The day after the United States conducted a drone strike in Iraq that killed Iranian General Qasem Soleimani, a major regional power broker, New York’s Department of Financial Services (DFS) published a press release warning of the cyber threat from Iranian retaliation.
The department, which supervises more than 4,000 companies with a combined $6.2 trillion in assets, has good reason to issue the alert. In what was one of the largest hacking campaigns of its time, a group calling itself the “Cyber fighters of Izz Ad-Din Al Qassam” launched a prolonged series of attacks on American financial institutions: ‘Operation Ababil.’
Starting in 2012, the aggressors (widely held to have been working for Iran’s government) attacked up to 46 companies, including Bank of America and J.P. Morgan Chase, as well as the Nasdaq stock exchange. The attacks, a form of distributed denial of service, cost “tens of millions of dollars” in damage over just 176 days.
Operation Ababil is believed to have been executed in retaliation for sanctions against Iran and for a 2010 cyber attack against its nuclear programme. Stuxnet, a jointly built American/Israeli cyberweapon in the form of a malicious computer worm, dealt a heavy blow to Iran’s nuclear capabilities, knocking more than a hundred thousand computers supporting its infrastructure offline.
After the Stuxnet experience, Iran greatly enhanced its cyber capabilities under the guidance of General Qasem Soleimani, which makes it all the more likely that these operatives will be inspired to attack vigorously.
The Iranian Cyber Army (ICA) is credited with a number of large-scale attacks in recent history and is noted by many experts as being a “serious power” in cyber. Some posit that they are more advanced in this form of warfare than Russia or North Korea.
The ICA has been linked to a massive 12-hour power outage in 2015 that hit 44 of Turkey’s 81 provinces, affecting 40 million people. In 2016, Iranian hackers also attempted to attack a dam in New York, and they were responsible for a 12-hour cyberattack on the British Parliament in June 2017, just two years ago, that compromised around 90 email accounts belonging to MPs.
Beyond prompting the DFS alert, the strike also rattled markets, with investors piling into safe havens. Gold has risen to its highest price in 7 years. Oil, in anticipation of further Middle Eastern instability, jumped 4% within minutes of the General’s death.
The full release from the Department of Financial Services, titled “Cybersecurity Risk Alert”, is reproduced below.
“There is currently a heightened risk of cyber attacks from hackers affiliated with the Iranian government. The Iranian government has vowed to retaliate against the United States for the death of Qassem Soleimani. Given Iranian capabilities and history, U.S. entities should prepare for the possibility of cyber attacks.
“It is particularly concerning that Iran has a history of launching cyber attacks against the U.S., and the financial services industry. For instance, in 2012 and 2013, Iranian-sponsored hackers launched denial of service attacks against several major U.S. banks. And the U.S. government recently advised in June 2019 it observed “a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” and that Iranian attackers were increasingly using highly destructive attacks that delete or encrypt data.
“DFS therefore strongly recommends that all regulated entities heighten their vigilance against cyber attacks. While currently there are no specific, credible, reports of new Iranian-sponsored cyber attacks in the past few days, all regulated entities should be prepared to respond quickly to any suspected cyber incidents. Iranian-sponsored hackers have historically relied primarily on common hacking tactics such as email phishing, credential stuffing, password spraying, and targeting unpatched devices.
“DFS therefore recommends that all regulated entities ensure that all vulnerabilities are patched/remediated (especially publicly disclosed vulnerabilities), ensure that employees are adequately trained to deal with phishing attacks, fully implement multi-factor authentication, review and update disaster recovery plans, and respond quickly to further alerts from the government or other reliable sources. It is particularly important to make sure that any alerts or incidents are responded to promptly even outside of regular business hours – Iranian hackers are known to prefer attacking over the weekends and at night precisely because they know that weekday staff may not be available to respond immediately.
“Regulated entities should also promptly notify DFS of any significant or noteworthy cyber attack. DFS’s cyber regulation requires notification “as promptly as possible but in no event later than 72 hours” after a material cybersecurity event. 23 NYCRR 500.17. And, in light of the current threat, we urge all regulated entities to notify DFS of any material incidents as soon as possible given the heightened risk, and certainly no later than the required 72 hours. This will enable DFS to disseminate information about new cyber attacks as quickly as possible.
“Any questions or comments regarding this alert should be directed to CyberAlert@dfs.ny.gov.”
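The alert above names password spraying and credential stuffing as the attackers’ preferred tactics and stresses that activity often lands on weekends and at night. The following Python script is an added example, not part of the DFS release or any DFS tooling: it runs a simple password-spraying detector over a handful of constructed authentication log lines (one source address failing against many distinct accounts inside a short window) and tags each alert with whether it fell outside business hours, so an on-call rota can be paged. The log format, field names, thresholds and the 08:00–18:00 UTC business window are all assumptions chosen for the example.

```python
"""Flag password-spraying patterns and off-hours failures in authentication logs."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines for this example (not real data).
# 2020-01-04 is a Saturday; 2020-01-06 is a Monday.
SAMPLE_LOG = """\
2020-01-04T02:11:03Z FAIL user=alice src=198.51.100.7
2020-01-04T02:11:09Z FAIL user=bob src=198.51.100.7
2020-01-04T02:11:15Z FAIL user=carol src=198.51.100.7
2020-01-04T02:11:22Z FAIL user=dave src=198.51.100.7
2020-01-04T02:11:30Z FAIL user=erin src=198.51.100.7
2020-01-04T02:11:41Z FAIL user=frank src=198.51.100.7
2020-01-06T09:15:02Z FAIL user=alice src=203.0.113.5
2020-01-06T09:15:20Z OK   user=alice src=203.0.113.5
2020-01-06T11:02:00Z FAIL user=grace src=192.0.2.9
2020-01-06T11:40:00Z FAIL user=heidi src=192.0.2.9
"""


def parse_events(text):
    """Parse '<ISO-8601 UTC> <OK|FAIL> user=<name> src=<ip>' lines (assumed format)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "ok": result == "OK",
            "user": kv["user"],
            "src": kv["src"],
        })
    return events


def is_off_hours(ts, business_start=8, business_end=18):
    """True on weekends or outside the (assumed) 08:00-18:00 UTC business window."""
    return ts.weekday() >= 5 or not (business_start <= ts.hour < business_end)


def detect_password_spraying(events, window=timedelta(minutes=10), min_users=5):
    """One alert per source that failed against >= min_users distinct accounts within `window`.

    A normal user mistyping a password fails repeatedly on ONE account; a spray
    fails once or twice on MANY accounts, so distinct usernames per source is the signal.
    """
    failures_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            failures_by_src[e["src"]].append(e)

    alerts = []
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start, best_users, best_start = 0, set(), None
        # Sliding window over this source's failures, keeping the widest user set.
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, fails[start]["ts"]
        if len(best_users) >= min_users:
            alerts.append({
                "src": src,
                "distinct_users": len(best_users),
                "users": sorted(best_users),
                "window_start": best_start,
                "off_hours": is_off_hours(best_start),
            })
    return alerts


def triage(log_text):
    """Parse the log and return spraying alerts, off-hours ones first."""
    alerts = detect_password_spraying(parse_events(log_text))
    return sorted(alerts, key=lambda a: not a["off_hours"])


if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        flag = "OFF-HOURS" if a["off_hours"] else "business hours"
        print(f"{a['src']}: {a['distinct_users']} accounts from {a['window_start']} ({flag})")
```

On the sample data only 198.51.100.7 trips the detector (six accounts in under a minute, at 02:11 on a Saturday); the legitimate retry from 203.0.113.5 and the two unrelated failures from 192.0.2.9 stay below threshold. In production the same logic would key on whatever your identity provider logs, and the thresholds should be tuned against a baseline of normal failure rates; distributed sprays that rotate source addresses need the window keyed on something other than `src` (for example the client fingerprint or ASN), which this example does not attempt.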