Iranian Hackers APT33 Now Threatening ICS Security

As part of a major change in strategy, it now appears that Iranian hackers are shifting their focus to include physically disruptive cyber attacks on critical infrastructure targets – including targets within U.S. borders. Iranian hackers known as APT33 are now looking for ways to exploit security vulnerabilities in the industrial control systems (ICS) of manufacturing plants, energy grid operators and oil refineries. In a worst-case scenario, say ICS security researchers, Iranian hackers could carry out a massive cyber attack that disrupts the U.S. energy grid and causes widespread physical damage.

New developments with APT33 Iranian hackers

U.S. security researchers have been tracking the activities of the APT33 Iranian hackers since 2013, and so have a detailed view of how the group's tactics and strategy have changed over time. These Iranian hackers appear to be working at the behest of the Iranian government, and for that reason have tended to focus their efforts on strategically sensitive targets. In 2017, for example, security firm FireEye outlined the various ways in which APT33 was targeting aerospace and energy organizations, with most of that activity aimed at the United States and Saudi Arabia (both adversaries of Iran). A favorite method of these Iranian hackers was “wiper” malware that destroys the data on the machines it reaches, the same technique behind the infamous “Shamoon” destructive attacks on Saudi oil assets.

Since then, ICS security researchers have documented the various types of attacks that these Iranian hackers carried out. At the outset, the APT33 Iranian hackers tended to focus on relatively low-level and unsophisticated attacks, such as distributed denial of service (DDoS), web defacement and password spraying, in which a handful of common passwords is tried against many accounts to gain entry to online assets. The Iranian hackers were also relatively “noisy” about all of this activity, which made it easy for ICS security experts to track them. From there, Iranian hacking groups moved on to destructive “wiper” malware attacks and various forms of corporate espionage.

But something seems to have changed at the beginning of 2019, says Microsoft security researcher Ned Moran, who is also a fellow at the University of Toronto’s Citizen Lab. In a presentation delivered at the November CyberWarCon event in Virginia, Moran outlined the shift in focus to ICS attacks by APT33 (which is also known as Refined Kitten, Elfin and Holmium within the security community). As Moran sees it, this shift in focus could signal a dangerous new phase in the global cyber war between Iran and the United States. Iran could be laying the groundwork for destructive cyber attacks far outside the Middle East.

From January to October, says Moran, state-sponsored Iranian hackers targeted tens of thousands of companies using password spraying, in which a short list of common passwords is tried against a large number of accounts (rather than many passwords against one account, as in classic brute forcing), so that each account sees only a few failures and lockout thresholds are never tripped. In October and November, though, the Iranian hackers narrowed their focus to around 2,000 organizations, a surprisingly large share of which are related to industrial control systems. In fact, half of the 25 most-targeted organizations were makers or maintainers of industrial control system equipment.
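The distinction matters for defenders: a spray shows up as one source touching many accounts a few times each, while brute force shows up as one source hammering one account. The following is an added example, not code from the article or from Microsoft, that separates the two patterns over constructed, syslog-style authentication records (the `timestamp src_ip user result` format, the IPs and the account names are all hypothetical) and lists any account that the spraying source eventually logged into.

```python
"""Password-spray vs. brute-force detection over constructed auth log lines.

Added example (not from the article, Microsoft or APT33 tooling). The log
format "ISO-timestamp src_ip user FAIL|SUCCESS" is hypothetical, invented for
this demonstration, as are the addresses and user names below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one spraying source (198.51.100.7), one classic
# brute-force source (203.0.113.9) and one benign user typo (192.0.2.44).
SAMPLE_LOG = """\
2019-10-01T08:00:01 198.51.100.7 alice FAIL
2019-10-01T08:00:03 198.51.100.7 bob FAIL
2019-10-01T08:00:05 198.51.100.7 carol FAIL
2019-10-01T08:00:07 198.51.100.7 dave FAIL
2019-10-01T08:00:09 198.51.100.7 erin FAIL
2019-10-01T08:00:11 198.51.100.7 frank FAIL
2019-10-01T08:00:13 198.51.100.7 grace SUCCESS
2019-10-01T08:01:00 203.0.113.9 alice FAIL
2019-10-01T08:01:02 203.0.113.9 alice FAIL
2019-10-01T08:01:04 203.0.113.9 alice FAIL
2019-10-01T08:01:06 203.0.113.9 alice FAIL
2019-10-01T08:01:08 203.0.113.9 alice FAIL
2019-10-01T08:01:10 203.0.113.9 alice FAIL
2019-10-01T08:30:00 192.0.2.44 bob FAIL
2019-10-01T08:30:30 192.0.2.44 bob SUCCESS
"""


def parse(log_text):
    """Turn the hypothetical log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Sources whose failed logins inside `window` touch >= min_users distinct
    accounts while hitting no single account more than max_per_user times.
    Returns {src_ip: sorted list of sprayed accounts}."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    findings = {}
    for ip, attempts in fails.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):          # sliding window over this source
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in attempts[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = sorted(per_user)
        if best:
            findings[ip] = best
    return findings


def detect_brute_force(events, window=timedelta(minutes=10), min_attempts=5):
    """Classic brute force: one source, one account, >= min_attempts failures
    inside `window`. Returns {src_ip: [accounts]}."""
    fails = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails[(ip, user)].append(ts)
    findings = defaultdict(list)
    for (ip, user), stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                findings[ip].append(user)
                break
    return dict(findings)


def compromised_accounts(events, spray_findings):
    """Accounts that a spraying source later authenticated to successfully;
    these are the ones that need a password reset and session revocation."""
    hits = defaultdict(list)
    for _, ip, user, result in events:
        if result == "SUCCESS" and ip in spray_findings:
            hits[ip].append(user)
    return dict(hits)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    spray = detect_spray(evs)
    print("spray sources:", spray)
    print("brute-force sources:", detect_brute_force(evs))
    print("accounts opened by spray:", compromised_accounts(evs, spray))
```

Per-account lockout, the control most organizations rely on, never fires on the spraying source here because each account fails only once; the per-source view is what exposes it, which is why the detection keys on the source rather than on the account.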

Adam Laub, CMO of STEALTHbits Technologies, comments on possible risk scenarios involving ICS attacks: “Sadly, one can only hope – at least for the time being – that APT33’s or any other group’s focus on manufacturers and ICS-related industries is limited to reconnaissance and espionage. The damage of identity or IP theft would pale in comparison to the catastrophic failure of a power plant in the dead of winter or any number of unthinkable scenarios. In a world where the general public has grown largely desensitized to the daily occurrence of data breaches, it’s likely that attacks on ICS would jolt us all back into reality.”

Implications of new APT33 attacks for ICS security

If Iranian hackers such as APT33 are indeed shifting their focus to industrial control systems, that has significant implications for how the United States must think about ICS security. Most importantly, it would signal that Iran is no longer just looking to steal corporate or trade secrets, or to annoy U.S. officials with web defacement attacks; Iranian hacker groups would be looking to inflict physical damage on the United States. In a base-case ICS security scenario, malicious code delivered to control systems could be used to bring equipment such as fans and pumps to a halt or to shut off flow through pipelines. In a worst-case scenario, Iran might attempt to bring down large parts of the U.S. power grid.

In terms of ICS security, one major concern is that much of America’s critical infrastructure is highly exposed: it is old, poorly managed and maintained, and was designed before cyber attacks were a consideration. A generation ago, an attacker would have needed physical access to infrastructure targets in order to inflict damage. Now, with so many devices and sensors connected to the Internet and so much control functionality handled in software, Iranian hackers such as APT33 can carry out their attacks from thousands of miles away.

Ray DeMeo, Co-Founder and COO of Virsec, details some of the risks for ICS operators: “There’s a common misconception that OT systems are less vulnerable to attack than IT systems. It’s not necessary to hack physical equipment to cause disruption or damage to industrial equipment. The control systems (SCADA and others) are largely run on conventional Windows machines and vulnerable to a wide range of external, supply chain and insider attacks. We’ve seen repeatedly, with attacks from Stuxnet to Triton/Trisis, that fileless and in-memory attacks can hijack the control systems, and then easily bring down physical industrial equipment. The ICS industry needs a serious wakeup call to take these threats more seriously, and rapidly implement stronger security across their entire IT/OT stacks.”

Moreover, if Iranian hackers were now taking their orders from the Iranian government, the shift in focus to ICS targets would mean that the worlds of national security and ICS security will be forever intertwined. Private sector companies in charge of critical infrastructure targets are going to have to work much more closely with government and intelligence agencies in order to ensure that they remain protected from future cyber attacks. For that reason, the U.S. government is already looking more closely into ways that it can warn private sector companies about new threat actors, or about specific vulnerabilities within the energy and power sector.

Will tit-for-tat cyber attacks lead to kinetic war?

One major ICS security concern is that any Iranian cyber attack would be followed by a U.S. cyber counterattack on Iranian assets, which would in turn be followed by an Iranian counterattack, a vicious cycle in which each round escalates in nature and intensity. At some point, security experts say, an attack would become destructive enough to be tantamount to an act of war.

And, indeed, that is what appears to be happening now, as Iran and the United States engage in a “shadow” cyber war. Any time Iran shoots down a U.S. drone or carries out an attack on ships or oil refinery assets in the Middle East, the U.S. is now hitting back hard with offensive cyber attacks. And now it looks like a flare-up of tensions over the summer is what led to the new shift in focus for Iranian hackers. U.S. cyber attacks are rumored to have been carried out against Iranian oil targets, and Iran may be looking to retaliate in the same way. This is a dangerous new trend, and one that carries grave new implications for both ICS security and national security.