Saturday, December 16, 2017

Iran, Blacklists and Red Sky Small Business

On Tuesday, the 60 day deadline Trump gave Congress to fix or scrap the 2015 Iran nuclear deal passed, leaving another deadline in mid-January for the State Department to act. Will it happen? Who knows, but what we do know is that cyber activity associated with pro-Iranian hackers appears to have been escalating over the last month, targeting organizations in the US, Qatar, Saudi Arabia, and others.

Photo credit: Reuters

Earlier this year the Saudi government warned telecommunications companies of cyber attacks against 15 organizations, including the Saudi Labor Ministry, and Sadara, a venture between Saudi Aramco and Dow Chemical.

Wapack Labs is currently tracking 13 cyber groups with varying levels of pro-Iranian sentiment or Iranian association, ranging from possible government sponsorship (APT) to pro-Iranian hacktivism.

Why do we care? In 2014, leading up to John Kerry sealing the original deal, we watched what we believed to be both APT and pro-Iranian hackers stockpile cyber tools, and we called out the idea that if the deal went badly for Iran, both Iranian hackers and their cyber allies could be preparing to use cyber as a possible equalizer.

Many of the tools that we saw being gathered back then took advantage of opportunistic targeting: they scanned a broad area of the internet, and the tools automatically targeted those organizations that had openings that could be exploited through automation. At the same time, backdoors and other tools are used for targeted approaches against organizations of prominence or significance. This is not a new tactic. During the Petya/NotPetya campaign, we reported that below the noise of the ransomware a second attack was operating that targeted specific organizations in an attempt to steal credentials.

Cyber is the equalizer and will always be involved where there's geopolitical risk.

Starting in the mid-90s we watched the Mexican Zapatistas use DDoS tools against places like the German Stock Exchange to garner support for their cause. Since then, hundreds of other organizations have followed suit, whether to bring support to a cause, to attempt to change the outcome of an impending action, or for retribution. Even back then, the Zapatistas were not the direct actor in the fight; rather, they allied with hacker groups who built DDoS tools and took their fight to public organizations (the German Stock Exchange, for one) because they knew the action would appear in the news and, if associated with them, would bring attention to their cause. The effectiveness of this action could be debated. I'm probably one of a handful of people that tracked it enough to know the story.

That being said, I tell my team on a daily basis "Where there's geopolitical risk, there will always (now) be a cyber threat to someone". The Iranian story is no different.

In the past 45 days or so, we've seen long-standing backdoors being used by actors who we and others have attributed to operating for, or in support of, Iran.

In the last 18 days we've seen an uptick of a new attack profile with characteristics similar to previous attacks. If the linkage is true, then we've likely seen the escalation.

BT

Changing gears. We're heading into Christmas. Last week we ran two days of fraud-related presentations, one for Red Sky Alliance members and one for the general public. Our second day was announced through a public service announcement on WMUR, the local ABC affiliate in New Hampshire, and for those of you who attended, we hope you found it useful. Throughout the holiday period we've been publishing blacklists with monitor and/or block recommendations for addresses ranging from fraud to theft. Thank you to those of you who've provided feedback.

Last, we've opened the Red Sky Small Business Alliance, a no-cost location for small businesses to come for help. If you qualify as a small business under the SBA rules, please feel free to join us. Both Red Sky Alliance and Red Sky Small Business Alliance are now officially registered with DHS as Information Sharing and Analysis Organizations, affording the CISA legal protections to those who request assistance.

Red Sky Small Business can be found at redsky-sba.ning.com.

As always, if you have any questions on services offered or membership in the information sharing environments, drop us a note.

Until next time,
Have a great weekend.
Jeff