Over the past ten days, real-world military attacks have fostered fears that Iranian threat actors would launch cyberattacks on US organizations as part of a hybrid cyber-kinetic retaliation to US intervention in geopolitical tensions between Israel and Iran.
Among the steps that some experts say provoked Iran to respond with cyber measures are the Trump administration’s backing of Israel’s surprise coordinated airstrike against Iran, which targeted, among other things, the country’s nuclear facilities, and the administration’s launch this past weekend of bombing strikes on three Iranian nuclear facilities.
Iran responded to the US assault by firing missiles at a US airbase in Qatar, the largest American military base in the Middle East, which officials said caused no casualties or damage. Following this attack, Donald Trump announced a cease-fire between Israel and Iran.
The military action led some threat intelligence experts and the US Department of Homeland Security to warn of possible cyberattacks by hacktivists aligned with or sympathetic to Iran, as well as cyberattacks directed by the Iranian government itself.
However, many cyber threat intel analysts say the concerns over Iran launching cyberattacks against the US were overblown in the first place, given that Iran has a poor track record as a cyber adversary and will likely, for the foreseeable future, restrict itself to rudimentary attacks on low-hanging fruit.
“The truth is we’re seeing Iranian actors struggle to make any tangible impact on anything they’re getting involved in as things escalate on the kinetic side,” Tom Hegel, distinguished threat researcher at SentinelOne, tells CSO. “The reality is they might get lucky finding an opportunistic target that gives them likely a bit of attention.”
Still, the cease-fire notwithstanding, shadowy and ever-morphing Iran-aligned hacktivist groups and Iranian government actors might yet create operational headaches and reputational damage, and CISOs would do well to prepare their organizations for these possible outcomes.
Iran’s spotty track record of ICS, wiper attacks
In December 2023, the Iranian Government’s Islamic Revolutionary Guard Corps (IRGC) began using the persona “CyberAv3ngers” to actively target Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human-machine interfaces (HMIs), which are mainly used in water and wastewater systems.
These exploitations elevated Iran as a cyber threat actor to the top ranks of national cybersecurity concerns among Western nations, laying the groundwork for the current heightened fears of an Iranian cyberattack.
But, Hegel says, those PLCs that were sloppily exposed on the internet were a fluke for Iran. “That was low-hanging fruit for them. They got lucky to find it,” he says.
The only thing Iran did with access to those PLCs was to leave a defacement image stating, “You have been hacked, down with Israel. Every equipment ‘made in Israel’ is CyberAv3ngers legal target.”
“They sometimes target industrial control systems, but they’re not well-read on how those things work,” another senior cyber threat intelligence analyst, who asked not to be named, tells CSO. “When we have seen them get access, they’ve not used it effectively. They’re just not very good at that.”
Aside from this high-profile incident, Iranian threat actors are best known for using wipers, often in the form of fake ransomware. “They do have the capabilities to deploy impactful pieces of malware, wipers, ransomware, things of that sort,” the threat intel analyst says.
But even Iran’s wipers and fake ransomware are not major threats. “Typically, their wipers are fairly efficient, but information can be recovered,” the analyst says. “Ransomware they will deploy is almost always not ransomware; it’s a wiper, and they’ll try to extort a little bit of money from you.”
DDoS attacks are the biggest threat
Perhaps Iran’s most prominent cyber tool is distributed denial of service (DDoS), usually in conjunction with so-called hacktivist groups.
Hours after the US strikes against Iran’s nuclear sites, the Center for Internet Security (CIS) and other watchdogs confirmed that an Iranian-aligned hacktivist group called “313 Team” claimed responsibility for a DDoS attack on Trump’s Truth Social platform, which temporarily went dark.
“There are 20 or 30 new Iranian groups that have emerged over the last week or so,” says Alexis Rapin, strategic threat intelligence analyst at ESET. “It’s hard to keep track. Many of these groups have been shut down by Telegram in recent days. So, they basically form new ones, new channels, new coalitions of groups.”
Following the DHS warning of cyber threats tied to US involvement in the Iran conflict, Radware observed an 800% surge in claimed DDoS attacks against US sectors.
“It’s an easy attack to pull off,” Pascal Geenens, director of threat intelligence for Radware, tells CSO. “You just need infrastructure, and you just point it in the right way and you go at it and you almost always have some kind of result, whether it’s a big result or just a few seconds of downtime, enough to claim a report and to say, ‘Look, we had some impact.’”
“A lot of the outward communication we see coming from Iran is primarily from fake hacktivist personas, hacker groups, all on Telegram,” SentinelOne’s Hegel says. “We’re tracking dozens since the initial conflict kicked off last. They’re all doing the same thing, going for easy targets; it’s very opportunistic. DDoSing is almost child’s play nowadays.”
How CISOs could prepare for Iranian attacks
Even if the immediate threat of Iranian cyberattacks has subsided, CISOs should still consider strategies to help defend against them given the volatile nature of military conflicts in the Middle East.
“Even if we don’t see widespread cyberattacks, it’s never a bad thing to be prepared for them,” Pete Nicoletti, global CISO of Americas for Check Point, tells CSO.
Chief among Nicoletti’s list of things to do is “go ahead and set up geo-blocking,” he says. “You can easily get IP addresses and load them into your firewalls. Knock those countries that you do not have business with. Just drop them. They will be VPN’ing into other IP addresses and hacking from those, but take the ankle biters off the list.”
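The geo-blocking step above, expressed as a filter, as an added example that is not from the article or from Check Point: it loads a constructed country-style CIDR list, merges adjacent ranges, and classifies constructed connection log lines as dropped or allowed. The ranges and addresses are documentation/test blocks chosen for the example, not real country allocations, and the unblocked 192.0.2.x sources illustrate the gap Nicoletti describes, since relayed traffic from outside the listed ranges passes untouched.

```python
import ipaddress

# Constructed sample blocklist standing in for a country-level IP allocation
# list (documentation ranges only, not real country allocations).
GEO_BLOCKLIST = """
# comments and blank lines are ignored
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25
2001:db8:1::/48
"""

# Constructed connection log lines in the form "<src_ip> <dst_port>".
SAMPLE_CONNECTIONS = [
    "203.0.113.45 443",
    "198.51.100.200 22",
    "192.0.2.10 443",
    "2001:db8:1::beef 443",
    "192.0.2.77 22",
    "not-an-ip 80",
]


def load_blocklist(text):
    """Parse a CIDR list, skip comments, and merge adjacent ranges per family."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    # collapse_addresses only accepts one address family at a time; here it
    # merges 198.51.100.0/25 and 198.51.100.128/25 into 198.51.100.0/24.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def is_geo_blocked(addr, blocklist):
    """Return True if addr falls inside any blocked network (raises on bad input)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in blocklist)


def filter_connections(lines, blocklist):
    """Split source IPs into (dropped, allowed, malformed) lists."""
    dropped, allowed, malformed = [], [], []
    for line in lines:
        src = line.split()[0]
        try:
            blocked = is_geo_blocked(src, blocklist)
        except ValueError:
            malformed.append(src)  # garbage in a log line must not crash the filter
            continue
        (dropped if blocked else allowed).append(src)
    return dropped, allowed, malformed
```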
Gaming out what an Iranian attack might look like can also help. “Review your incident response plan and go ahead and knock out a desktop exercise focused on a nation-state actor attack,” Nicoletti says. “Take historical data and say, ‘Okay, we’ve seen this, this, and this.’ Put it into your nation-state attack desktop exercise.”
Preparing for a reputational fallout from a potential Iran-related attack is also helpful, particularly if the threat actor starts bragging about it. “The most important thing for CISOs is to have a statement ready if that time comes,” Radware’s Geenens says. “You don’t want to start thinking about what to do whenever you become the target of a fake claim, and it goes into the media, because your company can become a headline at any time because of those claims.”
Most importantly, CISOs should make sure they have adequate DDoS protection. “Cyber warfare is so asymmetric; it doesn’t take much money and expertise, and you can literally buy it on the dark web,” Check Point’s Nicoletti says. “I can go to the dark web right now, and for $500, I can get a company that doesn’t have adequate DDoS protection. I can nuke them off the map for the next week for just $500.”