The escalating confrontation between the United States and Iran is raising concerns among cybersecurity agencies and security leaders, who have warned businesses to be on alert for a potential increase in cyberattacks from the region.
Governments warn of increased cyber activity linked to Iran conflict
Official warnings from cybersecurity centers in the United States, the United Kingdom, and Canada all mention increased intensity from cyber units both inside and outside Iran, with cells able to operate with more freedom in choosing targets due to the current lack of internet connectivity in the country.
The sophistication of these attacks is expected to be low-to-medium, according to a brief by Unit 42, the threat research unit within Palo Alto Networks.
This will likely include DDoS attacks, phishing, hack-and-leak campaigns, and opportunistic exploitation of known system vulnerabilities.
While not at the same level of sophistication as China and Russia, hackers aligned with the Iranian state have been a nuisance to both the US and Israel in the past and remain a top threat to public sector services.
“Iranian cyber espionage has resumed after a brief lull during the initial military strikes, and hacktivist fronts with ties to the Islamic Revolutionary Guard Corps are making claims and threats about disruptive attacks in the region,” said John Hultquist, chief analyst at Google Threat Intelligence Group.
Iran-linked retaliation may target businesses and infrastructure
According to the UK’s National Cyber Security Centre (NCSC), the threat level has not meaningfully shifted since the war started, but organisations with links to the region may be indirectly targeted by hackers through offices, operations, and supply chain connections.
Cyber retaliation by Iran and other adversaries often hits non-governmental targets, such as commercial infrastructure, which is easier to disrupt.
Financial sector raises alert as security teams review core defenses
The US financial sector has raised its alert level and is monitoring for signs of targeted attacks. Having been the target of a huge campaign in 2013 by Iranian-backed hackers, the sector understands the country’s capabilities better than most.
For information security officers, the current threat does not indicate a change in strategy or the introduction of new security software.
Instead, organisations need to run a full check of internet-exposed assets, patch known vulnerabilities, and ensure that admins are not using default or common passwords. These are the main ways that Iranian hackers typically gain access to systems, rather than through sophisticated multi-faceted attacks.
Security teams urged to focus on patching and exposed systems
Organisations should also have a comprehensive overview of suppliers, service operators, and connected third parties in the vicinity of the conflict region.
The first outburst of retaliation from Iran was aimed at its neighbouring countries — Iraq, Saudi Arabia, and Dubai — and cyber retaliation may follow a similar pattern, at least in the short term.
Alongside a security and partner review, organisations should review their communication plans in the event of disruption, as well as the tolerance levels of their systems to outages in payments, logistics, and other critical services.
For organisations with high exposure to the region, the UK’s NCSC says, “adjust your cyber security posture accordingly” to ensure that data is protected and operations remain online.
A physical presence in the region appears to pose a much greater threat at the moment, as seen with the recent bombing of Amazon’s data centers, and businesses should review their investments in the region with the expectation that the conflict will last longer than a few months.