Wiper Malware Attacks by Iranian Threat Actors on the Rise According to DHS

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has released a warning after a rise in cyberattacks by ‘Iranian regime actors.’

The warning from Christopher C. Krebs came as tensions are mounting between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels, and a U.S. surveillance drone was shot down as it flew over the Strait of Hormuz. Iran claims the drone was in its territory.

The U.S. reacted with a planned air strike, although it was called off by President Trump due to the likely loss of life. However, a strike did occur in cyberspace. The U.S. Cyber Command has reportedly initiated an attack on an Iranian spying group, the Islamic Revolutionary Guard Corps, that is thought to have been involved in the mine-laying operation. According to a recent report in the Washington Post, the cyberattacks disabled the command and control system that was used to fire missiles and rockets.

Iranian threat actors have also been very active. There have been rising numbers of cyberattacks on United States industries and government agencies.

While cyberattacks can come in many shapes, Iranian threat actors have increased attacks using wiper malware. In addition to illegally taking data and money, the threat actors use the malware to wipe systems clean and take down entire networks.

Iran is one of three countries rated by the United States as having very capable threat actors involved in economic espionage and theft of trade secrets and proprietary data. Iranian hackers are more than capable of carrying out devastating cyberattacks. Iranian hackers were behind the SamSam ransomware attacks on healthcare organizations in the United States.

Wiper malware can be used to devastating effect, as in the 2012 cyberattack on the Saudi Arabian oil firm Saudi Aramco, where the Shamoon wiper malware erased tens of thousands of computers. The financial damage caused by these wiper attacks is significant. In 2017, attacks using NotPetya wiper malware resulted in global financial losses of between $4 billion and $8 billion. The attack on the shipping firm Maersk led to financial losses of around $300 million. Wiper malware attacks are also common. According to a recent report by Carbon Black, 45% of healthcare CISOs have suffered a wiper malware attack in the past year.

The hackers may be highly capable, but they still use basic techniques and target common weaknesses to obtain access to networks. These include phishing and spear phishing, social engineering, password spraying, and credential stuffing.

All of these attack methods can be prevented with basic cybersecurity measures such as enforcing the use of strong passwords, changing all default passwords, rate limiting logins, applying the principle of least privilege when setting permissions, putting in place multi-factor authentication, shutting down unused ports, disabling RDP, prompt patching, adopting a robust backup strategy, and giving security awareness training to employees.
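As an added illustration of the login-monitoring side of the measures above (example code written for this article, not from CISA or the original report), the following script flags the password-spraying pattern in a constructed set of failed-login records: one source trying many different accounts a few times each, which rate limiting per account alone does not catch. The log format, thresholds and addresses are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of failed-login events (not from any real system).
# Format: ISO timestamp, username, source IP. The addresses are from
# documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24).
SAMPLE_LOG = """\
2019-06-24T10:00:01 alice 203.0.113.5
2019-06-24T10:00:03 bob 203.0.113.5
2019-06-24T10:00:05 carol 203.0.113.5
2019-06-24T10:00:07 dave 203.0.113.5
2019-06-24T10:00:09 erin 203.0.113.5
2019-06-24T10:00:11 frank 203.0.113.5
2019-06-24T10:01:00 alice 198.51.100.9
2019-06-24T10:01:02 alice 198.51.100.9
2019-06-24T10:01:04 alice 198.51.100.9
2019-06-24T10:30:00 bob 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")

def parse_failures(text):
    """Return a list of (timestamp, user, src_ip) tuples from the log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the expected shape
        ts, user, ip = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag source IPs that fail logins against >= min_users distinct accounts
    inside a sliding window. Many accounts with few tries each is the spray
    pattern; many tries against one account (198.51.100.9 above) is classic
    brute force and is left to per-account lockout or rate limiting."""
    by_ip = defaultdict(list)
    for ts, user, ip in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, items in by_ip.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            users = {u for t, u in items[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = len(users)  # distinct accounts hit in the window
                break
    return flagged
```

Running `detect_spray(parse_failures(SAMPLE_LOG))` flags only 203.0.113.5, with six distinct accounts in the window.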

Krebs released an alert that all U.S. industries, government agencies, and businesses should be alert to the danger of cyberattacks. He stated: “If you suspect an incident, take it seriously and act quickly.”