State and Local Governments Face Iranian Hacking Threats

U.S. state and local governments and critical infrastructure operators are on high alert for cyberattacks following recent events in Iraq and Iran.

January 11, 2020

On the first Monday of 2020, CNBC reported that “city governments, agencies and companies from coast to coast are on high alert for ramped up cyber activity possibly emanating from Iran. …”

And that was just the start of a week full of dramatic announcements related to international relations and cyberthreats emanating from all over the Middle East, and specifically Iran, against U.S. public- and private-sector targets.

Here’s a quick roundup of the fast-moving global hacking situation, which threatens to impact state and local governments and U.S. critical infrastructure:

CNN Business: Hacking attempts originating in Iran nearly triple following Soleimani strike, researchers say — Excerpt: “Soon after the strike that killed Soleimani, Iran-based attempts to hack federal, state and local government websites jumped 50% — and then continued to accelerate, said network security company Cloudflare.

Over the course of 48 hours, attacks traced to Iranian IP addresses nearly tripled against targets around the world, Cloudflare said, peaking at half a billion attempts per day. …

Texas officials said Tuesday that the state's computer systems were being scanned as often as 10,000 times per minute. "We absolutely saw an increase in activity that needed to be blocked from Iran," said Amanda Crawford, executive director of the Texas Department of Information Resources, in an interview with CNN.

Separately, websites belonging to the Texas Department of Agriculture and an Alabama veterans' group were defaced this week with an image of Soleimani. The image was accompanied by a message: "Hacked by Iranian hacker. …"

ZDNet: These hacking groups are eyeing power grids, says security company — Excerpt: “At least three hacking groups have the capability to interfere with or disrupt power grids across the US — and the number of cyber-criminal operations targeting electricity and other utilities is on the rise, according to a new report on the state of industrial control systems.

Cyber security company Dragos said that political and military tensions in the Gulf appear to coincide with a rise in interest in hacking groups targeting electricity grids, power companies and other systems related to utilities in the US.”

Wired: Iranian Hackers Have Been ‘Password-Spraying’ the US Grid — Excerpt: “In the wake of the US assassination of Iranian general Qasem Soleimani and the retaliatory missile strike that followed, Iran-watchers have warned that the country could deploy cyberattacks as well, perhaps even targeting US critical infrastructure like the electric grid. A new report lends some fresh details to the nature of that threat: By all appearances, Iranian hackers don't currently have the capability to start causing blackouts in the US. But they’ve been working to gain access to American electric utilities, long before tensions between the two countries came to a head.”

TheVerge: Teen hackers are defacing unsuspecting US websites with pro-Iran messages — Excerpt: “Phil Openshaw, a retired California dentist, hadn’t checked his website in months. So he was unaware that it no longer displayed details for his annual mission trip that provides free dental services in Uganda. Instead, it displayed a photo of recently assassinated Iranian Gen. Qassem Soleimani with the message ‘Down with America.’”

Forbes (UK spelling): Iran’s ‘Critical’ Cyberattack Threat: This Is What Is Really Happening Right Now — Excerpt: “A week on from the U.S. killing of Iran’s Qassem Suleimani on January 3, media warnings around the cyber threat now facing the U.S. and its allies show no signs of diminishing. On January 8, the New York Times warned that even as “Iran’s military response may be ‘concluded,’ [the] cyberwarfare threat grows,” and, a day later, the Wall Street Journal that the “threat of cyberattack by Iran [is] still critical.”

In the week since Suleimani, there have been around 35 organisations attacked by cyber offensives “specifically traced” to Iran’s state-sponsored hacking groups. Around 17% of those targets were in the U.S., a further 7% were in Israel. …

Beyond the noisy nuisance attacks—website defacements and denials of service, there are two genuine concerns. First, that a state-sponsored attack might be mounted against critical infrastructure targets—energy, transportation, finance. And, second, that a raft of commercial organisations in the U.S. and elsewhere will see concerted attacks on data and systems, to steal or destroy. But, one week on, it seems eerily quiet. Is this the calm before the storm or has the danger passed, with the same downgraded response as in the physical realm as Iran holds fire for fear of reprisals?”

WPDE.com: How local governments are preparing in the case of an Iranian cyber attack — Excerpt: “On Tuesday evening, South Carolina Governor Henry McMaster tweeted that he was directing state government IT leaders to "redouble efforts to aggressively search out, identify and repel any potential cyber attacks or malicious technological intrusions into our state agencies."

This came after Texas Gov. Greg Abbott claimed that Iran had attempted to attack state firewalls up to 10,000 times per minute over the span of just 48 hours.

