Will this time be different? The threat of Iranian state-sponsored cyberattacks remains a pressing concern, particularly as the situation in the Middle East continues to unfold. A ceasefire does not necessarily mean that activity in cyberspace will stop: leaders do not necessarily control the holdouts, and deeply rooted historical grievances can yield substantial risk. It is time for organizations to discuss what is at stake, consider potential impacts, and elevate their state of readiness so they are prepared should these threats materialize.
The near-term risk from Iran revolves around its historical use of wiper malware and data encryption (ransomware) tactics to inflict damage on its targets. To achieve near-term goals, Iran is most likely to use one or both to deliver immediate destructive effects, both for propaganda value and for disruptive outcomes.
Relevant Threat Actors and Their Tactics
At this stage, it is helpful to focus on the Iranian cyber groups that specialize in destructive activities. One example is the Handala Hack Team, which positions itself as a hacktivist group backing pro-Iranian, pro-Palestinian, anti-Israeli, and anti-Western operations and providing general support for disruptive effects against its perceived enemies. The Handala Hack Team is part of the “Holy League,” a coalition of Middle East-based hacktivist cells that work in tandem to target Israeli and NATO-aligned entities. Handala utilizes a myriad of tactics, techniques, and procedures (TTPs); its initial intrusion methodology primarily hinges on phishing and smishing. Handala has been known to utilize various types of ransomware, such as MedusaLocker, LockBit, and Kairos. However, its custom wiper, Handala Wiper, is built to destroy file systems across the environment, including system files and registry information. The motivation for these tactics is to make it as difficult as possible to recover from a Handala attack.
Another threat to note is the Iranian state actors who survived the bombings and assassinations that occurred during the “12 Day War.” Iranian anti-American sentiment has been ingrained in the population since 1979, with “Death to America” becoming a popular rallying cry. Even if the Iranian government agrees to a formal ceasefire, participates in diplomacy, and ends the conflict, it is worth considering that holdouts may attempt to scuttle diplomatic efforts with both destructive kinetic and cyberspace attacks. Russia’s recent promise to support Iran’s regime could also manifest as assistance to Iranian state actors as they work to counter US and NATO interests going forward. For this reason, it is prudent for US companies to review their risk profile and confirm that defenses against typical Iranian TTPs are as fortified and thorough as they can be.
Actionable Cybersecurity Recommendations
Organizations should consider the following steps to safeguard their systems:
- Review recent penetration test results and cybersecurity audits to ensure any vulnerabilities that were identified are being addressed. For mitigations that have been identified but not actioned, consider prioritizing them, especially if they relate to Exchange and Fortinet.
- Review recent reporting on Iranian group tactics and ensure your security stack alerts on RDAT, SideTwist, and VALUEVAULT malware. Note that these groups use .NET tools, PowerShell scripts, and IIS-based malware, and that they are known to use custom DNS tunneling for exfiltration and command and control. Ensure that alerting tooling will fire on passive IIS backdoors and custom webshells, and on the tools and malware families associated with these groups, including Alma Communicator, BONDUPDATER, certutil, Clayslide, DistTrack, DNSExfiltrator, DNSpionage, Dustman, Fox Pane, GoogleDrive RAT, and Helminth.
- Due to wiper and encryption threats, consider increasing backup cadence for key resources.
- Conduct proactive threat hunting to look for known indicators: anonymous RDP sessions, unexpected MSI installers on devices, ScreenConnect installations, and the like.
- Remind system users that during times of heightened global tensions they should be on guard for exploitation attempts, including threat actors trying to get them to click on links, and be aware that threat actors call employees on the phone while masquerading as the IT help desk. Remind them of normal corporate and IT contact procedures and to report anything out of the ordinary.
- Confirm patching program hygiene.
- Audit and remove, where possible, contact data and email addresses on web pages, specifically for executives and other high-ranking personnel. If removing contact data is not feasible, seek specific training to defend executives. Threat actors have recently targeted senior executives for social engineering because of previous successes against senior-level employees perceived as “less savvy” and “less trained.”
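The DNS tunneling alerting item above, as an added defender-side example that is not part of the original article: a small Python detector that profiles resolver query logs per registrable domain and flags the pattern tunneling leaves (many unique, long, high-entropy subdomains under one domain, usually over record types that carry bulk data). The log lines and the domain c2-placeholder.example are constructed here, and the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log, one "<time> <client> <qtype> <qname>" per line.
# The c2-placeholder.example queries mimic data hex-encoded into hostname labels.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 A www.example.com
2024-06-01T10:00:02Z 10.0.0.5 TXT 4a6f686e20446f65206973206865.7265.c2-placeholder.example
2024-06-01T10:00:03Z 10.0.0.5 TXT 5061737377307264313233343536.3738.c2-placeholder.example
2024-06-01T10:00:04Z 10.0.0.5 TXT 6578616d706c652d646174612d31.3233.c2-placeholder.example
2024-06-01T10:00:05Z 10.0.0.5 A mail.example.com
2024-06-01T10:00:06Z 10.0.0.5 TXT 7365636f6e642d6368756e6b2d6f.6621.c2-placeholder.example
2024-06-01T10:00:07Z 10.0.0.5 TXT 74686972642d6368756e6b2d6f66.2d64.c2-placeholder.example
2024-06-01T10:00:08Z 10.0.0.5 A cdn.example.net
"""

def shannon_entropy(s):
    """Bits per character: encoded payloads score well above readable labels."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values()) if s else 0.0

def profile_domains(log_text):
    """Group queries by registrable domain (approximated as the last two labels) and
    accumulate per-domain signals: unique subdomains, their length and entropy, and
    how many queries used record types that carry bulk data (TXT, NULL)."""
    stats = defaultdict(lambda: {"subs": set(), "len": 0, "ent": 0.0, "bulk": 0, "n": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, _client, qtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        base, sub = ".".join(labels[-2:]), "".join(labels[:-2])
        d = stats[base]
        d["n"] += 1
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub)
        d["bulk"] += int(qtype in ("TXT", "NULL"))
    return stats

def find_tunneling(log_text, min_unique=4, min_avg_len=20, min_entropy=3.5):
    """Return (domain, unique_subs, avg_sub_len, avg_entropy, bulk_ratio) for each
    base domain whose query pattern matches the tunneling heuristics (assumed thresholds)."""
    hits = []
    for base, d in profile_domains(log_text).items():
        avg_len, avg_ent = d["len"] / d["n"], d["ent"] / d["n"]
        if (len(d["subs"]) >= min_unique and avg_len >= min_avg_len) or avg_ent >= min_entropy:
            hits.append((base, len(d["subs"]), avg_len, round(avg_ent, 2), d["bulk"] / d["n"]))
    return hits
```

On real resolver logs, baseline the per-domain averages first: CDNs and some security products legitimately produce long, high-entropy labels, so allowlist those before alerting.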
Conclusion
The threat of Iranian state-aligned cyberattacks is significant, especially if the current regime remains in power. The regime has clearly signaled defiance, and Russia has come online with non-specific offers of assistance. The veracity and impact of that response will depend on many factors. At a minimum, organizations should anticipate some form of destructive cyberspace-enabled attack, even if Iranian leadership signals agreement to a ceasefire or other diplomatic efforts.
The threats to the West are many decades old, and many who remain in Iran may still do all they can to cause harm. In response, US companies must ensure that basic cybersecurity hygiene is reviewed and that their security stack is tuned to identify Iranian TTPs, including the latest wiper and encryption families of malware.
Evan Kelly, a Consultant at StoneTurn, is a co-author of this article.
If you have any questions or would like to discuss this topic please reach out to Daron Hartvigsen or Martin Narciso.