FBI: Iran to Launch New Cyber Attacks

Iranian hackers poised for wide-ranging strikes in retaliation for U.S. leaving nuclear deal

Iran cybercafe
Getty Images
May 24, 2018

The FBI is warning that Iranian hackers could conduct new cyber attacks on American businesses and government networks in response to the Trump administration's withdrawal from the Iran nuclear deal.

"The FBI assesses foreign cyber actors operating in the Islamic Republic of Iran could potentially use a range of computer network operations—from scanning networks for potential vulnerabilities to data deletion attacks—against U.S.-based networks in response to the U.S. government’s withdrawal from the Joint Comprehensive Plan of Action (JCPOA)," the FBI said in a cyber alert to U.S. businesses.

Previous Iranian cyber attacks were carried out against targets in the United States in retaliation for "perceived slights against the regime," the May 22 notice states.

The FBI warned that Iranian hackers may view the U.S. withdrawal from the Iran deal as justification for stepped up cyber attacks.

The warning noted that between December 2011 and August 2013 two organizations linked to the Iranian government carried out large-scale distributed denial of service, or DDOS, attacks on U.S. financial institutions' websites in retaliation for U.S. sanctions that squeezed the Iranian economic.

Then in 2014, Iranian hackers broke into networks of the Sands Casino in Las Vegas and destroyed computers in retaliation for anti-Iranian government comments made by the casino's owner Sheldon Adelson.

"From 2016 to 2017, malicious Iranian cyber actors conducted coordinated and broadly targeted intrusion campaigns against U.S. companies, academic institutions, and government entities," the FBI said. "The FBI encourages U.S. companies to report suspicious network activities to local FBI offices or FBI CyWatch."

The FBI report included a chart listing specific methods used by Iranian hackers in conducting cyber attacks on the computer networks of academic institutions, commercial businesses, financial institutions, and the government.

For its cyber activities against academic institutions, the Iranians have used spear-phishing—the use of fraudulent emails to gain access to networks—as well as "password spray" attacks. Both methods allow hackers to gain access to networks without triggering alarms.

A password spray is a method of breaking into computers using a username and the use of a few passwords that seeks to avoid the lock out feature now used by most login software.

The Iranians gained confidential information and proprietary data from the schools and universities.

In the commercial sector, spear-phishing was the main method and "gave actors the access to wipe hard drives," the FBI said.

During financial sector hacks, DDOS attacks blocked customers from accessing financial websites and disrupted businesses.

Government cyber attacks included the use of spear-phishing and password spray hacks to obtain confidential information.

Iranian cyber attacks have increased in sophistication in recent years, beginning with web defacements of banks and progressing through data theft and wiping hard drives, like the Sands Casino attack.

Recently, Iranian cyber attacks also have focused on efforts to disrupt U.S. critical infrastructure.

In March 2016, a federal grand jury indicted seven Iranians on charges of conducting cyber attacks against the United States. The indictment identified two Iran government-linked hacker groups behind a series of cyber attacks, the ITSec Team and the Mersad Company.

The two entities were blamed for an Iranian cyber attack on the control network used by the Bowman Dam near Rye, N.Y. The attack failed because the dam's network had been taken down for maintenance.

A top-secret National Security Agency document from 2013 said "Iran continues to conduct distributed denial of service attacks against numerous U.S. financial institutions."

"[Signals intelligence] indicates these attacks are in retaliation to Western activities against Iran's nuclear sector and that senior officials of the Iranian government are aware of these attacks," says the report, made public by renegade NSA contractor Edward Snowden.

"NSA expects say Iran will continue this series of attacks, which it views as successful, while striving for increased effectiveness by adapting its tactics and techniquest to circumvent victim mitigation attempts."

The report also said Iran was behind the cyber attack on the Saudi national oil company Aramco in August 2012 that destroyed tens of thousands of computers.

NSA warned that a similar Iranian attack on the United States could not be ruled out.

The FBI recommended educating personnel on hackers' methods and tools and avoiding clicks on malicious links.

Network administrators were urged to create a dedicated information technology email account to report suspicious emails.

A report by the State Department-led Overseas Security Advisory Council warned that Iranian cyber capabilities are growing.

"Previous high-profile incidents have propelled Iran's standing from low-level cyber threat to capable adversary," the 2015 report said.

"Iranian hackers have been suspected in multiple incidents that inflicted damage on various entities in the private sector, including finance and energy firms. Current analysis indicates Iran may intend to use its growing cyber force to attack global critical infrastructure."

Targets have included U.S. government personnel involved in arms nonproliferation and wiper malware on the Sands, as well as an attack on the Marine Corps' intranet. An Iranian activity known as Operation Cleaver in 2014 targeted global infrastructures in multiple industries.

Iranian cyber attacks on institutions

Published under: Iran , Iran Nuclear Deal