Despite a declared ceasefire between Iran and Israel and ongoing negotiations towards a permanent solution to the conflict, Iran-backed cyber actors and hacktivist groups supporting Tehran may still conduct malicious cyber activity.
This warning was issued by four US federal agencies in a security advisory published on June 30.
The document said that Iran-backed threat actors could target poorly secured US networks and internet-connected devices for disruptive attacks, especially by gaining access through weak passwords or exploiting known or unknown vulnerabilities in unpatched or outdated software.
“When specifically targeting operational technology (OT), these malicious cyber actors also use system engineering and diagnostic tools to target entities such as engineering and operator devices, performance and security systems and vendor and third-party maintenance and monitoring systems,” noted the advisory.
Additionally, Iranian-aligned hacktivists could conduct website defacements and leaks of sensitive information exfiltrated from victims.
Hacktivists may even team up with financially motivated groups to deploy ransomware and cyber extortion campaigns against US organizations.
The document emphasized that companies that are part of the US Defense Industrial Base (DIB), particularly those possessing holdings or relationships with Israeli research and defense firms, are “at increased risk.”
The DIB encompasses a wide array of companies, both domestic and foreign, that provide the US Department of Defense (DoD) with essential goods and services. This includes entities involved in defense research and development, manufacturing, logistics and maintenance of military equipment.
Preventing Cyber Threats from Iran-Aligned Hacking Groups
The advisory also provided a list of recommendations for US-based organizations to mitigate cyber threats from Iran:
- Disconnect OT and industrial control system (ICS) assets from the public internet, particularly those using remote access technologies (e.g. VNC, RDP, SSH) and web management interfaces. If remote access is necessary, enforce a deny-by-default allowlist policy to restrict unauthorized access
- Strengthen authentication measures by enforcing strong, unique passwords (replacing default or weak ones) and implementing phishing-resistant multifactor authentication (MFA) for OT network access. Additionally, apply role-based access controls (RBAC) and conditional access policies for cloud or managed services
- Apply the latest software patches to internet-facing systems to protect against known vulnerabilities and monitor user access logs for remote OT network access and unauthorized configuration changes
- Implement operational safeguards to prevent unauthorized changes, loss of control, or loss of visibility in OT environments, such as keeping programmable logic controllers (PLCs) in run mode, using hardware/software interlocks, and maintaining redundant safety systems
- Ensure robust business continuity and incident response plans, including full system and data backups for recovery. Regularly review, update, and rehearse incident response procedures to improve readiness
- Prepare for credential leaks by assessing how exfiltrated data could be exploited and implementing security mechanisms to mitigate the impact of potential breaches
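A minimal version of the log review the advisory recommends (remote OT access checked against a deny-by-default allowlist, logins with default account names, and PLCs leaving run mode), as an added example that is not part of the advisory or this article; the log format, hostnames, addresses and allowlist below are constructed:

```python
import re

# Constructed sample log lines (not from the advisory): remote-access sessions to OT
# hosts and a PLC mode change, in a simplified syslog-like format.
SAMPLE_LOGS = """\
2025-06-30T08:01:12Z hmi-01 sshd: Accepted password for operator from 10.20.1.15 port 51022
2025-06-30T08:05:40Z plc-gw-02 vnc: connection from 203.0.113.7 user admin
2025-06-30T08:07:03Z hmi-01 rdp: session opened for vendor-svc from 198.51.100.9
2025-06-30T08:09:55Z plc-03 plc: mode changed RUN -> PROGRAM by admin
2025-06-30T12:30:00Z hmi-01 sshd: Accepted publickey for operator from 10.20.1.15 port 51100
"""

# Assumed deny-by-default allowlist: the only (source IP, user) pairs permitted to
# open a remote session into the OT network.
ALLOWLIST = {("10.20.1.15", "operator")}
# Vendor default / shared account names that the advisory says should be replaced.
DEFAULT_ACCOUNTS = {"admin", "root", "administrator"}

REMOTE_SVCS = ("sshd", "vnc", "rdp")
USER_RE = re.compile(r"\b(?:for|user|by) (\S+)")
SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})")
MODE_RE = re.compile(r"mode changed (\w+) -> (\w+)")


def review_logs(text, allowlist=ALLOWLIST):
    """Return a list of (kind, host, detail) alerts for the given log text."""
    alerts = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue  # not in the expected "<ts> <host> <svc>: <msg>" shape
        _ts, host, svc, msg = parts
        svc = svc.rstrip(":")
        user_m, src_m = USER_RE.search(msg), SRC_RE.search(msg)
        user = user_m.group(1) if user_m else None
        if svc in REMOTE_SVCS and src_m:
            src = src_m.group(1)
            # Remote OT access from a (source, user) pair outside the allowlist.
            if (src, user) not in allowlist:
                alerts.append(("unallowlisted_remote_access", host, f"{user}@{src} via {svc}"))
            # Authentication with a default or shared account name.
            if user in DEFAULT_ACCOUNTS:
                alerts.append(("default_account_login", host, f"{user}@{src} via {svc}"))
        mode_m = MODE_RE.search(msg)
        # PLC taken out of RUN mode: a candidate unauthorized configuration change.
        if mode_m and mode_m.group(1) == "RUN" and mode_m.group(2) != "RUN":
            alerts.append(("plc_left_run_mode", host, f"RUN->{mode_m.group(2)} by {user}"))
    return alerts
```

Running `review_logs(SAMPLE_LOGS)` yields four alerts: two for the VNC login from 203.0.113.7 (unallowlisted and default account), one for the RDP session from 198.51.100.9, and one for plc-03 leaving run mode.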
This advisory was signed by the FBI, the NSA, the US Cybersecurity and Infrastructure Security Agency (CISA) and the DoD’s Cyber Crime Center (DC3).
It comes a few days after the US Department of Homeland Security (DHS) issued a warning to US citizens of a heightened risk of cyber-attacks by Iran state-sponsored threat actors and hacktivist groups following American military strikes against Iranian targets.