The recent upsurge in tensions between the U.S. and Iran has led to fears about an increase in both the frequency and aggressiveness of Iranian-sponsored cyber attacks. Iran has an extensive track record in this sphere, with government-backed cyber threat groups conducting numerous offensive cyber operations in recent years, including a number of highly destructive wiper attacks. While an uptick in such attacks is not a certainty, it is a distinct possibility and organizations should exercise extreme vigilance.
The capabilities of Iranian actors have evolved rapidly in recent years, from quick and relatively simple destructive attacks, such as distributed denial‐of‐service (DDoS) attacks or website defacements, to an increased focus on network compromises where the actors maintain a persistent foothold and obfuscate their presence to make attribution difficult. Iranian groups have also increasingly targeted critical infrastructure including energy and telecommunications companies.
Attackers associated with Iran have periodically carried out highly destructive disk-wiping attacks against targets in the Middle East. Historically, these attacks tend to coincide with periods of heightened instability in the region.
Most of these destructive attacks have involved the Shamoon disk wiper (W32.Disttrack). Shamoon first emerged in 2012 , when it was used in attacks against the Saudi energy sector. It reappeared again in late 2016, when a slightly modified version (W32.Disttrack.B) was used in another wave of attacks against Saudi Arabia.
A third wave of attacks occurred in December 2018, when Shamoon was once again deployed against a range of targets in the Middle East. Unlike previous Shamoon attacks, these attacks involved a second piece of wiping malware (Trojan.Filerase). This malware deleted and overwrote files on the infected computer. Shamoon itself would meanwhile erase the master boot record (MBR) of the computer, rendering it unusable.
Recent months have also seen the emergence of two new wipers, which appear to be evolutions of the original Shamoon wiper. The first, known as ZeroCleare (Trojan.Zerocleare) appeared in June and July of 2019, while in January 2020, the National Cybersecurity Authority of Saudi Arabia released a report about a wiper malware they called Dustman. Dustman is a further evolution of ZeroCleare, where the authors optimized functionality into a single file instead of the way it worked in the June/July campaigns.
Means of access
While destructive attacks are an obvious source of concern, potential targets should be aware that the evidence available to date suggests that the Shamoon attackers may not have compromised their victims’ networks themselves. In the aftermath of the 2016 Shamoon attacks, Symantec found evidence that the Iran-linked Greenbug and Timberworm espionage groups may have provided access to the victims’ networks. The 2018 attacks had a tentative link to the Iranian Elfin group (aka APT33), with one victim in Saudi Arabia having been compromised by the group shortly before Shamoon struck.
With this in mind, any organization that finds indicators of compromise (IOCs) related to any Iran-linked espionage group on their network should exercise extreme vigilance. While destructive attacks remain a relative rarity, a prior intrusion does appear to be a necessary precursor. Aside from the aforementioned groups, other Iran-linked groups that are highly active at present include Chafer, Crambus (aka OilRig), and Seedworm.
Given the recent history of attacks, it is evident that Iranian-sponsored groups consider destruction of equipment as an acceptable form of damage to targets. However, to date these incidents have only targeted Middle Eastern entities. Iranian actors have not yet shown an appetite for conducting similar attacks against organizations further afield. Considering the tense geopolitical climate in 2020 and based on previous Iranian activity, we believe cyber attacks originating from Iran or Iranian proxies would be (in order of descending probability):
- Wipers being used for destructive attacks against critical infrastructure
- Infrastructure for telecommunication providers being attacked to disrupt services
- Hacktivist defacements of popular websites
- DDoS attacks against financial entities
While Symantec has yet to see any evidence of a notable uptick in activity, this should not be misinterpreted, since planned operations could take some time to prepare and execute.
Organizations associated with the U.S. and its allies are an obvious target. While Iranian actors have, to date, heavily focused on organizations in the Middle East, attacks against the U.S. should not be ruled out, particularly considering the heightened state of tensions at present.
However, organizations based in the Middle East likely remain most at risk, given that Iranian groups know this region best and may already have ongoing compromises. Destructive attacks, such as those involving disk wipers, usually require some prior compromise of the organization’s network. This may mean that any potential destructive attacks could be focused on the Middle East, particularly if the attackers are under time pressure to retaliate.
Indicators of Compromise (IOCs)
|Shamoon||89850b5f6e06db3965d0fdf8681bc6e55d3b572c97351190c247b9c8b1419850||Disttrack.B Wiper malware|
|Shamoon||bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003||Disttrack.B Wiper malware|
|Dustman/ZeroCleare||becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86||Wiper malware (x64)|
|Dustman/ZeroCleare||2fc39463b6db44873c9c07724ac28b63cdd72f5863a4a7064883e3afdd141f8d||Wiper malware (x86)|
|Dustman/ZeroCleare||36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c||ElDos driver (x64)|