How likely is it that Iran would attempt a cyberattack on the Grand Strand or Pee Dee?

Jeff Leveille, the IT Manager for the City of Conway, said in the digital age, anyone is a potential target. …”

Iranian Tensions Rise Further After Tragic Mistake Shooting Down Commercial Plane

On Saturday morning, and after three days of denials, the Iranian government admitted that it unintentionally shot down Ukraine International Airlines flight PS752, killing all 176 people on board.

According to the BBC (UK Spelling): “An investigation found that ‘missiles fired due to human error,’ President Hassan Rouhani said. He described the crash as an ‘unforgivable mistake.’

The military said the jet turned towards a sensitive site belonging to Iran's Revolutionary Guards and was then mistaken for a cruise missile. …

Iran initially denied reports that one of its missiles had brought down the Ukrainian plane near the capital, Tehran. But pressure quickly mounted after Western intelligence officials said evidence pointed to Iranian involvement. …

The military apologised for downing the plane, saying it would upgrade its systems to prevent such "mistakes" in the future. It added that those responsible would be held accountable and prosecuted. …

Foreign Minister Javad Zarif apologised to the families of the victims but laid part of the blame on the US. ‘Human error at a time of crisis caused by US adventurism led to [this] disaster,’ he said. …”

Most experts believe that a halt (at least temporarily) to physical attacks between the U.S. and Iran may actually make cyberattacks more likely. Many consider hacking and the types of cyberattacks listed above, including ransomware, to be less consequential and more difficult to attribute. Also, third-party proxy groups working with Iranian military forces or others in the region may take action in the form of cyberattacks.

(That is, the downing of a plane with missiles and other military attacks can be verified in multiple ways, while various cyberattacks are considered to be more complex and more difficult to prove to the media, global governments and the public.)

Indeed, the NY Times and other media outlets articulate why they fear cyberwarfare threats against the U.S. will grow further with Iran.

“Cybersecurity experts and government officials are already monitoring an uptick of malicious activity by pro-Iranian hackers and social media users that they believe are harbingers of more serious computer attacks from Tehran, including possible efforts aimed at destroying government databases.

‘Iran has the capability and the tendency to launch destructive attacks,’ said Christopher C. Krebs, the director of the Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security’s computer security arm. ‘You need to get in the head space that the next breach could be your last. …’

The public should be prepared for worse, Krebs said in an interview. Iran has the ability to not only access private-sector and government computers in the United States, but to ‘burn down the system,’ he said.”

Government Actions Required

The Multi-State Information Sharing & Analysis Center (MS-ISAC) raised its cyber threat alert level to blue (guarded) on Tuesday.

“MS-ISAC evaluated the current situation and took the action after the U.S. Department of Homeland Security released a National Terrorism Advisory System Bulletin on Monday detailing Iran's cyber program and how the country can execute effective cyberattacks against the United States. …

The MS-ISAC encourages all United States state, local, tribal, and territorial government entities to share any relevant threat information with the MS-ISAC SOC,” the organization said. “Organizations and users are advised to update and apply all appropriate vendor security patches to external vulnerable systems and to continue to update their antivirus signatures daily. Another line of defense includes user awareness training regarding the threats posed by attachments and hypertext links contained in emails especially from untrusted sources.”

Also, the cybersecurity community from energy to healthcare should prepare for a virtual strike from Iran by taking several technical actions “that will likely have the highest return on investment,” the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said in a Monday alert.

CISA encourages reporting any suspicious activity, including cybersecurity incidents, possible malicious code, software vulnerabilities, and phishing-related scams, at http://www.us-cert.gov/.

Final Thoughts

This is not the first time this topic of Iranian hackers has come up in this blog, and I am sure it will not be the last.

Back in 2012, Iranian hackers were blamed for massive new cyberattacks.

Last October, this headline from the Financial Times received plenty of attention: Russian cyberattack unit ‘masqueraded’ as Iranian hackers, UK says.

I also really like this CNBC analysis, which says Ex-CIA officer sees Iran doing ‘hit-and-run’ cyberattacks — ‘They don’t want us to retaliate’ Quote:

“A former CIA officer told CNBC on Thursday that it’s likely Iran will carry out small-scale cyberattacks to avoid U.S. retaliation.

‘They perfectly understand that the U.S. is very powerful and isn’t going to tolerate a catastrophic attack,’ said Carol Rollie Flynn, former executive director of the CIA Counterterrorism Center.”

My view: We all need to be ready with improved cyberdefenses. The world is getting smaller all the time, and the line between military and civilian targets is shrinking — especially in cyberspace.
