When Iran launches cyberattacks in revenge for the killing of Major Gen. Qasem Soleimani — which it almost certainly will do — the attack vector, as always, will be Windows. And when that happens, your PC and your business’s PCs will be right in the crosshairs. Here’s why — and how you can protect your machines and your business.
A long history of U.S.-Iranian cyberwarfare
To understand the coming cyberattacks, it’s useful to look back. For more than a decade, the U.S. and Iran have engaged in low-level cyberwarfare, with occasional bursts of higher-level attacks. The most destructive of them was Stuxnet, launched in 2009 by the U.S. and Israel against Iran’s nuclear program. It exploited four zero-day flaws in Windows machines, which controlled the centrifuges Iran used to create nuclear material that can be used in nuclear weapons.
Stuxnet snuck into the machines through the flaws, then took over the Siemens software that operated the centrifuges and ordered thousands of them to spin so fast they self-destructed. The damage was so great that it was believed to have set back Iran’s nuclear program by years. Many people believe the attack was a motivating factor in Iran signing the 2015 deal to curtail its nuclear program in return for economic sanctions against it being lifted — a deal that is no longer honored by the U.S.
After Stuxnet, Iran went on the offensive, exploiting Windows vulnerabilities over a period of years to attack more than 45 U.S. financial institutions, including the New York Stock Exchange, JPMorgan Chase and Wells Fargo. Iran also took over the command-and-control system of a dam outside New York City and hacked the servers of a casino owned by billionaire Sheldon Adelson, a prominent Republican donor who recommended that the U.S. launch a nuclear attack on Iran.
The Iranian strikes have continued at a lower level through the years, and in all cases, Windows has been involved. The attack on U.S. financial institutions, for example, was a denial-of-service (DoS) attack using a vast botnet of infected Windows PCs. Iran is also believed to be behind the well-publicized ransomware attack on the city of Atlanta. Spearphishing was used to trick city employees into downloading Windows-based ransomware, which then did its damage.
Iran readies its next wave of attacks
There’s evidence that even before the killing of Soleimani, Iran had been ramping up its cyberattack infrastructure. This came to light in June, as tensions between the countries spiked when Iran seized an oil tanker in the Strait of Hormuz and the U.S. shot down an Iranian drone in response. Foreign Policy magazine reported then that “With relations between the United States and Iran balanced on a knife’s edge, Iranian operatives are doing the work necessary to be able to digitally strike at the United States.”
Among Iran’s preparations, according to the security firm Recorded Future, was the registration of more than 1,200 command-and-control domains linked to Iran. More than 700 of those domains were already communicating with machines that had been infected.
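One practical defensive response to reporting like this is to check whether any of your own hosts are resolving domains that appear on a published command-and-control indicator list. The script below is an added example, not code from the article or from Recorded Future: it parses a simple DNS query log, matches each queried name (and its parent domains) against an indicator set, and summarises, per client, how often it contacted an indicator and how regular the gaps between contacts were, since fixed-interval lookups are a classic sign of beaconing. The log format, the client addresses and the indicator domains are all constructed placeholders; a real deployment would load indicators from a threat-intelligence feed and read the logs of your resolver.

```python
"""Flag hosts whose DNS queries hit known command-and-control domains.

Added example, not from the article or from Recorded Future. The indicator
set and the DNS log lines are constructed placeholders (".invalid" never
resolves), chosen only to exercise the matching and beacon-gap logic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, Iterator, Optional, Set, Tuple

# Constructed indicator set standing in for a threat-intelligence feed.
C2_DOMAINS = {"beacon-a.invalid", "update-cdn.invalid"}

# Constructed DNS query log: "<ISO-8601 time> <client IP> <queried name>"
SAMPLE_DNS_LOG = """\
2020-01-06T09:00:00 10.0.0.12 www.example.com
2020-01-06T09:00:05 10.0.0.12 api.beacon-a.invalid.
2020-01-06T09:01:05 10.0.0.12 api.beacon-a.invalid.
2020-01-06T09:02:05 10.0.0.12 API.Beacon-A.invalid
2020-01-06T09:02:30 10.0.0.40 mail.example.org
2020-01-06T09:03:00 10.0.0.40 update-cdn.invalid
2020-01-06T09:03:10 10.0.0.55 notbeacon-a.invalid
"""


def normalise(name: str) -> str:
    """Lower-case and drop the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.strip().lower().rstrip(".")


def matches_c2(name: str, c2_domains: Set[str]) -> Optional[str]:
    """Return the indicator matched by `name` or one of its parent domains.

    Matching on label boundaries means 'api.beacon-a.invalid' matches
    'beacon-a.invalid' while 'notbeacon-a.invalid' does not.
    """
    indicators = {normalise(d) for d in c2_domains}
    labels = normalise(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def parse_dns_log(text: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, client_ip, queried_name) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines instead of aborting the scan
        ts, client, name = parts
        try:
            yield datetime.fromisoformat(ts), client, name
        except ValueError:
            continue  # unparseable timestamp: skip the line


def find_c2_contacts(text: str, c2_domains: Set[str]) -> Dict[str, dict]:
    """Per client: matched indicators, number of hits, median gap between hits.

    A small, stable median gap over many hits (e.g. 60 s) is the beaconing
    pattern worth escalating; a single hit may be a user typo or a scanner.
    """
    hits = defaultdict(lambda: {"indicators": set(), "times": []})
    for ts, client, name in parse_dns_log(text):
        indicator = matches_c2(name, c2_domains)
        if indicator:
            hits[client]["indicators"].add(indicator)
            hits[client]["times"].append(ts)

    report = {}
    for client, data in hits.items():
        times = sorted(data["times"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[client] = {
            "indicators": sorted(data["indicators"]),
            "hits": len(times),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for client, summary in find_c2_contacts(SAMPLE_DNS_LOG, C2_DOMAINS).items():
        print(client, summary)
```

On the constructed log the script reports 10.0.0.12 with three hits on beacon-a.invalid at a median gap of 60 seconds, 10.0.0.40 with a single hit, and nothing for 10.0.0.55, whose lookup of notbeacon-a.invalid only shares a suffix string with an indicator rather than a domain label. That last case is why the match walks label boundaries instead of using a substring test.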
Experts expect Iran to use tools like these and Windows malware to strike back at the U.S. in retaliation for the killing of Soleimani. Kiersten Todt, managing director of the Cyber Readiness Institute, told CNN, “Iranians will certainly try to retaliate — definitely in the region, and they will also look at options in our homeland. Of the options available to them, cyber is most compelling.”
The Department of Homeland Security’s National Terrorism Advisory System agrees, and after the Soleimani assassination put out a bulletin that warned, “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
But U.S. critical infrastructure is generally well-protected, security experts say. So are government agencies and some big tech companies. Columbia University computer science professor Steven Bellovin told CNN that agencies like the CIA and NSA and tech companies like Google and Amazon are probably impervious to attack. However, he warned, “most companies aren't as good as these” at protecting themselves.
Last summer, cybersecurity expert Zak Doffman echoed that in Forbes when he wrote, "Iran understands that retaliation against the U.S. military in the cyber domain might be akin to throwing rocks at a tank, but it can hit the vast and under-protected U.S. corporate sector at will.”
Given that Iran can’t wreak destruction with cyberattacks, it will likely settle for disruption. And that means launching attacks at many different types of businesses and industries, even if they’re not connected to the military or vital infrastructure.
Those attacks will all be Windows-based. And once those Windows attacks are unleashed, they take on a life of their own and spread indiscriminately to individuals as well as businesses. Which means that your machines could well be hit.
It’s likely that the attacks will be of the types to which we’ve become accustomed: spread by phishing and spearphishing, and seeking out machines with unpatched security holes. And that’s actually good news, because it means that if you practice basic computer hygiene, you likely won’t be infected. So, first, make sure all of your computers and all of the software on them are updated with the latest security patches. In addition, follow the usual warnings: don’t open attachments you weren’t expecting, and don’t click on links unless you know that someone you trust has sent them. Make sure all of your servers and websites have the latest security patches as well.
Do all that, and even if Iran does unleash cyberattacks on the U.S., you and your business will be more likely to remain safe.