Iran war will bring wave of ‘low-level cyber activity,’ says intelligence group
Print out critical documents. Sanitize social media accounts. Prepare for attacks, both on- and offline. And if you’re planning a big upgrade, think about how potential rate hikes, cloud service outages or global supply-chain disruptions might complicate it.
This was some of the advice aimed at state and local government officials during an online briefing held Tuesday by an information-sharing group operated by the Center for Internet Security, an Upstate New York nonprofit that’s striving to keep its members informed on the physical and cybersecurity threats they face after the United States and Israel last weekend began their deadly strikes on Iran.
President Donald Trump’s decision to carry out a war of “overwhelming strength and devastating force” was welcomed by Israeli Prime Minister Benjamin Netanyahu, who for months has solicited aid for such a conflict. Now that the conflict has begun, the United States military appears prepared to sustain a campaign lasting at least several weeks; for state and local officials, this will likely mean a growing volume of “low-level cyber activity,” such as distributed denial-of-service attacks and website defacements, organizers of the center’s Multi-State Information Sharing and Analysis Center said during Tuesday’s briefing.
Though military strikes have left internet service highly unstable across much of Iran, TJ Sayers, MS-ISAC’s senior director of threat intelligence, said there are at least a couple reasons for government agencies to anticipate a wave of cyber activity, one being that hacktivist and proxy groups are beginning to form a “collective,” “which would give them a little bit more robust targeting capabilities.” Palo Alto Networks’ Unit 42 this week reported seeing a “surge” in activity that includes as many as 60 politically motivated cyber groups that are aligned with Iran or Russia.
Another reason to prepare for cyberattacks, Sayers said, is that Iran has allies: It’s allowing Chinese and Russian vessels through its shipping corridors, and Russia has begun information campaigns that amplify reports, “confirmed or not,” of Iranian casualties. (The New York Times reported Tuesday that nearly 900 people had so far been killed in just a few days of war. The dead include not only Ayatollah Ali Khamenei, Iran’s supreme leader, but many civilians. A strike on a girls school on Saturday killed 175 people, most of them children.) Sayers said his group anticipates Russia will use images, including AI-generated deepfakes, to erode public support for the war and “to fracture U.S.-Israel coalition.”
“Russia will almost certainly try to justify their ongoing war with Ukraine” by pointing to U.S. and Israeli intervention in Iran, Sayers continued. And China, he said, may point to this conflict, and the recent U.S. strikes on Venezuela, to justify a future invasion of Taiwan. Both could use the ongoing chaos to augment cyber campaigns against all levels of U.S. government, said Sayers, who added that the financial, energy and government sectors are expected to attract the most attention.
He pointed to recent surges of activity by Iran-linked groups, including MuddyWater, FAD Team and DieNet, as indicators of what the coming weeks may bring. Iranian cyberattacks against state and local governments are not certain, but what is more certain is that the region’s violence will destabilize the globe’s technological ecosystem. Damage to Amazon Web Services data facilities in recent days — two in the United Arab Emirates and one in Bahrain — drove global service outages. Google, Microsoft and Oracle, though not yet affected, also house computing facilities in the Middle East. “A lot of civilian infrastructure is being hit,” Randy Rose, MS-ISAC’s vice president for security operations and intelligence, said during the briefing.
Rose also pointed at other “high value soft targets”: undersea cables, internet exchange points, cloud infrastructure and global navigation systems, the latter of which are already being jammed. “Iran’s also targeting civilian shipping vessels and tankers,” Rose said. “Even a partial or short-term closure [of shipping lanes] can trigger cascading effects, from prices in crude oil going up, but also supply chain disruption in technology.”
At the briefing’s conclusion, organizers offered numerous recommendations, while the group’s members (MS-ISAC now claims more than 18,000 state, local, tribal and territorial governments as members) flooded the chat with thumbs up, confetti and heart emojis. Organizers urged their members to patch “high-impact environments,” such as critical and cloud infrastructure, and to prioritize public-facing services. They encouraged carefully validating user input on forms to limit SQL injection, and using firewalls and content delivery networks to mitigate potential DDoS attacks.
They even recommended officials take steps to limit the availability of extraneous information about their employees and organizations on public websites, to “sanitize” social media accounts and to request that data brokers and real-estate aggregators delete any stored information: “You don’t want to be a low-hanging fruit if there’s a physical attack,” Sayers said.
A man wearing clothes displaying an Iranian flag design and the words “Property of Allah” on Sunday killed two people and wounded 14 others at a bar in Austin, Texas, an attack the FBI is investigating as possible terrorism. Sayers encouraged vigilance along the Mexican and Canadian borders, where he said “Iranian-aligned proxy groups” may be waiting to “engage in violence.” “Any type of U.S. government, whether federal or local, would be a prime target for these types of physical threats,” he said.
Melissa Bischoping, the senior director of security and product design research at the cybersecurity firm Tanium, who did not attend the briefing, said that at the start of any major geopolitical conflict, everyone becomes concerned about potential “cyber fallout.” So far, she said, “we’re not currently seeing a lot of credible, validated campaigns targeted specifically targeting state and local infrastructure, but — and it’s an important but — that doesn’t mean there’s not a risk that people need to be aware of and that organizations need to be planning for, because Iran does have a history of targeting municipal infrastructure and this would be in their potential wheelhouse to do.”
Bischoping’s advice was largely similar to that of the MS-ISAC’s: Nail the basics of patching and hardening the pieces of equipment that are “typical targets” of attackers, like VPN devices and edge routers. But she also offered a familiar piece of political advice: “Never waste a crisis. I think if you’re a technology leader in an organization, this is a good time, because it is going to be top of mind with the people making the decisions about modernization and budget and what you’re able to accomplish.”