Businesses should expect that Iran will conduct more aggressive cyber-ops as the war escalates, according to security analysts.
"Cyber and terrorism are the two levers that I believe Iran will pull now that their navy is decimated," retired US Army Lt. Gen. Ross Coffman told The Register. "What we saw against Stryker - it's just the beginning."
Stryker is a medical technology outfit that was last week hit by a cyber crew with ties to Iran's intelligence agency, causing a global network outage at the company. The attack represented the first destructive cyberattack to hit a US-based company during the Iran war. A week after the attack, Stryker's ordering and shipping systems remain offline.
"The Stryker hack marks the first time that Iran executed a successful full-blown disruptive attack against a major US corporation, especially against a company that plays a critical role in the healthcare supply chain," Sergey Shykevich, threat intelligence group manager at Tel Aviv-based Check Point Research, told The Register. "It's a very clear signal that Iran sends about its capabilities, but even more about its intentions and courage to execute such operations."
Iran is a less predictable cyber-adversary than nations like China and Russia. It has been conducting cyber-espionage, phishing, and disinformation campaigns for more than 15 years. It's also adept at hack-and-leak operations, and nuisance-level denial-of-service attacks. The nation’s offensive cyber teams have also developed custom malware that can remotely control water and fuel management systems.
But most of Iran's cyberattacks to date have been opportunistic, such as those in 2023 that used default passwords to break into internet-accessible programmable logic controllers used in multiple US water systems.
Even with the Stryker cyberattack, Iran "had every capability to be more sophisticated, and they did not," said Tal Kollender, a former Israel Defense Forces cyber specialist who cofounded and leads a security company called Remedio.
Another threat analyst, who asked to remain anonymous because of safety concerns, told The Register, "Iran has been using cyber aggressively for quite a while – particularly in Israel – and so there's no secret weapon that they've been holding back."
"We're not suddenly going to see some new level of aggression, because they've essentially been demonstrating their capability for quite a while, so we can really expect to see more of the same," the analyst continued. "The bigger concern is just that Iran is going to hit more targets" beyond Israel, expanding to the Gulf states, the US, and any other allied countries.
"[Iranian] actors are generally looking for targets of opportunity," they said. "They now are going to have a greater field of opportunities."
While US government agencies remain the top targets for Iran's cyber weapons, all of the security professionals we interviewed told us that American businesses are more at risk.
"The NSA is really, really good at defensive operations, and so I don't see...the attacks going against government assets, I see them going after civilian assets," said Coffman, who served more than 35 years in the US Army and is now president of Forward Edge-AI, which provides AI and cybersecurity services to US government, defense, and critical infrastructure sectors.
"As [Iran] looks at this warfare, they are really focused on the global economy," Coffman said. "We can remove their navy. We can remove their air power. We can attack them across all instruments of power, diplomatic, information, military, and economic. And they'll still have the ability to hack."
Iran has historically used hacktivists, and even cybercriminals, as proxies for government-sponsored attacks. This was the case in 2023, when CyberAv3ngers, an Islamic Revolutionary Guard Corps (IRGC)-affiliated group, broke into multiple US water facilities.
Security researchers at Symantec and Carbon Black told The Register earlier this month that MuddyWater, an Iranian cyber crew believed to be part of the Iranian Ministry of Intelligence and Security (MOIS), has been burrowed deep into multiple US companies' networks – targeting a bank, a software firm, and an airport – since the beginning of February, with more activity in the days following the US and Israeli military strikes.
Another MOIS-linked crew, Handala, claimed to be behind the Stryker hack.
"This isn't necessarily new, but it is noteworthy, as it gives the government a layer of protection through deniability and helps establish a narrative that others outside the government support its actions," Allie Mellen, a Forrester analyst and author of the book Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, told The Register.
While the hacktivist playbook isn't new, "their ability to quickly and effectively scale during a near-total domestic internet blackout is," Qrypt CTO Denis Mandich said. Before co-founding the quantum-secure encryption company, Mandich spent two decades in the US intelligence community.
"Iran and its proxies are far more likely to inflict economic pain than to risk cleaner state-on-state exchanges," he added. "Their pre-positioned access will lead to more disruption and data destruction for a cheap, scalable way to have a disproportionate impact." ®
Source: The Register