Iranian Cyber Attacks: The Top 5 Techniques

As cyber security professionals we often look at technical factors in isolation. Whilst these indicators and behaviours provide great value, individually they miss important preliminary steps of identifying priority adversaries.

A good understanding of all adversaries can help answer the important question, who is likely to attack us, and why? Whilst the primary focus of most criminal enterprises is financial gain, offensive cyber action by nation states is likely to be rooted in geopolitics. Having an understanding of national political objectives can help determine if, and why, a nation state is likely to target your organisation. 

When considering adversaries on the world’s stage it is important to understand those with offensive cyber capabilities and political motivations to use them, such as Iran. 

By exploring Iran’s background and previous cyber offensive strategies, this blog will consider their motivations and potential targets. 

Background on Iran

The institutional Iranian psyche is rooted in the Iranian Revolution of 1979. The revolution’s slogan was “neither East nor West, only Islamic Republic” (“Na Sharq, Na Gharb, Faqat Jumhuri-e Islami”). Today this slogan accurately describes the Iranian approach to foreign policy, whereby Iran positions itself as the centre of the Islamic world. Iranian influence is expressed indirectly through conflict to increase regional instability, especially against Israel, Iraq, Saudi Arabia and Western forces operating in the region.

Although Iran has been involved in a number of international armed conflicts, including invasions by British and Russian forces during both World Wars, it has never been the direct initiator of a conflict. The Iran-Iraq war in 1980, initiated by Saddam Hussein, took advantage of the turmoil created by the Iranian Revolution; some estimates suggest over a million people died in this conflict.

In the Middle East, Iran is a major military player. However, its adversaries also have strong conventional forces, which continue to influence the Iranian approach to conflict. Iran has historically chosen indirect engagement with adversaries in order to disrupt its opponents and exert regional influence. The evolution of offensive cyber capabilities and the common use of cyber operations have provided a new frontier for offensive actions, and this activity is highly likely to increase further.

Using the MITRE ATT&CK framework we can identify 11 offensive cyber groups that have links to Iran. By number of groups alone, this is second only to China. These groups and their targets include:

It’s reasonable to conclude that Iran has a competent cyber capability that targets a broad range of sectors that align to their geopolitical interests. Offensive cyber operations align with their tactics in the physical domain and activity is likely to increase given recent events.

“Iran should be considered a first-tier cyber power”

Gabi Siboni, a cyber security expert with Israel’s Institute for National Security Studies

Since the US airstrike on Major General Soleimani, tensions have escalated. The risk of Iranian offensive cyber operations against new targets, beyond Iran’s traditional opponents in the Middle East, has increased, and it is logical to assume there will be a particular focus on Western powers.

Even if the effects of the offensive operations are not publicly observed, threat actors will pre-position and infiltrate networks for potential future use for information exploitation and disruptive effects.

Additionally, Iran has internally produced a range of arms including ships, submarines, torpedoes and planes. If Iran were to focus on a military build-up, offensive cyber operations are also likely to target international defence and manufacturing firms in order to make use of their intellectual property. This has been seen with other national threat actors, where designs and plans to build advanced equipment have been stolen. It is even more pressing when international sanctions are impacting Iran’s economy and its ability to manufacture.

If you or your organisation are concerned about potential Iranian threat actors you will want to take measures to ensure you have sufficient controls in place to defend yourselves against the most likely techniques. Based upon previous Iranian cyber attacks, the top 5 techniques are:

After developing a detailed view of your adversaries and the techniques they are likely to employ, it is important to accurately model your own defences against each technique. Your modelling should detail your ability to prevent, detect and respond to each one of these techniques. It’s impossible to prevent many techniques without impacting business operations, so ensuring you have sufficient coverage to detect and respond to these is important.

Intersecting likely adversary techniques with your own defences will highlight current areas of weakness within your business that you may wish to address, such as the education of your teams, changes in process or controls, and investment in cyber security technology.
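The intersection described above can be scripted. The following is an added example, not part of the original blog or SenseOn's product: it ranks techniques by how many of the chosen groups use them, then lists which of prevent, detect and respond are missing for the top entries. It assumes input shaped like ATT&CK STIX objects; every group name, technique name and coverage entry is a constructed placeholder.

```python
from collections import Counter

def uses(src, dst):
    # A STIX "uses" relationship: group -> technique (or group -> software).
    return {"type": "relationship", "relationship_type": "uses",
            "source_ref": src, "target_ref": dst}

# Constructed sample shaped like ATT&CK STIX objects. Group and technique
# names are placeholders, not values taken from the page.
BUNDLE = [
    {"type": "intrusion-set", "id": "intrusion-set--a", "name": "GROUP-A"},
    {"type": "intrusion-set", "id": "intrusion-set--b", "name": "GROUP-B"},
    {"type": "intrusion-set", "id": "intrusion-set--c", "name": "GROUP-C"},
    {"type": "attack-pattern", "id": "attack-pattern--1", "name": "TECHNIQUE-1"},
    {"type": "attack-pattern", "id": "attack-pattern--2", "name": "TECHNIQUE-2"},
    {"type": "attack-pattern", "id": "attack-pattern--3", "name": "TECHNIQUE-3"},
    uses("intrusion-set--a", "attack-pattern--1"),
    uses("intrusion-set--b", "attack-pattern--1"),
    uses("intrusion-set--c", "attack-pattern--1"),
    uses("intrusion-set--a", "attack-pattern--2"),
    uses("intrusion-set--a", "attack-pattern--2"),  # duplicate, counted once
    uses("intrusion-set--b", "attack-pattern--2"),
    uses("intrusion-set--c", "attack-pattern--3"),
    uses("intrusion-set--a", "malware--x"),         # software, not a technique
]

# Constructed self-assessment: which control types exist per technique.
COVERAGE = {"TECHNIQUE-1": {"prevent", "detect", "respond"},
            "TECHNIQUE-2": {"detect"}}

def rank_techniques(objects, group_names):
    """Rank techniques by how many of the named groups use them."""
    groups = {o["id"] for o in objects
              if o["type"] == "intrusion-set" and o.get("name") in group_names}
    names = {o["id"]: o["name"] for o in objects if o["type"] == "attack-pattern"}
    pairs = {(o["source_ref"], o["target_ref"]) for o in objects
             if o["type"] == "relationship" and o.get("relationship_type") == "uses"
             and o["source_ref"] in groups and o["target_ref"] in names}
    counts = Counter(names[technique] for _, technique in pairs)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def coverage_gaps(ranked, coverage, top_n=5):
    """For the top_n techniques, list the control types that are missing."""
    gaps = {}
    for name, _ in ranked[:top_n]:
        missing = [c for c in ("prevent", "detect", "respond")
                   if c not in coverage.get(name, set())]
        if missing:
            gaps[name] = missing
    return gaps
```

A technique that is missing `detect` or `respond` deserves attention first, since prevention is often not practical without affecting business operations.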

At SenseOn, we help organisations of all sizes from around the world by automating the process of threat detection, investigation and response across their entire digital estates. These detections are mapped to the MITRE ATT&CK Framework to help our customers better understand the threats and adversaries they face.
