What Can be Expected Following the Death of General Suleimani

Iran: As has been widely reported in the media since late yesterday, a U.S. airstrike on militant forces at Baghdad International Airport resulted in the death of a top Iranian General. Major General Qassim Suleimani was the commander of the Islamic Revolutionary Guard Corps’ (IRGC) Quds Force. The IRGC was designated last year as a Foreign Terrorist Organization, or FTO, by the U.S. State Department, primarily because of the Quds Force. Quds Force’s main mission is to train, supply, advise, and support other Islamic groups, especially Shia groups such as Hezbollah, which is also designated as an FTO. In recent years, the IRGC have been expanding their own cyber-operations independent of Iran’s main government cyber-forces. Their close ties to forces outside of Iran have led many to wonder if those same cyber-capabilities are currently, or will be, shared with other designated FTOs by the IRGC through the Quds Force. Iranian cyber-attacks have traditionally ranged from distributed denial-of-service (DDoS) attacks against financial institutions to destructive attacks using the Shamoon malware, or its variants, and ransomware attacks. The IRGC have specifically proven themselves extremely adept at infiltrating networks and at creating mobile malware that is able to slip past security measures on both the App Store and Google Play. They have done this by creating application publication companies which produce legitimate apps. Once those publishers are trusted, they begin producing applications laden with malware or pushing updates with malicious payloads to existing applications. The IRGC have also infiltrated legitimate application publishers to upload their own malicious payloads to those publishers’ applications. The current regime in Iran has been working hard over the past several years to project power, not only throughout the region but also on a global scale.

Analyst Notes

This kind of strong blow to Iran itself, let alone the IRGC which reports directly to the Ayatollah, is unlikely to be left unanswered by Iran. While many are focused on a physical response in the region, the possibility of a cyber-attack in response should not be discounted, especially in light of the IRGC and Iran’s expanding cyber-operations. The greatest risk in the short term is to U.S. interests in the region, as well as the interests of U.S. allies in the region. This would include both military interests and private industries, such as manufacturing, energy production, and finance. Saudi Arabia is already operating in a state of high alert in preparation for a cyber-attack from Iran or a physical attack through one of the many groups supported by the Quds Force in the region, including Houthi forces in Yemen. Reasonable precautions that private industry should take include ensuring that business-critical data is backed up in a safe location that is not accessible to attackers on the network, keeping anti-virus signatures up to date, reminding employees to be extremely cautious of opening Word and Excel files with macros that were sent from an external email account, and employing endpoint detection and response sensors on workstations and servers that provide early warning of attacker behaviors using system tools that would not otherwise trigger an anti-virus alert. It is also prudent to remind anyone with privileged access to critical systems about ways to recognize social engineering methods, which have been a staple of many cyber-intrusions by the Islamic Revolutionary Guard Corps (IRGC). In many cases, these intrusions are used both to exfiltrate valuable data, which has been reused to aid in attacking other organizations, and to ensure a strong foothold on a network prior to launching a more destructive attack.