Further escalating hostilities in Iran could leave state and local governments in the crosshairs of hacktivists aligned with the regime as they look to retaliate in cyberspace, experts warned this week.
While internet traffic in Iran itself has dropped precipitously since the U.S. and Israel began their bombing campaign over the weekend, observers with the nonprofit Multi-State Information Sharing and Analysis Center warned that groups aligned with the Iranian regime in other countries may strike vulnerable targets, including government websites and the financial services and energy sectors.
Randy Rose, MS-ISAC’s vice president for security operations and intelligence, said this could at first take the form of “low-level cyber activity” like denial-of-service attacks, website defacement and malicious code injections. And TJ Sayers, MS-ISAC’s senior director of threat intelligence, said those efforts are all part of those hackers’ plans in the event that the regime falls.
“What we are seeing, and this is largely happening from outside of Iran, is hacktivist organizations are basically mobilizing to try to start targeting domestic U.S. and allied networks,” Sayers said during a webinar hosted by MS-ISAC and the Center for Internet Security. “This is largely based upon prior guidance that they’ve received from Iran, that if a red line was crossed, like the killing of the Supreme Leader [Ayatollah Ali Khamenei], that they should carry out operations like this, and in some cases, they’re even operating autonomously.”
Rose said any cyberattacks would come as part of an “invisible war” waged over the “cyber domain” for the past decade. And there have already been some apparent Iran-linked skirmishes in cyberspace, as a U.S. port was targeted with a DDoS attack by the DieNet group, while the Fatimiyoun Cyber Team, known as FaD Team, claimed to have injected code and released personally identifiable information from a township in the U.S.
Sayers warned governments to stay vigilant, as it appears, based on their observations, that hacking groups are starting to cooperate, rather than work autonomously.
“The hacktivist groups are largely operating independently, but we are starting to see some coalescence of these hacktivist groups to form somewhat of a collective, which would give them a little bit more robust targeting capabilities and kind of help unify their targeting efforts,” he said.
Another worry for U.S. state and local governments could be the potential targeting of physical infrastructure many rely on, including data centers. Two Amazon Web Services data centers were reportedly hit by Iranian drone strikes in the United Arab Emirates, leading to disruptions in various digital and financial services in the region. Those attacks and others in the Middle East led Recorded Future’s Insikt Group to conclude in a blog post that if hostilities in Iran escalate further, “the likelihood of state-sponsored destructive cyber operations against critical infrastructure increases significantly.”
“The targeting profile for the near term includes Israeli media outlets, telecom providers, and SMBs, with US and Gulf organizations in the escalation path,” the blog post continued. Recorded Future also warned that critical infrastructure could be under more threat if hacktivists “shift” their target to it.
And some state and local governments may face supply chain issues in the coming weeks, especially if their technology is Israeli-made, Sayers said. Disruptions in the Strait of Hormuz could spark higher energy prices and result in delays of equipment arriving, he added.
One other aspect for governments to monitor is Iran’s efforts to spread disinformation and manipulate social media to try to undermine public opinion on the conflict. And with new technologies available to hackers, including artificial intelligence, Rose warned that those efforts could take on a new dimension.
“Historically, Iran has been a capable [information operations] actor,” he said. “[Right] now, as they’re absorbing kinetic losses from conventional warfare, they are pivoting their resources. We’re not seeing a ton of information operations right now, but we anticipate those narratives targeting Western public support for the conflict, amplification of imagery, particularly AI-generated deepfake imagery and attempts to fracture the US-Israel coalition, are likely to spike in the coming weeks.”

