State and local government cybersecurity officials should raise their monitoring for suspicious network activity in the wake of the U.S. airstrike last week that killed Qassem Soleimani, the top commander of Iran’s security and foreign intelligence forces, according to an advisory by the Multi-State Information Sharing and Analysis Center obtained by StateScoop.
The MS-ISAC’s cyber intel advisory, issued last Friday, instructs state and local governments to “maintain heightened log monitoring and awareness” of activity on their networks, particularly as they pertain to critical infrastructure.
“While [the Department of Homeland Security] assesses there are currently no specific credible threats against our homeland, it anticipated an Iranian cyber response to the U.S. is likely to involve destructive malware with intent to disrupt U.S. critical infrastructure,” reads the advisory, which is labeled “Traffic Light Protocol (TLP) Green,” meaning it can be distributed among the issuing organization’s partners — in this case, the MS-ISAC’s member governments.
The death of Soleimani, who led the Quds Force, the elite division of Iran’s Islamic Revolutionary Guard Corps, prompted swift threats of retaliation from the Iranian government, which is known to have advanced cyber capabilities. Shortly after Soleimani’s death was confirmed last Thursday, Chris Krebs, director of DHS’s Cybersecurity and Infrastructure Security Agency, sent out a reminder about Tehran’s reputation for online attacks, which have targeted industrial control systems and other critical infrastructure.
On Friday, several websites offering tourism information about U.S. cities were defaced with pro-Iranian messages, though none of those sites are run by government organizations. The website of the Federal Depository Library Program, which is run by the Government Publishing Office, was also defaced over the weekend by actors who identified themselves as “Iran Cyber Security Group Hackers,” the Washington Post reported, though U.S. officials have not confirmed any direct connection to the Iranian regime.
The MS-ISAC memo reiterates CISA’s warning, telling recipients to familiarize themselves with Iran’s tactics, techniques and practices. Hacking groups linked to the Iranian government are known to launch distributed-denial-of-service attacks, as well as “wiper” attacks that destroy files beyond the point of recovery. The memo also states that Iranian cyber actors have been known to employ “password spraying,” a brute-force tactic in which commonly used passwords are guessed against a large number of accounts to obtain entry to targeted systems.
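As an added illustration of the spraying pattern the memo describes, the detection logic below (written for this page, not taken from the advisory, MS-ISAC or StateScoop) runs over constructed authentication log lines and flags a source that fails against many distinct accounts a few times each, while ignoring a classic single-account brute force; the log format, IP addresses, thresholds and window length are assumptions.

```python
"""Password-spray detection over constructed auth log lines (defender-side heuristic)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): "<ISO timestamp> <source_ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
2020-01-06T09:00:01 203.0.113.7 alice FAIL
2020-01-06T09:00:03 203.0.113.7 bob FAIL
2020-01-06T09:00:05 203.0.113.7 carol FAIL
2020-01-06T09:00:07 203.0.113.7 dave FAIL
2020-01-06T09:00:09 203.0.113.7 erin FAIL
2020-01-06T09:00:11 203.0.113.7 frank FAIL
2020-01-06T09:00:13 203.0.113.7 grace SUCCESS
2020-01-06T09:05:00 198.51.100.4 alice FAIL
2020-01-06T09:05:02 198.51.100.4 alice FAIL
2020-01-06T09:05:04 198.51.100.4 alice FAIL
2020-01-06T09:05:06 198.51.100.4 alice FAIL
2020-01-06T09:05:08 198.51.100.4 alice FAIL
"""

def parse(text):
    """Yield (timestamp, source, user, result) tuples from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, src, user, result = line.split()
            yield datetime.fromisoformat(ts), src, user, result

def detect_spray(text, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Return {source: {"sprayed": [...], "succeeded": [...]}} for every source whose
    failures inside some window touch >= min_accounts distinct accounts with no single
    account failing more than max_per_account times: many accounts, few guesses each.
    A source hammering one account (classic brute force) never matches this shape."""
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, src, user, result in parse(text):
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)  # a success from a spraying source deserves triage
    alerts = {}
    for src, events in fails.items():
        events.sort()
        sprayed, start = set(), 0
        for end, (ts_end, _) in enumerate(events):
            while ts_end - events[start][0] > window:  # slide the window start forward
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                sprayed.update(per_user)
        if sprayed:
            alerts[src] = {"sprayed": sorted(sprayed), "succeeded": sorted(successes[src])}
    return alerts
```

In the sample, 203.0.113.7 is reported with six sprayed accounts and one subsequent success, while 198.51.100.4 (five failures against a single account) is not flagged by this rule.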
The advisory makes several recommendations for state and local government IT organizations, including being vigilant against potential DDoS and wiper attacks. It also suggests that governments evaluate third-party access to their networks, including — if necessary — their managed service providers “to ensure appropriate steps are being taken to mitigate risk.” Multiple ransomware attacks against local governments in 2019 are believed to have originated through vulnerabilities exploited in managed service providers.
Additionally, the memo encourages governments to keep their systems updated with the latest security patches and to ensure system backups are stored offline.
The Center for Internet Security, the nonprofit organization that operates the MS-ISAC, did not respond to a request for comment.