US businesses could be the next victim in the conflict between Washington and Tehran, according to a Washington Post report. With both sides unwilling to let the dispute escalate into traditional warfare, they have turned to cyberspace to target infrastructure. The Trump administration started off with an attack on Iran’s missile launching systems in response to the downing of a US military drone last week.

In an email on Saturday, Chris Krebs, the director of the Homeland Security Department’s cybersecurity division, warned that American businesses are prime targets for Iranian hackers. Sometimes instead of stealing data, however, they are using malware that erases hard drives. 

A trio of cybersecurity companies have confirmed that Iranian hackers have begun attacking US organizations through a variety of nefarious methods. Crowdstrike and Dragos reported to WIRED that a new wave of phishing emails had been launched by a hacker group known variously as APT33, Magnallium, and Refined Kitten. This group is suspected of working in tandem with the Tehran government and has targeted the US Department of Energy and government laboratories in the past week.

At this point, cybersecurity companies are not confident of the hackers’ goals. “We’re not sure if it’s intelligence collection, gathering information on the conflict, or if it’s the most dire concern we’ve always had, which is preparation for an attack,” said John Hultquist, director of threat intelligence at security firm FireEye.

Last week, an email disguised as a job posting for the Council of Economic Advisors within the White House was circulated in a phishing attempt that appears to be the work of APT33. Clicking the link in the email would open an application that installed malware called Powerton. With the victim’s computer successfully infected with the trojan, APT33 could sniff through data, transmit it, or delete it. Another option would be to hold the data for ransom. It’s possible that the hackers themselves do not even know what they will do once they hack a computer; perhaps they first want to see its contents and then decide the best way to leverage that data.

Iran had largely abandoned its hacking campaigns against the US after President Barack Obama negotiated the Joint Comprehensive Plan of Action, commonly known as the Iran Nuclear Deal. Prior to that agreement, Iran had attacked Saudi Aramco in response to a coordinated US-Israeli attack on Tehran’s nuclear facilities. Following its attack on the oil company, it began hitting US banks, rendering their websites inaccessible through denial-of-service attacks.

While Iran stated that the recent US cyberattack was unsuccessful, that point might not matter much to it. Iran was attacked and will strike back as it has in the past, something that the Department of Homeland Security understands. According to a BBC report, the cyberattack on Iran’s missile systems was in the works for at least a few weeks. This suggests that it was initially planned as a response to the oil tanker attacks. The Pentagon and the president’s cabinet are always preparing battle plans in the case of an attack, so having one prepared like this weekend’s cyberattack is not incredibly unusual. In some sense, it could almost be considered business as usual when it comes to 21st century warfare. 

Whereas the US targeted military computers, Iranian hackers will not be so courteous. Considering that economic sanctions are a major issue right now, hacker groups, whether rogue or government-sanctioned, will likely focus on commercial vulnerabilities. 

“They’re going to go for the soft underbelly,” Hultquist said. “In the past, that’s been our financial sector. They’ve also demonstrated interest in everything from energy to transportation to several other sectors.”

Cyberattacks are attractive because they often have economic components to them and carry no risk of fatalities. They are a way for Iran to show, often in a public fashion, that the US is not invulnerable. Finally, holding punches back keeps the threat of further escalation alive. If hackers make it known that they can infiltrate a system but do little or no damage, they leave the lingering question of “What will they do next?”
