
Cyber Risks from 'Low-Skill' Actors: The Iranian Threat to Critical Infrastructure Bodies

Potential DIB entities face the looming question of when, not if, they will be subjected to attacks.

"Iran's Cyber Threat to the Defense Industrial Base: Contrary to presumptions, lesser technical abilities don't equate to reduced danger"


Iran-affiliated cyber actors have been increasingly targeting U.S. defense networks, employing various tactics to disrupt operations and gather intelligence. These actors use sophisticated methods, such as phishing and AI-powered phishing campaigns, ransomware and wiper malware, Distributed Denial-of-Service (DDoS) attacks, and Living-Off-The-Land (LOTL) techniques, and they target critical infrastructure sectors like energy, healthcare, finance, transportation, and defense-related entities.

To mitigate these threats, DIB organizations can implement several defensive strategies. Prompt patching and updates for all internet-facing systems, including VPNs and other perimeter tools, are essential to prevent exploitation of known vulnerabilities. Implementing phishing-resistant multifactor authentication (MFA) offers additional protection against phishing attempts. Enhanced network segmentation, isolating OT and ICS systems from the public internet, can limit potential damage from cyberattacks. Regular employee awareness and training sessions help employees identify phishing attempts and understand legitimate IT processes for installing patches or updates. Comprehensive endpoint protection platforms can detect and block malware effectively. Human risk management programs, focusing on managing human-related risks, are also crucial.

In addition to these defensive strategies, proactive measures are necessary. Regularly monitoring network activity for anomalous behaviour can help identify potential breaches early. Collaboration with U.S. cybersecurity agencies can provide valuable guidance and updates on emerging threats. Conducting thorough security audits helps identify vulnerabilities before they can be exploited.

Social engineering plays a prominent role in Iranian cyber attacks, with groups like Peach Sandstorm impersonating recruiters for defense and aerospace firms. Iranian groups are known for aggressive credential harvesting campaigns, often targeting administrators, contractors, or external partners. The cyber threat landscape is not defined by sophistication alone; it is defined by impact, and Iranian actors have proven time and again that even so-called low-skill threats can deliver high-consequence outcomes.

Iran-affiliated cyber actors pose a persistent threat to the U.S. defense industrial base (DIB). Pro-Iranian hacktivists such as YareGomnam, Cyber Toufan, and Haghjoyan also pose threats. DIB organizations should focus on both perimeter hardening and internal resilience. Implementing geo-fencing or rate-limiting to block or throttle connections from known risky IP ranges can help mitigate threats. Supply chain compromise is another preferred tactic, with Iranian operators targeting third-party vendors as entry points into better-defended networks.

DDoS attacks by Iranian actors can knock key systems offline, causing downtime and cascading disruptions. Patching all internet-facing services aggressively, especially virtual private networks, remote monitoring and management tools, and firewalls, can help prevent successful DDoS attacks. Equipping the security operations center to detect brute-force attacks and requiring multi-factor authentication across the organization can further strengthen defenses. Mandatory security awareness and insider threat training must be enforced not just internally but across the subcontractor network.
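The brute-force detection the paragraph above asks the security operations center to provide can be prototyped directly over authentication logs. The script below is an added example, not code from the article or from any vendor or agency it mentions. It assumes syslog-style sshd records (the sample lines are constructed), keeps a five-minute sliding window of failures per source IP, and raises three kinds of finding: a burst of failures against one or more accounts (brute force), one source trying many distinct accounts (the password-spraying form of the credential harvesting described earlier), and a successful login that follows a burst of failures, which is the case worth paging on.

```python
"""Brute-force and password-spray detection over authentication log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not taken from the article).
# 203.0.113.7 hammers one account and then gets in, 198.51.100.23 tries
# one password against many accounts (a spray), and 192.0.2.5 is a real
# user who mistyped a password once and retried a quarter of an hour later.
SAMPLE_LOGS = """\
2024-06-01T10:00:01Z vpn-gw sshd[1101]: Failed password for admin from 203.0.113.7 port 50111 ssh2
2024-06-01T10:00:03Z vpn-gw sshd[1102]: Failed password for admin from 203.0.113.7 port 50112 ssh2
2024-06-01T10:00:05Z vpn-gw sshd[1103]: Failed password for admin from 203.0.113.7 port 50113 ssh2
2024-06-01T10:00:07Z vpn-gw sshd[1104]: Failed password for admin from 203.0.113.7 port 50114 ssh2
2024-06-01T10:00:09Z vpn-gw sshd[1105]: Failed password for admin from 203.0.113.7 port 50115 ssh2
2024-06-01T10:00:11Z vpn-gw sshd[1106]: Failed password for admin from 203.0.113.7 port 50116 ssh2
2024-06-01T10:00:40Z vpn-gw sshd[1107]: Accepted password for admin from 203.0.113.7 port 50117 ssh2
2024-06-01T10:01:00Z vpn-gw sshd[1108]: Failed password for alice from 198.51.100.23 port 40001 ssh2
2024-06-01T10:01:30Z vpn-gw sshd[1109]: Failed password for bob from 198.51.100.23 port 40002 ssh2
2024-06-01T10:02:00Z vpn-gw sshd[1110]: Failed password for carol from 198.51.100.23 port 40003 ssh2
2024-06-01T10:02:30Z vpn-gw sshd[1111]: Failed password for invalid user dave from 198.51.100.23 port 40004 ssh2
2024-06-01T10:05:00Z vpn-gw sshd[1112]: Failed password for alice from 192.0.2.5 port 33001 ssh2
2024-06-01T10:20:00Z vpn-gw sshd[1113]: Accepted password for alice from 192.0.2.5 port 33002 ssh2
2024-06-01T10:21:00Z vpn-gw systemd[1]: Started Session 7 of user alice.
"""

# Only the sshd password-auth lines are parsed; anything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

WINDOW = timedelta(minutes=5)   # sliding window per source IP (assumed tuning value)
FAIL_THRESHOLD = 5              # failures in WINDOW from one IP -> brute force
SPRAY_THRESHOLD = 3             # distinct accounts in WINDOW from one IP -> password spray


def parse_line(line):
    """Return (timestamp, result, user, ip) or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def analyze(lines):
    """Walk the events in time order and emit one finding per (kind, source IP)."""
    events = sorted(filter(None, (parse_line(l) for l in lines)), key=lambda e: e[0])
    recent_failures = defaultdict(list)   # ip -> [(ts, user), ...] still inside WINDOW
    alerted = set()
    findings = []

    def alert(kind, ip, detail):
        if (kind, ip) not in alerted:          # one finding per kind and source
            alerted.add((kind, ip))
            findings.append({"kind": kind, "ip": ip, "detail": detail})

    for ts, result, user, ip in events:
        # Drop failures that have aged out of the sliding window.
        window = [(t, u) for t, u in recent_failures[ip] if ts - t <= WINDOW]
        recent_failures[ip] = window
        if result == "Failed":
            window.append((ts, user))
            users = {u for _, u in window}
            if len(window) >= FAIL_THRESHOLD:
                alert("brute-force", ip,
                      f"{len(window)} failures within {WINDOW} ending {ts:%H:%M:%S}")
            if len(users) >= SPRAY_THRESHOLD:
                alert("password-spray", ip,
                      f"{len(users)} distinct accounts tried: {sorted(users)}")
        elif window:
            # A success right after a burst of failures from the same source
            # is a likely compromised credential, not a noisy neighbour.
            alert("success-after-failures", ip,
                  f"login as {user} at {ts:%H:%M:%S} after {len(window)} failures")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS.splitlines()):
        print(f"[{f['kind']}] {f['ip']}: {f['detail']}")
```

Run against the sample lines it reports a brute-force finding and a success-after-failures finding for 203.0.113.7 and a password-spray finding for 198.51.100.23, while the legitimate retry from 192.0.2.5 stays quiet because its single failure has aged out of the window. The same per-source window logic is what a rate-limiting rule at the VPN or perimeter enforces in real time; the thresholds are assumptions and should be tuned against a site's own baseline.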

Groups like Mercury, Holmium, Peach Sandstorm, CyberAv3ngers, and Soldiers of Solomon have targeted U.S. defense interests. Network segmentation is critical: limiting lateral movement, monitoring for abnormal PowerShell or Windows Management Instrumentation (WMI) usage, and restricting the use of legacy login protocols can help prevent successful attacks. Deploying web application firewalls and ensuring protection against Layer 7 DDoS attacks can further enhance defenses.

By implementing these measures, DIB organizations can strengthen their defenses against Iranian-affiliated cyber threats. It is crucial to maintain secure, tested backups and clear recovery time objectives, as the most dangerous tactic remains the use of wiper malware, such as ZeroCleare and Dustman, which can destroy systems and data.

  1. To bolster defenses against sophisticated cyberattacks like those from Iranian groups, DIB organizations should consider remote work security by implementing strong encryption for VPNs and promoting the use of phishing-resistant multifactor authentication for employees working remotely.
  2. In the context of cybersecurity, the increase in remote work demands attention to technology-related factors, such as maintaining up-to-date endpoint protection platforms that can effectively detect and block malware – a critical aspect in fending off Iranian-affiliated cyber threats.
