Drone Strike Prompts Vow of Retaliation from Iran
On January 3rd, a targeted drone strike by the U.S. killed Qasem Soleimani, the commander of the Iranian Quds Force, which is responsible for clandestine operations and for supporting non-state actors in the Middle East. Iran has vowed “revenge” for this action, and the last two decades have shown that state actors do not restrict cyber operations to military or government targets. In addition to whatever kinetic action Iran might take, the consequences of the strike will almost certainly include a cyber element.
Targeting of Critical Infrastructure by Cyber Operations
Cyber operations are conducted continuously by state-sponsored military and intelligence organizations. Organizations involved in defense or critical infrastructure are targeted by attacks and compromises that establish access and seek to identify and exfiltrate sensitive data. The list of targets can be surprising, most of all to the targeted organizations themselves, which often do not realize they hold data on individuals with security clearances. Cyberespionage is ongoing, by many different governments, regardless of the state of international relations.
In the wake of a significant attack like the January 3rd strike, however, the goals of retaliatory cyber-attacks are likely to be very different from the usual actions of state-sponsored groups. The end result of an “Iranian revenge” cyber operation would be destructive or disruptive in nature. Access established in cyberespionage operations can be leveraged to delete data rather than exfiltrate it, or to impact the availability of critical systems.
Vulnerabilities May Lead to Denial and Disruption
Many vulnerabilities in networks and software are not terribly useful for stealing data or maintaining access to a network. Our penetration testers often find vulnerabilities in uninterruptible power systems (UPS) and other power management systems for data centers during client engagements. It is tempting to downplay the severity of these vulnerabilities, as they do not give attackers elevated access to data. If an attacker is interested in disruption, however, the ability to turn off power or interfere with the operation of cooling systems will wreak havoc on a target without requiring administrative credentials across the entire network.
Organizations involved in national critical infrastructure have their own concerns, especially with regard to ICS/SCADA systems that may be subject to attack, but many other organizations also have power and other cyber-physical dependencies that are vulnerable. Many businesses do not see themselves as targets for state-sponsored actors and do not realize that they could be targets of opportunity. Even beyond state-sponsored actors, independent nationalistic groups may take it upon themselves to attack U.S.-based organizations.
Identification of Possible Denial and Disruption Vulnerabilities
Did your most recent penetration test take denial of service and other disruptive attacks as seriously as attacks involving access to and theft of data? While it is difficult to test these vulnerabilities without impacting operations, a good penetration test should identify possible denial/disruption vulnerabilities and analyze their likely impact. These vulnerabilities should be taken as seriously as those involving broad access to the network, as some cyber operations will be just as happy to keep you from conducting business as to steal your data.
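The impact analysis described above, and the cyber-physical dependencies mentioned earlier (power and cooling feeding the systems that deliver business services), can be made concrete with a small dependency model. The following Python script is an added illustration, not code from the original post or from the firm that wrote it: it walks a constructed asset dependency map to find the business services that would go down if a given asset were disrupted, then scores each constructed finding on a data-exposure axis and a disruption axis so that a low-confidentiality UPS finding is not buried beneath data-theft findings. The asset names, findings, and severity weights are all assumptions made for the example.

```python
"""Rank pentest findings by disruption impact as well as data-exposure impact.

Added illustration (not the original post's code). The asset inventory,
dependency map, findings and severity weights below are all constructed
for the example; the scoring weights are an assumption, not a standard.
"""
from collections import deque

# Constructed asset dependency map: asset -> assets that stop working
# (or degrade) if this asset is disrupted. Power and cooling feed the rack;
# the rack hosts the servers; the servers deliver business services.
DEPENDENTS = {
    "ups-1": ["pdu-a", "crac-1"],
    "pdu-a": ["rack-7"],
    "crac-1": ["rack-7"],            # constructed cooling unit for the rack
    "rack-7": ["db-server", "web-server"],
    "db-server": ["order-processing", "customer-portal"],
    "web-server": ["customer-portal"],
    "order-processing": [],
    "customer-portal": [],
}

# The assets that are business services, i.e. what management cares about.
BUSINESS_SERVICES = {"order-processing", "customer-portal"}

# Illustrative severity weights (assumption, not a standard scale).
SEVERITY = {"none": 0, "low": 1, "medium": 2, "high": 3}

# Constructed findings, as a report might list them. Each rates the
# confidentiality impact (data theft) and availability impact (disruption)
# separately, so neither axis is lost when the report is prioritized.
FINDINGS = [
    {"id": "F-1", "asset": "ups-1", "title": "Weakness in UPS management interface",
     "confidentiality": "low", "availability": "high"},
    {"id": "F-2", "asset": "web-server", "title": "Weakness in customer-facing web application",
     "confidentiality": "high", "availability": "low"},
    {"id": "F-3", "asset": "db-server", "title": "Weakness on database host",
     "confidentiality": "high", "availability": "medium"},
    {"id": "F-4", "asset": "crac-1", "title": "Weakness in cooling controller",
     "confidentiality": "none", "availability": "medium"},
]


def downstream(asset, dependents=DEPENDENTS):
    """Return every asset that transitively depends on `asset` (breadth-first)."""
    seen = set()
    queue = deque([asset])
    while queue:
        current = queue.popleft()
        for child in dependents.get(current, []):
            if child not in seen:
                seen.add(child)
                queue.append(child)
    return seen


def impacted_services(asset, dependents=DEPENDENTS, services=BUSINESS_SERVICES):
    """Business services that would be disrupted if `asset` went down (sorted)."""
    reach = downstream(asset, dependents) | {asset}
    return sorted(reach & services)


def score_finding(finding, dependents=DEPENDENTS, services=BUSINESS_SERVICES):
    """Score one finding on both axes; its priority is the higher of the two."""
    hit = impacted_services(finding["asset"], dependents, services)
    blast_radius = len(hit)
    data_score = SEVERITY[finding["confidentiality"]] * blast_radius
    disruption_score = SEVERITY[finding["availability"]] * blast_radius
    return {
        "id": finding["id"],
        "asset": finding["asset"],
        "impacted_services": hit,
        "data_score": data_score,
        "disruption_score": disruption_score,
        "priority": max(data_score, disruption_score),
    }


def prioritize(findings=FINDINGS, dependents=DEPENDENTS, services=BUSINESS_SERVICES):
    """Rank findings by priority (highest first); ties are broken by finding id."""
    scored = [score_finding(f, dependents, services) for f in findings]
    return sorted(scored, key=lambda s: (-s["priority"], s["id"]))


if __name__ == "__main__":
    for row in prioritize():
        print(f'{row["id"]:4} {row["asset"]:12} priority={row["priority"]} '
              f'data={row["data_score"]} disruption={row["disruption_score"]} '
              f'services={",".join(row["impacted_services"])}')
```

Run as-is, the UPS finding (F-1) ranks level with the database host finding (F-3) even though it exposes almost no data, because everything downstream of the UPS loses power; the cooling controller finding (F-4) likewise outranks the high-confidentiality web application finding (F-2). Replacing the constructed dependency map with an organization's real power, cooling and hosting dependencies is the part of the exercise that turns a list of "low" infrastructure findings into an honest availability risk picture.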