What could an Iranian cyber-attack on the United States mean?


Almost immediately after the United States killed Iran’s top military General Qasem Soleimani, the world turned to watch how the Middle Eastern country would retaliate.

The world took that to mean that another world war was imminent and that President Donald Trump's justification that he [the general] was "planning to blow up the U.S. embassy in Iraq" would fall short this time.

Cybersecurity fellow for the Carnegie Endowment for International Peace Jon Bateman told The Washington Post that "a cyberattack should be expected" in retaliation for Soleimani's assassination.

Even the U.S. ambassador to the United Nations, Kelly Craft, justified this assassination to the U.N. Security Council as an act of "self-defence".

While Iran is not considered one of the world's most aggressive cyber-threats, the concern is not insignificant. Previous Iranian cyber-attacks have been characterized by unpredictability, and the U.S. government does not know how Iran's capabilities have developed in recent years.

So the question is: what could the consequences of this cyberwar between Iran and the United States be?

The Muy Interesante team has spoken to cyber-security expert Deepak Daswani (The Hacker Threat, 2018) to analyze the situation and weigh the possible consequences. 

Q: Does Iran really pose a danger to cybersecurity?

Daswani: "In the wake of the latest news and the US assassination of General Soleimani, there is much speculation that Iran will use cyberspace as a battleground to launch its response. In this sense, Iran could pose a danger to cybersecurity, but so could all other states with offensive capabilities in this area, which, as we know, are many. Over the past few years, we have learned about numerous attacks launched by nations against other countries, as well as against specific groups, companies, or even individuals who are dissidents of a regime. These are usually sophisticated attacks, which require planning, resources and the deployment of capabilities. They are attacks launched on specific sectors and targets depending on the attacker's motivation, but obviously not on the whole world. Unlike the massive attack campaigns that cybercriminals launch in order to obtain maximum profitability with minimum investment, attacks that come from states always have very specific and targeted objectives."


Q: Some voices on the Internet seem to assume that what has happened means that a Third World War is almost imminent which, unlike previous ones, would be cybernetic. What do you think about this statement?

Daswani: "This is nothing new to those of us who know this world. For many years now there have been numerous incidents of war between countries. One of the most talked-about for years in the media, security conferences, series and even movies was precisely between the United States and Iran. We are talking about Stuxnet, the first attack on an Iranian nuclear plant in 2009, which came from the United States and Israel. In fact, this attack and others that followed it led to the appearance of an acronym that has been widely used since then and in recent years in the cybersecurity sector: APT (Advanced Persistent Threat). It defines precisely the targeted attacks on specific targets we referred to, which have a very high level of sophistication and planning, and behind which, in many cases, there are governments."

With regard to the reference to a Third World War, the expert comments: "As we have seen throughout history, there have already been some incidents of cyberwar between countries. In addition to Stuxnet, we could mention Operation Aurora, the incidents between Estonia and Russia, China and the United States... Actually, the scenario that cyberspace constitutes is a different context that has little to do with the physical world, where, obviously, when there is an attack by the army of a country, the whole world is aware. In this sense, the attacks that take place on the Internet are not so easily appreciated. In many cases, they are very complex and sophisticated attacks, which are perpetrated in a global way and in which the most difficult thing is to attribute the authorship of the attack to an army or a nation. In most cases, after investigation, it is possible to speculate who was behind an attack, but ultimately it is impossible to guarantee the veracity of this assumption 100%, so it is clear that those responsible in different countries generally do not recognize or assume their possible responsibility or involvement in an attack either. This is what makes cyberspace a very attractive framework for launching these attacks. On the other hand, it will always be less expensive to launch exploits through the net than to mobilize an army to a country."

"What is a reality is that for a few years now there have been operations taking place in virtual space, and as we have previously stated, in practice it is very difficult to attribute the authorship of attacks with certainty. On the other hand, something that also happens today is that on many occasions, in traditional warlike conflicts, attacks in the physical world are preceded by attacks in cyberspace, which seek to attack the infrastructure that supports the defences of the nation or country to be attacked. We saw an example of this a few years ago in the conflict in Libya, where the United States raised the possibility of launching cyberattacks to temporarily cut off military communications for the defence of Libya so that they could not send missiles at NATO planes."

Q: It's been a few days and there doesn't seem to have been a significant response. Be that as it may, what would be the most genuine concerns and consequences of such an attack? Could it affect us?

Daswani: "An attack of this nature involves planning, resources and deployment of capabilities. In addition, these are attacks that generally consist of several stages and go through different phases. On the other hand, the fact that a generalised alert is created at a global level in order to be able to detect an offensive of these characteristics also means that the attacker must maximise precautions in order not to be detected. In principle, as we could see, the target of a response from Iran would be the United States, for obvious reasons, so it is their critical infrastructure and their organizations that could be among the main targets. But anything can happen. Let's remember that beyond these incidents of cyber attacks between countries, we have seen cases in recent years of highly publicized incidents in which organizations and infrastructures of different countries have been compromised, like the famous WannaCry, the most mediatic cyber-attack in history, or NotPetya, which took place just a month later. It is also possible that other actors outside the conflict, such as other states or cyber-criminal organizations, could take advantage of the moment to launch a campaign of attacks, trying to point to Iran as the responsible country in order to generate confusion and avoid detection. The good or bad thing about attacks in cyberspace is that it is difficult to ultimately attribute actual authorship of an attack, although in many cases, over time, one can almost certainly point to it."

Q: What preventive measures would you advise users or companies to take?

Daswani: "Well, maximize precaution by following the security guidelines that are always noted. But in particular, be extremely cautious about opening emails, clicking links or opening attachments, even in those emails that appear to come from known and trusted senders. In this type of targeted attack, the level of sophistication is such that the target's environment is known and it is possible to use highly credible decoys to impersonate trusted contacts through targeted phishing attacks in order to steal credentials and gain the first point of access to the attacked organization. On the other hand, it is essential to always keep systems updated to prevent them from being compromised by known vulnerabilities. This must be a maxim. It is true that in the face of a zero-day vulnerability (not even known by the manufacturer) nobody can protect themselves, and that sophisticated attacks such as the ones we are discussing could use this type of cyber-weapon, but we return to the fact that in practice, it makes sense that these would be used on specific targets and would not be 'wasted' to launch a massive attack. In any case, even being aware that today it is not possible to expect to avoid being compromised at some point, it is possible to mitigate the impact that a possible cyberattack may have. And this requires the implementation of these measures and many others, including training the organization's staff on cybersecurity awareness. The latter is essential to prevent workers from falling into the traps of cybercriminals. In addition, it is imperative that organizations that have not developed an incident response plan make the development of such a plan a priority. We must assume that at some point we may be victims of a cyber attack, and that it is essential to be prepared for something to happen and to know how to react."
