CISA Warns of Iran’s Offensive Cyber Capabilities

Protesters burn pictures of the U.S. President Donald Trump, top, and the President-elect Joe Biden in a gathering in front of Iranian Foreign Ministry on Nov. 28, a day after the killing of Iranian scientist Mohsen Fakhrizadeh. Vahid Salemi/AP

One observer suggests the alert is meant more for the adversary than defenders.

Amid renewed tension between the U.S. and Iran, the Cybersecurity and Infrastructure Security Agency issued a warning to be vigilant for activity from Iranian hackers.

“Iranian cyber threat actors have been continuously improving their offensive cyber capabilities,” reads the alert released Thursday evening by the National Cyber Awareness System. “They continue to engage in more conventional offensive cyber activities ranging from website defacement, distributed denial of service attacks, and theft of personally identifiable information, to more advanced activities—including social media-driven influence operations, destructive malware, and, potentially, cyber-enabled kinetic attacks.”

CISA used almost the exact language to describe threats associated with Iran in January when it issued an alert following the U.S. assassination of General Qasem Soleimani, a prominent leader of the country’s military intelligence operations.

Thursday’s alert, in which CISA encouraged users and administrators to review previous advisories for information on Iranian advanced persistent threat actors’ tactics, techniques and procedures, comes in the wake of another high-profile assassination last week. Iran has attributed the killing of Mohsen Fakhrizadeh, its top nuclear scientist, to Israel, and the country’s foreign minister on Thursday implied the West is complicit for not condemning what he referred to as an act of terrorism.

“I believe this communication is meant more for the Iranian government than anything,” said Mike Hamilton, former vice chair of the Department of Homeland Security’s state, local, tribal and territorial government coordinating council, regarding the alert. “Because of the recent assassination, tensions are running high, and some retaliation is expected. A kinetic response is not possible but a cyber response is, and actors would work hard to avoid attribution. This is letting the Iranians know that our defenses are up, we know their TTPs and can identify them if they choose to act.”

Hamilton co-founded and is the chief information security officer for the cybersecurity firm CI Security, which aims primarily to serve the public sector. He also connected a Tuesday advisory that CISA and the FBI issued on advanced persistent threat actors targeting think tanks to the U.S. relationship with Iran.

“It’s likely fresh in Iranian memories that the U.S. identified and indicted Iranian actors for targeting U.S. think tanks, and we’re letting them know our radar is still up,” he told Nextgov.

Two Iranian nationals, sometimes acting at the behest of their government, allegedly conducted a campaign of coordinated cyber intrusions against a Washington D.C.-based think tank, as well as at least one foreign government entity, foreign and American universities, a defense contractor, an aerospace company, and non-governmental non-profits, all of which they saw as Iran’s adversaries, according to an indictment of the individuals the Justice Department released in September.

Israel has neither confirmed nor denied its involvement in the assassination of the nuclear scientist, but a U.S. official reportedly told the New York Times the close U.S. ally is responsible.

Tensions, and the desire for insight into U.S. plans and thinking, are likely to continue as Iran and the U.S.—under President-elect Joe Biden’s leadership—enter into a game of chicken over which country will first recommit to the terms of a 2015 arrangement. The nuclear deal, established by President Obama and undone by President Trump, relieved sanctions on Iran in exchange for a promise it wouldn’t pursue uranium enrichment.

As Iran appeals to the U.S. and European countries to resume economic ties and once again undo sanctions, its parliament is pushing to resume the country’s nuclear program. Javad Zarif, the Iranian foreign minister, said such a move can also be reversed, noting, “we have an open eye and open ear, we should all be forward-looking to mend a disaster of four years of the Trump administration.”    

The Biden administration highlighted cybersecurity in selecting individuals to serve in top foreign policy and national security posts. Most of the attention, as it relates to cybersecurity, has been focused on China, but cyber intelligence experts suggest Iranian relations should also be a crucial consideration. 

“We judge that Iran uses online information operations to support its geopolitical objectives and has refined an array of tactics that it continues to hone,” a spokesperson for Mandiant Threat Intelligence said in an email to Nextgov.