Western Companies with Cyber Attacks

Iran Cybersecurity Threat Update

In our March 1 blog on the unfolding Iran situation, we warned that the killing of the Supreme Leader of Iran, Ali Khamenei, and significant Iran Revolutionary Guard Corps (IRGC) leadership losses increased both the motivation and the likelihood of Iranian cyber retaliation. As military operations continue, we are now seeing this come to fruition:

  • Michigan-based medical device manufacturer Stryker confirmed on March 11 that it had experienced a global disruption to its systems resulting from a cyberattack. News reports indicated that the logo of Handala, a hacker collective linked to Iran’s Ministry of Intelligence and Security, was visible on company login sites. The company believes the incident is contained, but the full scope and impact remains unclear as Stryker works to restore critical IT systems. Handala has claimed to have executed a wiper-ware attack by compromising the company’s Microsoft environment, which erased data from more than 200,000 company systems.
  • While the Handala group has hacked other companies in the past, the group claimed that this specific attack was carried out in retaliation for the U.S. strike against the Minab school in Iran. They vow to continue attacks on “Zionist” corporations and leaders. Handala has also claimed to have leaked a senior Israeli Air Force official’s information. As of 12 March, Handala is also claiming to have compromised the networks of Verifone, a global provider of payment transaction and point-of-sale systems, though Verifone has denied these claims.
  • While not strictly cyber, separate news reporting indicated that the IRGC declared US-Israeli economic and banking interests in the region are legitimate targets, and also released a list of offices and infrastructure run by top U.S. companies whose technology has been used for military applications.
  • Intel471 reported a surge in activity by hacktivist groups aligned to Iran and Russia, including both distributed denial-of-service (DDoS) attacks and claims of cyber intrusions.
  • Separately, Symantec reported that activity associated with Iranian APT group Seedworm has been spotted on the networks of multiple unnamed U.S. companies. According to Symantec, a U.S. bank, airport, non-profit and the Israeli operations of a U.S. software company were among the targets.
  • Iran has also reportedly made hundreds of attempts to hack security cameras of government and financial institutions in Israel and Gulf countries. These attempts may have been an effort to assess the damage of Iranian missile strikes.

A recent report assesses that more than 60 Iranian APTs and hacktivist proxies can be expected to continue targeting U.S. and Israeli financial institutions, energy and water infrastructure, healthcare systems, defense contractors, transportation and logistics providers, telecom operators, and other targets of opportunity. Iran-affiliated actors have previously conducted DDoS campaigns, defaced websites, deployed wiper malware, launched hack-and-leak operations, and used cyber operations to collect intelligence.

Known intrusion vectors include phishing, exploitation of unmanaged or poorly secured Internet-facing devices, valid account abuse, and “watering hole” attacks that compromise vendor websites and thereby infect users visiting these sites. CIOs and CISOs should treat this as an active threat requiring immediate attention.

Consider these mitigations

  • Validate DDoS mitigation and website protection services.
  • Harden remote access technologies such as Virtual Network Computing (VNC), Remote Desktop Protocol (RDP), Secure Shell (SSH), and web management interfaces.
  • Use strong and unique passwords following NIST guidance; ensure weak or default passwords are eliminated from the enterprise.
  • Implement phishing-resistant multi-factor authentication (MFA) wherever possible; track and limit exceptions to the greatest extent possible.
  • Apply the manufacturer’s latest software patches for internet-facing systems to ensure protection against exploitation of known vulnerabilities. Monitor cyber threat intelligence sources including CISA’s Known Exploited Vulnerabilities (KEV) Catalog to help prioritize patching.
  • Ensure deployment of Endpoint Detection & Response technologies wherever possible.
  • Monitor user access logs for remote access to OT networks and for any firmware or configuration changes.
  • Ensure business continuity (BC), disaster recovery (DR), and incident response (IR) plans are in place, including implementing full system and data backups to facilitate any recovery efforts. Validate BC/DR and IR Plans through tabletop exercises and live recovery testing.
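The patching item above recommends using CISA’s Known Exploited Vulnerabilities (KEV) Catalog to prioritize remediation. The following script is an added example, not part of the original post or any Chertoff Group tooling, showing how a vulnerability backlog from an internal scanner can be ranked against the KEV feed so that KEV-listed, Internet-facing, and overdue findings rise to the top. The feed structure (the `vulnerabilities` array with `cveID`, `dueDate`, and `knownRansomwareCampaignUse` fields) matches CISA’s published JSON feed; the CVE identifiers, asset names, and dates in the sample data are constructed placeholders, and the scoring weights are an assumption chosen for illustration.

```python
"""Rank an internal vulnerability backlog against the CISA KEV catalog.

Added example. The embedded feed mirrors the structure of
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
but every CVE identifier below is a constructed placeholder, not a real entry.
"""
import json
from datetime import date

# Constructed sample of the KEV feed (field names follow CISA's schema).
KEV_FEED_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-10001", "vendorProject": "ExampleVPN", "product": "Gateway",
         "dateAdded": "2026-03-02", "dueDate": "2026-03-23",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-10002", "vendorProject": "ExampleCo", "product": "WebAdmin",
         "dateAdded": "2026-02-10", "dueDate": "2026-03-03",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed internal scanner export: one finding per asset/CVE pair.
SCAN_FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-0000-10001", "internet_facing": True},
    {"asset": "intranet-wiki", "cve": "CVE-0000-10002", "internet_facing": False},
    {"asset": "build-server", "cve": "CVE-0000-20003", "internet_facing": False},
]

# Assumed scoring weights (illustrative, not a CISA or vendor standard).
WEIGHT_IN_KEV = 100        # the vulnerability is known to be exploited in the wild
WEIGHT_PAST_DUE = 50       # CISA's remediation due date has passed
WEIGHT_RANSOMWARE = 25     # CISA marks it as used in ransomware campaigns
WEIGHT_INTERNET_FACING = 30  # the affected asset is reachable from the Internet


def load_kev(feed_json):
    """Parse the KEV feed into a dict keyed by CVE ID for O(1) lookups."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Return findings sorted highest-risk first, each annotated with its reasons."""
    ranked = []
    for finding in findings:
        score = 0
        reasons = []
        entry = kev.get(finding["cve"])
        if entry is not None:
            score += WEIGHT_IN_KEV
            reasons.append("listed in CISA KEV")
            due = date.fromisoformat(entry["dueDate"])
            if due <= today:
                score += WEIGHT_PAST_DUE
                reasons.append(f"past KEV due date {due.isoformat()}")
            if entry.get("knownRansomwareCampaignUse") == "Known":
                score += WEIGHT_RANSOMWARE
                reasons.append("used in ransomware campaigns")
        if finding["internet_facing"]:
            score += WEIGHT_INTERNET_FACING
            reasons.append("internet-facing asset")
        ranked.append({**finding, "score": score, "reasons": reasons})
    # Stable sort keeps scanner order for ties.
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


def prioritized_assets(today=date(2026, 3, 12)):
    """Convenience wrapper returning asset names in priority order."""
    kev = load_kev(KEV_FEED_SAMPLE)
    return [r["asset"] for r in prioritize(SCAN_FINDINGS, kev, today)]


if __name__ == "__main__":
    kev_catalog = load_kev(KEV_FEED_SAMPLE)
    for row in prioritize(SCAN_FINDINGS, kev_catalog, date(2026, 3, 12)):
        print(f"{row['score']:4d}  {row['asset']:<15} {row['cve']}  "
              f"{'; '.join(row['reasons']) or 'not in KEV'}")
```

In practice the feed would be fetched on a schedule rather than embedded, and the scanner export would come from the organization’s own tooling; the point is that KEV membership, the CISA due date, and Internet exposure are the signals that move an item to the front of the patch queue.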

The Chertoff Group helps organizations anticipate and respond to complex cybersecurity threats. Learn how our cybersecurity team can help you assess risk, protect critical assets and build resilience.

Our goal is to provide a solution tailored to your needs. Contact us today for a consultation. 
