Iranian Cyber Threats

Mid-sized companies with IT and ICS networks CAN protect themselves from Iranian based hackers – Part 2

By January 8, 2020 No Comments

Today, we are continuing our quick overview of the most likely threats that you will face if the Iranian hacker groups decide to target your organization in the next few weeks. Here’s a little recap from yesterday’s article:

The U.S. launched a very lethal strike against Iranian terrorists operating in Iran. The Iranian government will respond with their own attacks in the very near future.

So, how does a mid-sized company shore up their defenses quickly to counter the threat? There are two things that you need to do quickly.

First, you need to understand the threat. Why is this important? If you understand what the threat is, you’ll have a much better chance of countering their Tactics, Techniques, and Procedures (TTPs).

Second, you need understand your own vulnerabilities. If you know what the threats are, and you know whether you are susceptible or vulnerable to the types of TTPs that they employ, then you can take decisive action.

Please click on the link to check out yesterday’s overview of threat group APT33.

For today’s threat focus, we’re going to look at a completely different Iranian cyber threat group.

 

The Threat – APT 34

The Iranian government regularly uses proxies to conduct military and cyber operations. There are several cyber threat groups that operate under the auspices of the Iranian government, and they have been known to enlist the aid of many different groups through social media.

The second group that we are going to look at has been given the designations of APT 34, OilRig, IRN2, and/or Helix Kitten. For simplicity’s sake, we’re going to use the APT 34 designation.

APT 34 shows all of the characteristics of a more advanced threat group than APT 33. APT 34 is much more targeted and intentional in their efforts, and they appear to be more sophisticated in their Tactics, Techniques, and Procedures (TTP). They are constantly testing their tools, and making changes to ensure that they can circumvent many malware suites.

The biggest threat from APT 34 is their phishing campaigns. They are much more specific in their targeting during phishing campaigns, and even wait until they have access to a victim’s network so that they can craft very legitimate looking spear phishing attacks. They are organized, and they do quite a bit of research before sending out their messages. The apparent authenticity of the formatting and messaging makes them highly successful.

The good news is that most of their attention has been focused on targets in the Middle East, but that could easily and quickly change in light of the current situation.

What can you do?

There are 3 things that you can do right now to significantly improve your overall security profile against this threat.

First, Raise your organization’s security awareness level. Use whatever mechanism that you have in place for increasing your security level, and do it now.

Second, Train your organization’s personnel on phishing and spear phishing. No matter how much training that they have had, organizations still suffer from these types of attacks. This threat actor is very sophisticated in their attacks, and they frequently target executives and their support staff, so make sure that those people are highly trained to recognize phishing attacks.

Third, Focus your cyber threat intelligence team, or SOC, or your one lone cyber security person very directly on APT 34. They need to learn as much as they can about the TTPs of this specific threat group so that they can counter their efforts.

We can help!

Feel free to reach out anytime if you have questions, or need more information. Red Trident Inc has a full team of IT and ICS cyber security professionals that can do everything from vulnerability and compliance assessments to comprehensive cyber security program development.

  • We have actual military-grade intelligence analysts on our staff that can help you weather the storm.
  • We have CSOC services that can help you monitor, detect, contain, and remediate across your IT and ICS networks.
  • Most importantly, we have all worked in the plants and know what you’re up against.
  • Red Trident is based out of Houston, Texas (the energy capital of the world), but we offer services all over the United States.
Contact us now to discuss your security, infrastructure, engineering, and networking needs.

References:

MITRE ATT&CK Group (2019, October 15). OilRig. https://attack.mitre.org/groups/G0049/

Meyers, Adam (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/

Falcone, Robert. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/