Cyberthreat Alerts Raised to FIs Amid Heightened Tensions With Iran
“Iran has well-funded and state-supported offensive cyber capability and motive to use it against U.S. organizations, including credit unions."
The cybersecurity threats to financial institutions and other industries are not new; they are part of an ongoing, and possibly intensifying, menace to systems and processes that has existed for a number of years.
On Jan. 6, the Cybersecurity and Infrastructure Security Agency addressed the concerns: “Increased geopolitical tensions and threats of aggression may result in cyber and physical attacks against the Homeland and also destructive hybrid attacks by proxies against U.S. targets and interests abroad. Knowing how you, your organization, and your personnel may be exposed or targeted during increased tensions can help you better prepare.”
Many of those threats existed prior to the recent tensions. In December, IBM’s security experts said they had uncovered previously unknown malware, developed by Iranian hackers, that was used in a data-wiping attack against unnamed Middle East energy and industrial organizations. The newfound malware, named ZeroCleare and first discovered in September 2019, “spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to fully recover from,” Limor Kessem, an Israel-based analyst with IBM’s X-Force incident response team, wrote in a blog post.
ZDNet then learned from multiple sources that Iranian state-sponsored hackers had deployed a new strain of data-wiping malware, known as Dustman, on the network of Bapco, Bahrain’s national oil company, on December 29. While the Bapco incident does not appear to be connected to the current U.S.-Iranian political tensions, it did demonstrate Iran’s cyberattack capabilities.
In 2018, two financial firms were among the various U.S. targets of a hacking group working under the pretext of the Mabna Institute, which used password spraying to access a large number of accounts with a few commonly used passwords. The U.S. accused nine Iranian actors of stealing 31 terabytes of academic and commercial data in an operation dating as far back as 2013; claimed the group acted on behalf of the Islamic Revolutionary Guard Corps; and imposed sanctions on numerous individuals and companies in Iran as a result.
“Iranian actors have been targeting U.S. financial institutions for years, but with the acceleration of hostilities, these attacks are almost certain to increase,” Diana Volere, chief security evangelist at Saviynt, said. “Direct attacks are certainly possible, but the bigger vulnerability is through the supply chain and partners.” She recommended institutions incorporate risk-aware identity governance technologies to enforce the principles of least privilege and zero standing privileges; add adaptive, continuous controls and automated response; and develop a response plan for when an incident or a potential breach is discovered.
Chris Kennedy, chief information security officer and vice president of customer success at AttackIQ, emphasized, “Iran has well-funded and state-supported offensive cyber capability and motive to use it against U.S. organizations, including credit unions. In order to improve security posture and defend against these state-sponsored attackers, security teams for financial institutions need to first know what they are up against.” Kennedy suggested financial institutions can leverage resources such as MITRE ATT&CK (a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations) about the tactics, techniques and procedures commonly used by Iranian threat groups. Kennedy recommended security teams continuously evaluate how well each control fares against attacker behaviors to help protect credit unions and improve their security posture against Iran-sponsored threat actors.
“Financial institutions must take extra steps to enhance their access control and user activity logging capabilities in order to eliminate blind spots in legacy applications,” Piyush Pandey, CEO of Appsian, said. “Employee and customer data are a top target and many enterprises were not designed to combat modern threats.” He added that fine-grained, ultimately ‘data-centric’ security strategies let financial firms both reduce exposure and track which data is accessed, for example by requiring multi-factor authentication of users who connect from an unknown location or attempt to reach sensitive data.
Three cybersecurity experts with KnowBe4 also offered their perspective:
- Rosa Smothers, SVP of Cyber Operations. “Every company in the supervisory control and data acquisition and industrial control systems space should already be proactive in safeguarding against these (and other) advanced persistent threats; if we’re doing our jobs right, then admins aren’t in a state of emergency right now over the potential of Iranian implants lying dormant on our networks.” She added that it is also important to keep in mind US CERT’s ongoing bulletins regarding Iranian cybersecurity threats, which consistently warn industry about their go-to access methods – phishing attacks and password spraying. “Critical infrastructure must remain vigilant and utilize security solutions such as air gapping, deploying endpoint protections and training employees to spot and report social engineering and potential insider threats.”
- Erich Kron, security awareness advocate, KnowBe4. “Modern military actions and warfare have transcended from purely kinetic attacks to hybrid cyber and kinetic attacks. It is reasonable to expect there will be a response on the cyber side, especially given Iran’s advanced capabilities in the space. There is the possibility they already have access to systems as part of their APT groups and may leverage these at any time with attacks on the public and private sectors.” Kron added, “We can also expect that non-Iranian attackers will use the emotional tensions around the situation to craft phishing attacks designed to install malware or steal credentials.”
- James McQuiggan, security awareness advocate. “While the USA is always a target to nation states, organizations should be aware of a potential targeted cyberattack due to the recent actions by the U.S. government. Organizations will want to be on alert, but not to panic.” In addition, McQuiggan pointed out the need for additional monitoring and awareness within networks. Organizations with a robust security program should already be actively monitoring for unusual activity, and they should monitor, authorize and validate remote access connections by all supply chain entities. “It’s important for organizations to alert their human firewalls with training and education about potential attacks and a strong awareness to potential spear phishing attacks.”
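Two threads in the article connect: password spraying (a few common passwords tried against many accounts, as in the Mabna Institute case and named by Smothers as a go-to access method) and the call for institutions to actively monitor for unusual activity. Spraying is designed to stay under per-account lockout thresholds, so the signal is not many failures against one user but one source failing against many distinct users in a short window. The following is an added detection example written for this article, not code from any of the vendors or agencies quoted; the log format, field order, thresholds and sample lines are all constructed assumptions.

```python
"""Detect password-spraying patterns in authentication logs.

Spraying tries a few passwords against many accounts, so per-user lockout
counters never trip. The detectable pattern is instead: one source, many
distinct usernames, few failures per username, inside a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp result user source" format.
# Source 203.0.113.7 sprays six accounts and then succeeds against one;
# 198.51.100.20 hammers a single account (brute force, a different pattern);
# 192.0.2.9 is a lone failure. These addresses are documentation ranges.
SAMPLE_LOG = """\
2020-01-07T09:00:01Z FAIL alice 203.0.113.7
2020-01-07T09:00:03Z FAIL bob 203.0.113.7
2020-01-07T09:00:05Z FAIL carol 203.0.113.7
2020-01-07T09:00:07Z FAIL dave 203.0.113.7
2020-01-07T09:00:09Z FAIL erin 203.0.113.7
2020-01-07T09:00:11Z FAIL frank 203.0.113.7
2020-01-07T09:00:13Z SUCCESS grace 203.0.113.7
2020-01-07T09:05:00Z FAIL alice 198.51.100.20
2020-01-07T09:05:10Z FAIL alice 198.51.100.20
2020-01-07T09:05:20Z FAIL alice 198.51.100.20
2020-01-07T09:05:30Z FAIL alice 198.51.100.20
2020-01-07T09:05:40Z FAIL alice 198.51.100.20
2020-01-07T09:05:50Z FAIL alice 198.51.100.20
2020-01-07T10:30:00Z FAIL henry 192.0.2.9
"""


def parse_events(text):
    """Parse log lines into (timestamp, result, user, source) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, source = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, source))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct users within one window.

    A source is reported when some window of its failures covers at least
    `min_users` distinct accounts with no account failing more than
    `max_per_user` times. The alert also lists accounts that logged in
    successfully from that source after the burst began: those are the
    ones to check first, since a spray that "lands" looks like a normal login.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev[3]].append(ev)

    alerts = []
    for source, evs in by_source.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[1] == "FAIL"]
        best_users, burst_start, start = 0, None, 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e[2]] += 1
            if (len(per_user) >= min_users
                    and max(per_user.values()) <= max_per_user
                    and len(per_user) > best_users):
                best_users, burst_start = len(per_user), fails[start][0]
        if best_users:
            landed = sorted({e[2] for e in evs if e[1] == "SUCCESS" and e[0] >= burst_start})
            alerts.append({"source": source, "distinct_users": best_users,
                           "success_after": landed})
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single-account brute force from 198.51.100.20 is deliberately not flagged here: it is caught by ordinary lockout policy, whereas the spray from 203.0.113.7 would pass every per-user threshold and only shows up when failures are aggregated by source. In production the same aggregation is worth running by user-agent or ASN as well, since sprays are commonly rotated across addresses.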