IntSights Advisory: Iran Election Cyberattacks Have Implications for Enterprises Beyond Ordinary Nation-State Retaliation
October 22nd, 2020
IntSights Advisories are designed to inform cybersecurity professionals on emerging threats that may impact their businesses. The content of this advisory has been developed by experts in cyber threat intelligence and is designed to help cybersecurity professionals understand potentially damaging new and evolving threats. Due to the upcoming United States elections, there has been an increase in cyber threat activity, particularly from nation-state actors. IntSights is unbiased in its assessment of cyber threats facing enterprises and government agencies. The sole purpose of this advisory is to provide cybersecurity professionals with information they can use to protect their businesses, partners, employees, and customers.
Key issues for enterprises and government agencies:
- The 2020 US election gives Iran, and other nation-state actors, an incentive to aggressively target enterprises and government agencies to collect data in order to disrupt commercial operations and governmental processes.
- Enterprises and government agencies need to be aware of the implications of Iran’s activities and leverage threat intelligence at both the strategic and tactical level to protect their data and the sensitive information of their customers, partners, and employees.
- Over the past decade, nation-state actors have mounted increasingly complex cyber operations to influence open societies and disrupt democratic processes. This activity has spilled over into commercial enterprises, which have become both a source of exploitable data and a channel for disinformation campaigns.
- Enterprises and government agencies are targets for these highly complex nation-state threats. The US elections simply present an opportunity for adversaries to capitalize on years of cyber espionage efforts to create chaos on a broad scale, which is not exclusive to the US.
In line with a number of national security agency assessments from countries across the globe, our Cyber Threat Intelligence experts conclude that in addition to Russia, Iran is one of the most likely state sponsors of cyberattacks designed to influence the outcome of the 2020 US presidential election. Iran has strong diplomatic and economic reasons to seek the electoral defeat of candidates that are unfavorable to their political and economic interests.
With growing tensions between some Gulf states and US support for nations that Iran perceives to be regional adversaries, the 2020 election presents an opportunity for Iran to use cyberattacks to influence the American body politic through attacks on companies and critical infrastructure, as well as federal, state, and local government infrastructure. As a business, IntSights does not typically focus on nation-state cybersecurity issues.
However, Iran’s ability and willingness to leverage its cyber espionage units to target commercial enterprises, social media, and US citizens’ personally identifiable information has resulted in a spillover effect that could impact enterprises and government agencies across the globe. Cybersecurity professionals are advised to prepare for a ramp-up in these efforts from Iran and other nation-states in the coming months.
State-sponsored Iranian actors have begun emulating the psychological manipulation tactics of Russian actors, as IntSights reported in its previous Threat Brief: Iranian Cyber Warfare. Iranian actors have used hacktivist-style data disclosure in the past. They may release any damaging information that they obtain under the rubric of a fake hacktivist group or via unknowing legitimate political organizations or media outlets.
Other possible scenarios, based on previous Iranian attacks, could conceivably include the deployment of destructive malware on electoral infrastructure or distributed denial of service (DDoS) attacks against such targets. More aggressive attacks such as these are less likely to occur due to a higher degree of difficulty and greater inherent risk.
Iran’s Motives to Interfere With the US Election
Much of the coverage of potential attempts by foreign governments to influence the US presidential election via cyberattacks focuses on Russia, given the role of the Russian “Fancy Bear” breach of the DNC in the previous presidential election and other data points. Iranian actors, nonetheless, have compelling reasons to sway the election as US intelligence officials disclosed earlier this year.
The US withdrew in 2018 from the Joint Comprehensive Plan of Action (JCPOA) on the Iranian nuclear program – a multilateral agreement negotiated with several nations – and reinstated sanctions against Iran. That reinstatement of sanctions has fueled a gradual escalation of retaliatory Iranian cyber threat activity against the US and its regional allies over the past two years.
Enterprises and government agencies need to be aware that Iran’s activities transcend attacks on government infrastructure. Enterprises are a likely target for collecting and then assimilating citizen data in order to launch a sophisticated cyberattack.
The actions of foreign governments against Iran’s nuclear program, such as the imposition of sanctions and the deployment of malware, have historically been key drivers of Iranian cyberattacks on foreign targets over the past decade. Sanctions against Iran for its nuclear program have created significant economic hardship within Iran. Iranian leaders likely prefer an administration that wants to fully restore the JCPOA or other nuclear diplomacy, thus providing economic relief for Iran.
Iranian Cyberattack Methods and Tactics
As noted above, state-sponsored Iranian actors have begun emulating the psychological manipulation tactics of Russian actors, and they have used hacktivist-style data disclosure in the past. Damaging information they obtain may be released under the guise of a fake hacktivist group or through a legitimate US organization that is unaware of the source. Other possible scenarios based on previous Iranian attacks include spear phishing campaigns against email accounts, the deployment of destructive malware on electoral infrastructure, and distributed denial of service (DDoS) attacks against such targets.
Email and Phishing Campaigns
Previous reports indicate that a group of Iranian actors, known variously as APT35, Phosphorus, and Charming Kitten (some reporting also links it to the Ajax Security Team), targeted email accounts of US political organizations. The group tried to compromise these organizations and other targets via spear phishing and password reset attempts. The spear phishing attacks used malicious domains that spoofed the brands of major technology companies. The password reset attempts abused account recovery flows: the actors first identified secondary email addresses or authentication phone numbers associated with a target account, then used them to trigger password changes. These tactics are relatively simple and do not require significant capabilities to execute.
As is true of many Iranian cyberattacks, they rely more on social engineering and target reconnaissance than on technology per se. The relative simplicity of these tactics does not prevent Iranian or other actors from using them to obtain valuable sensitive information, which can then be used for follow-on attacks or sold on the dark web to other threat actors. Account recovery options (secondary addresses, recovery phone numbers, SMS-based verification) are therefore part of the attack surface and should be reviewed and hardened alongside primary credentials.
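The brand-spoofing domains described above are the part of this tactic that a mail gateway or SIEM can catch mechanically. The following script is an added example, not code from the advisory or from IntSights: it folds each sender domain into a canonical form (punycode decoded, NFKC, lowercase, common digit and Cyrillic/Greek homoglyphs replaced) and then flags registrable labels that equal a protected brand, labels that embed a brand, brands hidden in a subdomain, and one-edit typosquats. The brand list, the allowlist of genuine sending domains, the homoglyph table, and the log lines are all constructed assumptions for illustration.

```python
"""Flag sender domains that impersonate protected brands in mail-gateway logs."""
import re
import unicodedata
from dataclasses import dataclass
from typing import List, Optional, Set

# Assumed brand list (the advisory only says "major technology companies").
PROTECTED_BRANDS: Set[str] = {"microsoft", "google", "yahoo", "apple"}
# Assumed allowlist of genuine sending domains; a real deployment would derive
# this from its own mail-flow baseline rather than hard-code it.
LEGITIMATE_DOMAINS: Set[str] = {"microsoft.com", "google.com", "accounts.google.com",
                                "yahoo.com", "apple.com"}
# Visually confusable substitutions seen in spoofed domains (illustrative table).
PAIR_HOMOGLYPHS = {"rn": "m", "vv": "w"}
CHAR_HOMOGLYPHS = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic c x y
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                  # Greek alpha omicron nu
}

@dataclass
class Verdict:
    domain: str
    brand: Optional[str]
    reason: str  # legitimate | lookalike | brand-in-subdomain | brand-embedded | typosquat | unrelated

def decode_label(label: str) -> str:
    """Turn a punycode label (xn--...) back into Unicode so homoglyphs are visible."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label

def fold_label(label: str) -> str:
    """Canonicalise one label: NFKC, lowercase, then replace known homoglyphs."""
    text = unicodedata.normalize("NFKC", decode_label(label)).lower()
    for pair, repl in PAIR_HOMOGLYPHS.items():
        text = text.replace(pair, repl)
    return "".join(CHAR_HOMOGLYPHS.get(ch, ch) for ch in text)

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain: str) -> Verdict:
    """Decide whether a sender domain impersonates one of the protected brands."""
    domain = domain.lower().rstrip(".")
    if domain in LEGITIMATE_DOMAINS:
        return Verdict(domain, None, "legitimate")
    labels = [fold_label(part) for part in domain.split(".")]
    # Naive registrable label (second from the right); production code should
    # consult the Public Suffix List so that "example.co.uk" is handled correctly.
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    subdomains = labels[:-2]
    brands = sorted(PROTECTED_BRANDS)
    for brand in brands:                       # spelled exactly like the brand after folding
        if registrable == brand:
            return Verdict(domain, brand, "lookalike")
    for brand in brands:                       # brand hidden in a subdomain label
        if brand in subdomains:
            return Verdict(domain, brand, "brand-in-subdomain")
    for brand in brands:                       # brand glued to other words
        if brand in registrable:
            return Verdict(domain, brand, "brand-embedded")
    for brand in brands:                       # one edit away from the brand
        if levenshtein(registrable, brand) <= 1:
            return Verdict(domain, brand, "typosquat")
    return Verdict(domain, None, "unrelated")

LOG_LINE = re.compile(r"from=(?P<sender>\S+)")

def scan_log(text: str) -> List[Verdict]:
    """Classify the sender domain of every log line that carries a from= field."""
    verdicts = []
    for line in text.splitlines():
        match = LOG_LINE.search(line)
        if match and "@" in match.group("sender"):
            verdicts.append(classify_domain(match.group("sender").rsplit("@", 1)[1]))
    return verdicts

# Constructed sample log lines (not real traffic). The third line uses the punycode
# form of "microsoft" with a Cyrillic "o", generated here so the IDN path is exercised.
_IDN = "micr\u043esoft".encode("idna").decode("ascii")
SAMPLE_LOG = f"""\
2020-10-19T08:14:02Z from=noreply@microsoft.com subject="Password reset"
2020-10-19T08:15:40Z from=security@micr0soft-login.com subject="Verify your account"
2020-10-19T08:16:11Z from=account-team@{_IDN}.com subject="Unusual sign-in"
2020-10-19T08:17:55Z from=admin@google.com.verify-login.net subject="Recovery phone update"
2020-10-19T08:18:30Z from=help@gooogle.com subject="Confirm recovery email"
2020-10-19T08:19:03Z from=hr@example.org subject="Benefits enrollment"
"""

if __name__ == "__main__":
    for v in scan_log(SAMPLE_LOG):
        if v.reason not in ("legitimate", "unrelated"):
            print(f"{v.reason:20} {v.brand or '-':10} {v.domain}")
```

Two caveats for anyone adapting this: the edit-distance check produces false positives for short brand names (a five-letter brand is one edit from many ordinary words), so tune the threshold per brand or require a minimum label length; and the allowlist must be maintained from observed legitimate mail flow, because a brand's own third-party senders would otherwise be flagged as lookalikes.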
This targeting of US political party email accounts in password reset attacks is not the first time that threat actors have used such tactics against such targets. During the 2008 US presidential campaign, David Kernell, the son of a state legislator in Tennessee, breached the personal email account of vice presidential candidate and Alaska Governor Sarah Palin.
Kernell managed to reset the password for Palin’s personal Yahoo account with open source reconnaissance of her biographical details. He claimed that he sought damaging information with which to undermine the McCain-Palin campaign. Email messages from this breach surfaced on WikiLeaks, which cited them as further evidence that Palin inappropriately or even illegally used personal email accounts for government business.
Much of the media coverage of foreign interference in the US presidential election has focused on disinformation. This focus may be well founded, but one should not assume that malicious actors limit themselves to the use of false information in their attempts to manipulate public opinion.
Authentic information, such as the contents of compromised email messages, could be equally or more useful for such purposes. In some cases, the best propaganda is the truth. The disclosure of authentic compromised data has long been a core tactic of hacktivist actors, such as those operating under the rubric of Anonymous. These tactics can be later applied to cyberattack methods targeting commercial enterprises and government agencies for other than an election-specific purpose.
Iranian Hacktivist Efforts
Iranian actors previously used hacktivist-style information disclosure tactics in a 2014-2015 breach of the Saudi Ministry of Foreign Affairs (MOFA). The actors behind the Iranian cyber espionage campaign known as Operation Cleaver released tens of thousands of MOFA diplomatic communications and email messages to WikiLeaks. The most significant revelation from these messages was not about Saudi foreign relations; it was a MOFA incident response report attributing the breach to Operation Cleaver. The actors nonetheless released the data to WikiLeaks under the cover of the so-called “Yemen Cyber Army” (YCA). Iranian actors occasionally conduct disruptive or high-profile cyberattacks under the rubric of fake hacktivist entities, which they create as cover mechanisms to give the Iranian government plausible deniability.
In this case, the use of the YCA as a cover mechanism suggested that the attack was retaliation for Saudi involvement in the Yemeni civil war, which had become a regional proxy war between Iran and Saudi Arabia. It would generally be inadvisable for a government to claim direct responsibility for a cyberattack on a foreign government and the disclosure of its diplomatic secrets due to the potential repercussions. The WikiLeaks disclosure of the incident report attributing the breach to Operation Cleaver may have provided another indirect way for Iran to signal to Saudi Arabia that it was responsible for the attack without claiming direct responsibility. Retaliatory attacks carry a more powerful message if the target understands who is targeting them and why.
[Figure: YCA logo. Image source: Twitter]
The types of fake hacktivist entities behind which Iranian actors have hidden in the past, most of which appear to be Middle Eastern, would probably not be useful for attempts to influence the US election. In fact, their use for such purposes might be counterproductive. The Iranian actors are likely aware of these factors and might therefore create fake profiles to disseminate disinformation campaigns or simply leak the information to organizations, such as WikiLeaks.
DDoS and Destructive Malware
The history of DDoS and destructive malware attacks by Iranian actors raises the more alarming prospect of such attacks on election infrastructure or other related targets. It has been more than seven years since the end of #OpAbabil, the unusually long and powerful DDoS campaign that Iranian actors waged against the websites of US banks under the rubric of the so-called Izz al-Din al-Qassam Cyber Fighters in 2012-2013.
The targeting and the tactics of this campaign were precise in their retaliation for the removal of Iranian banks from the SWIFT interbank communication system due to sanctions against Iran for its nuclear program. DDoS has not been a major feature of Iranian attacks since the end of #OpAbabil. Enterprises and government agencies should nonetheless be aware that Iran’s DDoS capabilities still exist, and that large-scale DDoS attacks remain hard to stop at the target because the underlying internet protocols allow spoofed source addresses and amplification through open reflectors; mitigation therefore depends on upstream providers and scrubbing capacity arranged in advance rather than on controls at the perimeter.
In contrast, destructive malware has remained a feature of Iranian attacks since the original 2012 Shamoon wiper attacks on the national oil and gas companies of Saudi Arabia and Qatar, under the hacktivist rubric of the so-called Cutting Sword of Justice group. Subsequent Iranian wiper attacks have typically targeted Saudi Arabia and the oil and gas industry, particularly in the broader Persian Gulf region. This specific combination of targeting and tactics likely reflects a desire to retaliate for the 2012 wiper attacks on the Iranian Oil Ministry (the investigation of which led to the discovery of the Flame espionage malware), as well as competition with Saudi Arabia and other Persian Gulf states in fossil fuel markets. Iran believes that these countries have used sanctions against Iran as an opportunity to usurp its oil and gas market share. Enterprises and government agencies need to be aware of Iranian capabilities to do significant damage to their operations and develop plans in case of escalation, including offline or immutable backups and tested restoration procedures, since a wiper attack is survivable only if clean copies of data and system images exist outside the attacker’s reach.
Conclusion and Recommendations
Enterprises and government agencies need to be aware of the strategic cyber threats emanating from nation-state actors. Iran has strong motives to interfere with the US presidential election. In the wake of the FBI’s claim that Iranian threat actors were behind a series of threatening emails sent to Florida voters, the severity of the threat is clear. While a high-profile cyberattack against US agencies or enterprises has not yet occurred, organizations must be prepared in the event that state-sponsored Iranian threat actors strike in the coming weeks. Given the tactics described above, the most immediate preparations are practical ones: review and harden account recovery options on executive and administrative accounts, monitor for lookalike domains that spoof the brands your staff trust, confirm DDoS mitigation arrangements with upstream providers, and verify that backups would survive a wiper.
Cyber Threat Intelligence (CTI) can provide visibility beyond an organization’s security perimeter, proactively identifying and validating threats as they emerge across the clear, deep, and dark web. IntSights’ advanced platform and expert threat researchers work in concert to constantly monitor these types of threats. To learn more about how CTI enables security teams to stay one step ahead of threat actors, get a free, customized intelligence report based on your organization’s digital assets.
Paul Prudhomme is Head of Threat Intelligence Advisory at Rapid7, following its July 2021 acquisition of IntSights. He previously served as a leader of the cyber threat intelligence subscription service at Deloitte and as an individual contributor to that of iDefense. Prior to that Paul covered cyber issues as a contractor in the US Intelligence Community. Paul specializes in the coverage of state-sponsored cyber threats, particularly those from Iran. He originally served as a linguist and cultural advisor and speaks multiple languages, including Arabic. Paul has a Master’s degree in History from Georgetown University. He is also a certified scuba diver and an award-winning amateur underwater photographer.