DHS CISA warns of Iranian hackers’ habit of deploying data-wiping malware

fbi-has-been-developing-cyber-hacking-tools-for-over-a-decade-to-attack-criminals.jpg

(Image: Homeland Security)

The Department of Homeland Security’s cyber-security agency is warning of increased cyber-activity from Iranian hackers, and urging US companies to take protective measures against these hacker groups’ most common practices — the use of data-wiping malware, credential stuffing attacks, password spraying, and spear-phishing.

The warning was published in a tweet by the Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs.

The CISA alert comes as Iranian hackers launched new waves of cyber-attacks against US targets following escalating tensions between the US and Iran, according to a CBS News report.

The US has responded to these Iranian cyber-attacks with a volley of its own, per a Yahoo News report.

The silent cyber-war between the two countries is expected to continue, and now, CISA leadership is warning US businesses to take protective measures against the most common hacking techniques employed by known Iranian threat actors, such as:

  • Spear-phishing – Iranian hacker’s go-to technique, and for which many have been charged by the US Department of Justice in the past.
  • Credential stuffing – the use of username and password combinations leaked at third-party services to access accounts on another service.
  • Password spraying – attack method that takes a large number of usernames and loops them with a single password (like 123456, or qwerty), allowing hackers to breach accounts with poorly secured passwords.
  • Data wipers – malware that deletes data on already compromised systems to prevent forensic analysis.

Iranian hackers have used data-wiping malware in the past. In 2012, they deployed the Shamoon (DisTrack) malware against the national oil companies of Saudi Arabia’s Saudi Aramco and Qatar’s RasGas.

The malware wiped hard drives clean and caused the two companies to temporarily cease operations, leading to huge financial losses. It was reported that Shamoon wiped the hard drives of over 35,000 Saudi Aramco computers.

The malware was used again in 2016 and 2018, with the last incident targeting the network of an Italian oil and gas company active in the Middle East.

With the US putting itself in direct conflict with Iran, US authorities fear that such destructive attacks might soon be aimed at US companies.

Krebs’ full statement is available below:

WASHINGTON – In response to reports of an increase in cybersecurity threats, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher C. Krebs issued the following statement:

“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe.

“Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.

“In times like these it’s important to make sure you’ve shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident – take it seriously and act quickly. You can find other tips and best practices for staying safe online here.

“Anyone who has relevant information or suspects a compromise should immediately contact us NCCICCUSTOMERSERVICE@hq.dhs.gov.”

Related government coverage:

READ MORE HERE