Recent geopolitical events around Iran have led to increased worries around Iranian cyber threat actors, both state actors and ideological hacktivists. Guardicore suggests that security professionals in charge of networks be extra vigilant in the coming weeks for opportunistic attacks.

As always, Guardicore proactively monitors our customers' networks and will notify and update them in case of concrete malicious activity in those networks. Our cyber security analyst team will continue to monitor current events and escalate events that require intervention.

As of now, the Guardicore Global Sensor Network (GGSN) of deception servers reports no change in the threat landscape compared with typical weeks, and there is no reason for alarm. However, this is a good excuse to check your network security and make sure your systems are properly configured to detect malicious activity. The U.S. CISA and the U.S. Department of Homeland Security have published insights and guidance on how to best be prepared.

The last year has seen a lot of Iranian state-backed activity in multiple fields, ranging from disinformation and media influencing attacks to attacks on safety-critical networks. This activity has been tracked by multiple groups, such as Microsoft and FireEye, along with Facebook, Twitter and other large media companies.

Some examples include multiple successful DNS hijacking attacks, starting in 2018 and continuing in 2019 (as reported by FireEye), along with professional long-term espionage campaigns. Iran has also figured prominently in the media influence discourse, creating fake news websites and social media campaigns using human and bot activity.

Most worrying is a new focus by Iranian state actors on targeting physical control systems in many safety-critical networks, such as power plants, factories and oil refineries.

The most concrete steps we urge defenders to take are to make sure your systems are patched and that legacy systems are segmented away from the Internet. Unpatched vulnerabilities and credential reuse are the two best vectors for any state-sponsored group, and Iran is no different. Make sure that you prioritize patching to handle vulnerabilities that are known to be used by different threat actors, or seal off such systems from remote access. For example, thousands of networks still expose vulnerable Pulse Secure VPN appliances, SharePoint websites vulnerable to simple remote code execution attacks and old Microsoft Office installations. These make easy targets for attackers and should therefore be prioritized.

Guardicore Labs threat researchers and cyber security analysts will continue to track this and other cyber threat trends. If you have any questions or would like to better understand the risk you’re facing, please reach out to us at labs@guardicore.com.