Are Iranian hackers going after U.S. banks again?
The threat of Iranian cyberattacks on banks and other critical infrastructure in the U.S. has increased amid escalating bilateral tensions, government agencies and cybersecurity firms say.
For bankers, this may stir memories of the fall of 2012, when Iranian hacker groups ran a series of successful distributed denial of service attacks against U.S. banks. (In a DDoS attack, hackers flood a web server with fake or malicious traffic in an attempt to slow down or completely shut down that server.) Banks responded by investing in content delivery networks from vendors like Akamai and Cloudflare, eventually getting the problem under control.
This time, security experts say, Iranian hackers are infiltrating banks, government agencies and energy companies and lurking, gaining intelligence about U.S. infrastructure for future attacks.
The government is "aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies," Christopher Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, said in a statement last week.
These attackers are “increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money,” Krebs said. “These efforts are often enabled through common tactics like spearphishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
Krebs advised shoring up basic defenses by using multifactor authentication, among a host of other security tips.
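Krebs's statement above names password spraying and credential stuffing as the common entry tactics, and MFA as the first line of defense. What follows is an added example, not code from the article or from any of the agencies or firms quoted in it: a small detector run over constructed authentication log lines that separates a password spray (one or two guesses against many accounts from a single source, staying under the per-account lockout threshold) from a brute force against one account, and records any successful login from a spraying source, which is the "account compromise" Krebs describes. The log format, the window and all thresholds are assumptions chosen for illustration.

```python
"""Password-spray vs. brute-force detection over authentication logs.

Added example; the log format ('timestamp source_ip user result'), the
window and the thresholds are assumptions, not any vendor's defaults.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.7 tries many accounts once each and
# finally succeeds on one (spray + compromise); 198.51.100.9 hammers a
# single account (brute force); 192.0.2.44 is an ordinary user who
# mistyped a password once.
SAMPLE_LOG = """\
2019-06-24T09:00:01Z 203.0.113.7 alice FAIL
2019-06-24T09:00:02Z 203.0.113.7 bob FAIL
2019-06-24T09:00:03Z 203.0.113.7 carol FAIL
2019-06-24T09:00:04Z 203.0.113.7 dave FAIL
2019-06-24T09:00:05Z 203.0.113.7 erin FAIL
2019-06-24T09:00:06Z 203.0.113.7 frank FAIL
2019-06-24T09:00:07Z 203.0.113.7 grace OK
2019-06-24T09:00:10Z 198.51.100.9 admin FAIL
2019-06-24T09:00:11Z 198.51.100.9 admin FAIL
2019-06-24T09:00:12Z 198.51.100.9 admin FAIL
2019-06-24T09:00:13Z 198.51.100.9 admin FAIL
2019-06-24T09:00:14Z 198.51.100.9 admin FAIL
2019-06-24T09:00:15Z 198.51.100.9 admin FAIL
2019-06-24T09:05:00Z 192.0.2.44 alice FAIL
2019-06-24T09:05:20Z 192.0.2.44 alice OK
"""

WINDOW = timedelta(minutes=10)        # assumed sliding window per source
SPRAY_MIN_ACCOUNTS = 5                # assumed: distinct accounts failing from one source
SPRAY_MAX_FAILS_PER_ACCOUNT = 2.0     # assumed: sprays stay below lockout per account
BRUTE_MIN_FAILS = 5                   # assumed: repeated failures on one account


def parse_log(text):
    """Parse 'timestamp source_ip user result' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort()
    return events


def analyse_window(evs):
    """Classify one source's events inside a single window, or return None."""
    fails = defaultdict(int)
    successes = set()
    for _, user, result in evs:
        if result == "FAIL":
            fails[user] += 1
        else:
            successes.add(user)
    if not fails:
        return None
    per_account = sum(fails.values()) / len(fails)
    if len(fails) >= SPRAY_MIN_ACCOUNTS and per_account <= SPRAY_MAX_FAILS_PER_ACCOUNT:
        verdict = "password_spray"       # many accounts, few tries each
    elif max(fails.values()) >= BRUTE_MIN_FAILS:
        verdict = "brute_force"          # one account, many tries
    else:
        return None
    # Any success from a source already failing against other accounts is
    # the account compromise that needs follow-up, not just a blocked source.
    return {"verdict": verdict, "accounts_tried": len(fails),
            "successes": sorted(successes)}


def detect(events, window=WINDOW):
    """Return {source_ip: finding} for sources that look abusive."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` of time.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            finding = analyse_window(evs[start:end + 1])
            if finding:
                findings[ip] = finding   # keep the most recent verdict per source
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Keying on source IP is the simplest form of the check; a spray spread across many addresses would fall under the per-source threshold, so production detections also correlate on the set of targeted accounts, user agent, or the authenticating application over the same window. Successful logins flagged here are the events worth an MFA challenge and a session review rather than only a block on the source.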
Shortly afterward, two threat intelligence companies, CrowdStrike and FireEye, reported seeing Iranian government-connected hacking groups step up their phishing attacks on U.S. targets in retaliation for recent U.S. government actions against Iran, including a cyberattack on an Iranian government-sponsored militia group.
“They’re usually reliable on this. Their forensics are good, so if they say it, I would buy it,” said Bruce Schneier, chief technology officer at IBM Resilient.
Are banks being targeted?
The banking industry’s cybersecurity threat-sharing group, the Financial Services Information Sharing and Analysis Center, declined a request for an interview about the potentially heightened threat for banks. It offered a statement that said, “In light of recent public announcements, the FS-ISAC is actively monitoring for threats.”
But one chief information security officer at a bank, who spoke on condition of anonymity, said he knows of banks that are noticing increased traffic from Iran.
“My institution tends to see a steady amount of automated scanning from the Iranian IP space anyway so for us, it’s nothing abnormal,” he said. “While the increased scanning some banks are seeing could be meant to send a message in light of the geopolitical tensions, scanning in and of itself is not a big concern. That’s life on the internet. What worries me more is what we don’t see. We know some Iranian groups have significant cyber capabilities and they won’t be the ones noisily scanning. In fact, that type of activity won’t originate from Iranian IP space for obvious reasons.”
Benjamin Read, senior manager of cyberespionage analysis at FireEye, said that during the week of June 11, he found that banks, along with other private-sector firms and government agencies, were targeted with an unusually large volume of spearphishing attacks coming from Iran. FireEye analysts didn’t see this activity the following week. “But that doesn't mean it's over,” Read said.
FireEye has devices that intercept spearphishing attacks, scan incoming emails to block them, and track callouts to suspicious domains.
“We also do incident response where we go in and kick the bad guys out and uncover everything they've done,” Read said.
FireEye has not seen any DDoS attacks coming from Iran against the financial sector lately.
For Read, the unusual thing about the recent spearphishing attacks on banks is that they’re being conducted by a group FireEye calls APT33.
“This is a group that has undertaken disruptive attacks before, as recently as December 2018,” he said. “It does matter who is spearphishing you.”
FireEye has been tracking APT33 for almost six years.
“The majority of what they do is intelligence gathering,” Read said. “They've targeted oil and natural gas companies in the Gulf and they've targeted U.S. defense contractors trying to get military secrets.”
Analysts at Opora, a cybersecurity adversary threat management company based in Israel, have seen an increase over the last two months in malware attacks created by Iranian actors targeting U.S. banks.
“The hackers that we see could fit the regular cybercrime profile, yet they seem to be nation-state affiliated,” said Noam Jolles, chief intelligence officer at Opora. “A few of this group’s actors were identified as past computer science students at Tehran University and employees of Iran’s telecom companies.”
As part of its cybersecurity coverage for the financial sector, Opora monitors name servers used by adversaries, including Iranian cybercriminals.
“We see a growing presence of these servers on campaigns targeting U.S. banks as well as a growing number of phishing domains utilizing U.S. banks’ names using these name servers,” Jolles said.
Most of this activity is phishing campaigns targeting U.S. banks of all sizes, she said.
Protecting the institution
To guard against spearphishing, banks need to train their employees not to click on links in emails and to install anti-phishing software. But a higher level of diligence is required in this case, according to Read.
“You're never going to stop everybody, especially in a larger institution, from falling for spearphishing emails,” Read said. “So it's also important to be prepared to detect them after they compromise somebody and to be able to differentiate between Jim from Accounting clicked on another spearphish and got something that might steal his banking passwords versus letting in a nation-state threat that is going to move laterally and we now need to do a more full response than just reimaging Jim’s system. Being able to prioritize the different types of intrusions that can happen is important.”
Adam Meyers, vice president of intelligence at CrowdStrike, said his company does not have any evidence that U.S. banks are being targeted by Iranian hackers.
“But we do know that at least one Iranian adversary we track, Refined Kitten, has changed tactics and has likely begun targeting the government and financial sectors in the U.S.,” he said.
Refined Kitten is another name for the group FireEye analysts call APT33.
Meyers said that the group’s phishing campaigns include an email about a job opportunity at the Council for Economic Advisors in the Executive Office of the President.
David Kennedy, a former threat intelligence analyst in the Marine Corps and at the National Security Agency and current CEO of the cybersecurity firm TrustedSec, said his company has also seen an increase in cyberattacks by Iranian hackers on the financial industry.
“We’re continuing to see a much more aggressive approach that includes the financial sector and core infrastructure,” Kennedy said. “The financial institutions are backbones of the U.S. economy and government and money flowing in and out of the country. Those are all important pieces Iran looks at in how to inflict maximum damage.”
Hackers in Iran aim for longer-term infiltration of financial institutions so they’re ready to cause outages in the event of a military conflict, he said.
“That’s a concern for us and should be a concern for the U.S. financial system,” Kennedy said.
TrustedSec analysts said the attacks go beyond phishing campaigns and denial-of-service attacks.
“They’re also directly hacking into the company websites for the purpose of defacement, in an attempt to hurt brand reputation,” Kennedy said.
His analysts have responded to some ransomware attacks coming from Iran. Community banks are more susceptible because they don’t have all the right protections in place, said Alex Hamerstone, governance, risk management and compliance practice lead at TrustedSec.
“One thing we see consistently with a lot of these attacks is they take advantage of the fact that a lot of basic cyberhygiene is not being done” in smaller IT departments, said Hamerstone. “It’s going to require continued and increased vigilance.”
Read offered a note of hope to security people.
The attackers “are not wizards,” he said. “If an IT department is set up correctly, you can defend yourselves against the stuff they do. So it's not hopeless.”