The death of Qasem Soleimani raises questions over digital retaliation
ANALYSIS The geopolitical landscape continues to be shrouded in uncertainty, following news last week that a prominent Iranian military commander was killed in a US drone strike in Baghdad.
Protests and rallies have filled the streets of the Iranian capital, Tehran, as its citizens mourn the death of Qasem Soleimani, a controversial, yet popular, figure who was believed to have been actively planning attacks against US forces, according to the Pentagon.
Questions have now been raised over whether or not Iran will retaliate against the US and its allies – a dispute that has spilled into the ever-greying area of cyber warfare.
The risk of escalatory action by Iran is particularly high, given “that the ‘red lines’ are not clearly defined in cyberspace”, said Suzanne Spaulding, advisor at Nozomi Networks and former employee of the cyber and infrastructure protection division at the Department of Homeland Security (DHS).
“The Iranian government will be under intense internal pressure to take strong action,” Spaulding told The Daily Swig.
“In 2011-2012, Iran went after banks for implementing sanctions and we should now anticipate actions against the contractors involved in the development and deployment of drones.”
Critical infrastructure threats
Iran is no stranger to the world of cyber warfare, with the country having been linked to attempted attacks on US critical infrastructure and to the dissemination of misinformation, according to last year’s Worldwide Threat Assessment (PDF) report from the US intelligence community.
Multiple indictments over the past years have highlighted the progression of Iranian advanced persistent threat (APT) groups and state cyber capability, which have, in particular, targeted the US financial sector with a distributed denial-of-service (DDoS) attack and gained unauthorized access to a dam in New York.
But attributing attacks to nation-states remains an ongoing challenge.
Clues in malware and exploit kit code, as well as attack patterns which could provide links to specific countries or groups – elements that may also be planted for the purposes of misdirection – make “attributing a specific cyber-attack to a specific actor a difficult and nebulous process”, according to Tim Erlin, vice president of Tripwire.
Iran also has other options that could have a stronger political impact, such as disrupting oil supplies or military strikes – while some cyber-attacks are simply viewed by industry as a non-event.
Over the weekend, for instance, a cyber-attack group briefly defaced the website of the US Federal Depository Library Program (FDLP) with a pro-Iranian message.
The Cybersecurity and Infrastructure Agency (CISA), the cyber arm of the DHS, said that it was monitoring the situation and that there was no indication that the incident was the work of a state-sponsored actor.
Website defacement “isn’t generally a tactic undertaken by nation-states with serious intentions, and is the cyber equivalent of graffiti on the side of a building,” Erlin told The Daily Swig.
John Hultquist, director of intelligence analysis at FireEye, told us that the Iranian government “has previously co-opted hacktivists for cyber-attacks in the past – in fact, many of their operators have a history of defacement and similar activity – but they now carry out more complex, significant, and targeted actions.”
“Defacements such as this are typically opportunistic and rarely speak to some serious underlying defense failures,” the cybersecurity expert added.
The DHS issued an advisory (PDF) on January 4 claiming that “Iran maintains a robust cyber program and can execute cyber-attacks against the United States [and] Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
The agency maintains there is no “credible threat” at present.