DHS Warns of Increasing Risk of Wiper Malware Attacks by Iranian Threat Actors

The Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning following a rise in cyberattacks by ‘Iranian regime actors.’

The warning from Christopher C. Krebs came as tensions are building between the United States and Iran. Iran has been accused of planting magnetic mines to damage commercial shipping vessels, and a U.S. surveillance drone was shot down as it flew over the Strait of Hormuz. Iran claims the drone was flying in its airspace.

The U.S. planned a retaliatory air strike, but it was called off by President Trump because of the likely loss of life. A strike did take place in cyberspace, however. U.S. Cyber Command reportedly launched an attack on an Iranian intelligence group linked to the Islamic Revolutionary Guard Corps that is believed to have been involved in the mine laying operation. According to a recent report in the Washington Post, the cyberattack disabled computer systems used to control rocket and missile launches.

Iranian threat actors have also been highly active. There have been increasing numbers of cyberattacks on United States industries and government agencies.

While cyberattacks can take many forms, Iranian threat actors have increased their use of wiper malware. In addition to stealing data and money, the threat actors deploy wipers to destroy data, render systems unbootable, and take down entire networks. Unlike ransomware, a wiper offers no recovery path, so there is nothing to negotiate over once it has run.

Iran is one of three countries rated by the United States as having highly capable threat actors involved in economic espionage and theft of trade secrets and proprietary data. Iranian hackers are more than capable of conducting devastating cyberattacks. Two Iranian nationals were indicted in 2018 over the SamSam ransomware attacks, which hit healthcare providers across the United States.

Wiper malware can be used to devastating effect, as the 2012 cyberattack on the Saudi Arabian oil firm Saudi Aramco showed: the Shamoon wiper destroyed data on tens of thousands of computers. The financial harm caused by these attacks is considerable. In 2017, attacks using the NotPetya wiper, which posed as ransomware but could not restore files, resulted in global financial losses estimated at between $4 billion and $8 billion. The attack on the shipping firm Maersk alone resulted in losses of around $300 million. Such attacks are also far from rare. According to a recent report by Carbon Black, 45% of healthcare CISOs have experienced a wiper malware attack in the past 12 months.

The hackers may be highly capable, but they still rely on basic techniques and common weaknesses to gain initial access to networks: phishing and spear phishing, social engineering, password spraying (trying one or two common passwords against many accounts, so that no single account trips a lockout), and credential stuffing (replaying username and password pairs leaked from other breaches).

All of these attack methods can be blocked, or at least blunted, with basic cybersecurity measures: enforcing the use of strong, unique passwords; changing all default passwords; rate limiting and monitoring failed logins by source address as well as by account; applying the principle of least privilege when setting permissions; implementing multi-factor authentication; closing unused ports; disabling RDP where it is not needed and never exposing it directly to the internet; prompt patching; a robust, regularly tested backup strategy that keeps offline copies, since backups are the only recovery path after a wiper; and security awareness training for employees.
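The point about rate limiting and monitoring failed logins is worth making concrete. Password spraying is designed to stay under a per-account lockout threshold (one attempt per account, many accounts), while credential stuffing hits a single account from many addresses; a detector therefore has to count distinct accounts per source and distinct sources per account inside a time window, not just failures per account. The script below is an added example written for this article, not code from CISA or the article's author. The log format, the addresses, the user names, and the thresholds (five accounts from one source, three sources against one account, within thirty minutes) are all constructed assumptions to be adapted to a real authentication log.

```python
"""Detect password spraying and credential stuffing in authentication logs.

Added example, not from the original article. The log format, sample lines,
and thresholds below are constructed for illustration and must be tuned to
the real log source and the real login rate of the environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> auth src=<ip> user=<name> result=OK|FAIL"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>[\d.]+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: 203.0.113.5 sprays one guess across six accounts and
# succeeds against frank; bob is stuffed from several addresses; carol mistypes
# her password once from her usual address and then logs in normally.
SAMPLE_LOG = """\
2019-06-24T09:00:01Z auth src=203.0.113.5 user=alice result=FAIL
2019-06-24T09:01:12Z auth src=203.0.113.5 user=bob result=FAIL
2019-06-24T09:02:30Z auth src=203.0.113.5 user=carol result=FAIL
2019-06-24T09:03:45Z auth src=203.0.113.5 user=dave result=FAIL
2019-06-24T09:05:02Z auth src=203.0.113.5 user=erin result=FAIL
2019-06-24T09:06:19Z auth src=203.0.113.5 user=frank result=OK
2019-06-24T09:10:00Z auth src=192.0.2.10 user=bob result=FAIL
2019-06-24T09:10:03Z auth src=192.0.2.11 user=bob result=FAIL
2019-06-24T09:10:07Z auth src=192.0.2.12 user=bob result=FAIL
2019-06-24T09:30:00Z auth src=198.51.100.7 user=carol result=FAIL
2019-06-24T09:30:20Z auth src=198.51.100.7 user=carol result=OK
this line is deliberately malformed and must be skipped, not crash the parser
"""


def parse(lines):
    """Parse log lines into event dicts; unparseable lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "result": m["result"],
        })
    return events


def _sliding_distinct(items, window, threshold):
    """items: (timestamp, key) pairs sorted by timestamp. True if any window
    of the given length holds at least `threshold` distinct keys."""
    counts = defaultdict(int)
    lo = 0
    for ts, key in items:
        counts[key] += 1
        while items[lo][0] < ts - window:  # drop entries that fell out of the window
            old = items[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        if len(counts) >= threshold:
            return True
    return False


def detect(events, window=timedelta(minutes=30), spray_users=5, stuff_sources=3):
    """Return (spraying_sources, stuffed_accounts), each sorted.

    Spraying: one source fails against >= spray_users distinct accounts in a window.
    Stuffing: one account fails from >= stuff_sources distinct sources in a window.
    """
    by_src, by_user = defaultdict(list), defaultdict(list)
    for e in sorted((e for e in events if e["result"] == "FAIL"), key=lambda e: e["ts"]):
        by_src[e["src"]].append((e["ts"], e["user"]))
        by_user[e["user"]].append((e["ts"], e["src"]))
    spraying = sorted(s for s, it in by_src.items() if _sliding_distinct(it, window, spray_users))
    stuffed = sorted(u for u, it in by_user.items() if _sliding_distinct(it, window, stuff_sources))
    return spraying, stuffed


def per_account_lockouts(events, max_fail=5):
    """Accounts a naive per-account lockout (max_fail failures) would have locked.
    Shows why that control alone misses a low-and-slow spray."""
    fails = defaultdict(int)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["user"]] += 1
    return sorted(u for u, n in fails.items() if n >= max_fail)


def successes_from(events, sources):
    """(source, user) pairs for successful logins from flagged sources: the
    accounts an incident responder should reset and investigate first."""
    flagged = set(sources)
    return sorted((e["src"], e["user"]) for e in events
                  if e["result"] == "OK" and e["src"] in flagged)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    spray, stuff = detect(evs)
    print("spraying sources:", spray)
    print("stuffed accounts:", stuff)
    print("per-account lockouts that would have fired:", per_account_lockouts(evs))
    print("successful logins from spraying sources:", successes_from(evs, spray))
```

On the constructed sample, the spraying source is flagged even though no account it touched saw more than one failure, so a per-account lockout fires for nobody; the successful login against frank from the flagged address is the lead to act on first. In production the thresholds should be set from the observed baseline of legitimate failed logins, and the same sliding-window counts can drive the rate limit itself rather than only an alert.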

Krebs warned that all U.S industries, government agencies, and businesses should be alert to the risk of cyberattacks. “If you suspect an incident, take it seriously and act quickly,” said Krebs.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.