FireEye Response to Mounting U.S.-Iran Tensions: Preparing for Possible Iranian Cyber Attacks

FireEye Response to Ongoing U.S.-Iran Tensions

In response to the ongoing events surrounding a potential retaliatory cyber attack from Iran stemming from the recent death of Quds Force leader Qasem Soleimani by U.S. forces and the potential risk it presents to FireEye customers, FireEye has initiated a Community Protection Event (CPE). A CPE is a coordinated effort between FireEye Managed Defense, FireEye Mandiant incident responders, FireEye Threat Intelligence and FireEye product teams to ensure our customers are provided with the most recent information and actionable data, suggested detection and mitigation responses, and other information related to the potential escalating threat from Iran-nexus groups. This includes recent targeting activities from Iran-nexus threat actors, including APT33, APT34, APT35, TEMP.Zagros and other tracked clusters of activity.

Potential for Cyber Attacks

While the timing and targets of a retaliatory response are uncertain, we believe it could include a cyber component. We anticipate any activity could include cyber espionage intrusions as well as disruptive and destructive cyber attacks. Media outlets have already reported on multiple defacements to U.S. websites, though we cannot connect this activity to Iranian state actors.

Though the threat of military conflict appears to now be decreasing, Iran may still use its cyber capabilities in response to new economic sanctions. Cyber attack is an asymmetric tool that Iran uses primarily to impose economic costs, in a manner similar to other operations such as the mining of seaways. Destructive attacks on critical infrastructure, such as those preferred by Iranian actors, can have reverberating effects across the economy and society, and can cost billions of dollars.

Actors sponsored by the Iranian state have a history of destructive and disruptive attacks within the U.S., though they refocused their activity following the nuclear agreement on the Middle Eastern region. Within that region, several Iranian actors whom FireEye tracks have remained active and aggressive. Though many of these actors have matured and become increasingly capable, their consistent activity has allowed FireEye to develop significant intelligence on their motives, TTPs, and other aspects of their operations which are valuable advantages for defenders. We will discuss some of these insights during our upcoming webinar and more are available in the linked pieces.

Mitigations

At risk organizations should prioritize detection of the initial stages of intrusions and implement mitigations against previously observed techniques by Iranian groups:

• Password spraying
• VPN vulnerability
• RULER and exploiting CVE-2017-11774
• DNS hijacking
• Spear phishing
• Social engineering on social media platforms
• Lateral movement to operational technology (OT) DMZ

Verodin products can help companies automatically validate these mitigations in their environments.

We will discuss these techniques and mitigations during our upcoming webinar.

Keeping the Community Informed

As part of our efforts to keep the global security community informed, FireEye hosted a public webinar on Monday, Jan. 13, 2020. Watch today to learn more about the threat landscape in Iran, tactics used by Iranian threat actors, and mitigation strategies.

Additional Information

FireEye has been tracking Iranian threat operations since 2012. Learn more from our Iran-centric blog posts, webinars, and recent media highlights:

Reports

• Suspected Iranian Influence Operation: Leveraging Inauthentic News Sites and Social Media Aimed at U.S., U.K., Other Audiences

Blog Posts

• Sept. 20, 2017: Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware
• Dec. 07, 2017: New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit
• March 13, 2018: Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign
• Aug. 21, 2018: Suspected Iranian Influence Operation Leverages Network of Inauthentic News Sites & Social Media Targeting Audiences in U.S., UK, Latin America, Middle East
• Dec. 21, 2018: OVERRULED: Containing a Potentially Destructive Adversary
• Jan. 10, 2019: Global DNS Hijacking Campaign: DNS Record Manipulation at Scale
• Jan. 29, 2019: APT39: An Iranian Cyber Espionage Group Focused on Personal Information
• May 28, 2019: Network of Social Media Accounts Impersonates U.S. Political Candidates, Leverages U.S. and Israeli Media in Support of Iranian Interests
• July 18, 2019: Hard Pass: Declining APT34’s Invite to Join Their Professional Network
• Dec. 04, 2019: Breaking the Rules: A Tough Outlook for Home Page Attacks (CVE-2017-11774)

Advanced Persistent Threat Groups

• Who's who of cyber threat actors

Public Webinars

• APT33: New Insights into Iranian Cyber Espionage Group
• APT34 - New Targeted Attack in the Middle East

Recent Media Highlights

• Bloomberg (Jan. 6, 2020): U.S. Braces for Iran Cyber-Retaliation
• BBC The World Radio (Jan. 7, 2020): US companies, government brace from cyberattacks from Iran
• TechRadar (Jan. 8, 2020): Iran to retaliate for Suleimani’s killing with disruptive and destructive attacks
• CNN (Jan. 8, 2020): Iran's Cyber Threat to the US
• Fortune (Jan. 8, 2020): Missile Strike vs. Cyberattack: How Iran Retaliates

Learn more about how FireEye Threat Intelligence can help protect your organization.