Christopher Krebs, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), issued a warning last week that Iranian threat actors are preparing malware attacks against U.S. businesses and government agencies.
In a statement issued on Saturday, June 22, Krebs said:
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
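The statement names password spraying alongside spear phishing and credential stuffing as the initial-access tactics behind these intrusions. As an added example (not part of the CISA statement or this article), the script below shows what spraying looks like in authentication logs and how it differs from ordinary brute force: a sprayer produces a few failures across many distinct accounts from one source, while brute force concentrates many failures on one account. The log format, field names, thresholds and addresses are constructed assumptions, not any real product's format.

```python
"""Separate password spraying from brute force in authentication logs.

Added example; the log lines below are constructed (RFC 5737 documentation
addresses) and the format is an assumption, not a real product's output.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: one spraying source, one brute-force source, one benign typo.
SAMPLE_LOG = """\
2019-06-22T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-06-22T10:00:03Z src=203.0.113.7 user=bob result=FAIL
2019-06-22T10:00:04Z src=203.0.113.7 user=carol result=FAIL
2019-06-22T10:00:06Z src=203.0.113.7 user=dave result=FAIL
2019-06-22T10:00:07Z src=203.0.113.7 user=erin result=FAIL
2019-06-22T10:00:09Z src=203.0.113.7 user=frank result=SUCCESS
2019-06-22T10:00:10Z src=198.51.100.9 user=mallory result=FAIL
2019-06-22T10:00:11Z src=198.51.100.9 user=mallory result=FAIL
2019-06-22T10:00:12Z src=198.51.100.9 user=mallory result=FAIL
2019-06-22T10:00:13Z src=198.51.100.9 user=mallory result=FAIL
2019-06-22T10:00:14Z src=198.51.100.9 user=mallory result=FAIL
2019-06-22T10:00:15Z src=198.51.100.9 user=mallory result=FAIL
2019-06-22T10:00:20Z src=192.0.2.5 user=alice result=FAIL
2019-06-22T10:00:40Z src=192.0.2.5 user=alice result=SUCCESS
"""

# Assumed line layout: ISO timestamp, then space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|SUCCESS)$"
)


def parse_events(log_text):
    """Return time-sorted (timestamp, src, user, success) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "SUCCESS"))
    events.sort()
    return events


def classify_sources(events, window=timedelta(minutes=30), min_users=5,
                     max_per_user=3, brute_threshold=5):
    """Map each suspicious source address to a finding.

    A spray: within `window`, failures against at least `min_users` distinct
    accounts with no single account failing more than `max_per_user` times.
    Brute force: within `window`, at least `brute_threshold` failures all
    against one account. Thresholds are illustrative and should be tuned.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if not e[3]]
        successes = [e for e in evs if e[3]]
        for i, (start, _, _, _) in enumerate(failures):
            in_window = [e for e in failures[i:] if e[0] - start < window]
            per_user = Counter(e[2] for e in in_window)
            # Any success from the same source after the window opened is a
            # candidate compromised account and deserves a password reset.
            later_success = sorted({e[2] for e in successes if e[0] >= start})
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                findings[src] = {"pattern": "password-spray",
                                 "users_tried": len(per_user),
                                 "failures": len(in_window),
                                 "possible_compromise": later_success}
                break
            if len(per_user) == 1 and len(in_window) >= brute_threshold:
                findings[src] = {"pattern": "brute-force",
                                 "users_tried": 1,
                                 "failures": len(in_window),
                                 "possible_compromise": later_success}
                break
    return findings


if __name__ == "__main__":
    for src, finding in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(src, finding)
```

On the constructed sample, 203.0.113.7 is flagged as a spray with one later success for `frank`, 198.51.100.9 is flagged as brute force against `mallory`, and 192.0.2.5 (one failure then a success for the same user) produces no finding. Note that the per-account failure count is exactly what spraying is designed to keep below lockout thresholds, which is why per-source, cross-account correlation is needed rather than per-account counters alone.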
Krebs’ alert was amplified with detail from the Insikt research arm of security provider Recorded Future, which has been tracking the infrastructure building and targeting activity of the hacking group APT33 (also known as Elfin and reportedly linked to the Iranian government). APT33 has been engaged in cyberespionage since 2013, Insikt said, mostly zeroing in on targets in the Middle East. But the group has also hit businesses in the U.S., Europe and South Korea across a variety of industrial sectors, the researchers said.
“Our research found that APT33, or a closely aligned threat actor, continues to conduct and prepare for widespread cyber espionage activity, with over 1,200 domains used since March 28, 2019 and with a strong emphasis on using commodity malware,” Insikt said in a blog post. “Commodity malware is an attractive option for nation-state threat actors who wish to conduct computer network operations at scale and hide in plain sight among the noise of other threat actor activities, thus hindering attribution efforts,” the researchers said.
In an interview with Ars Technica, Krebs said that the U.S. must “step up our game” to match the spike in activity and the potential for destructive campaigns. “Over the course of the last couple of weeks, and in particular last week I’d say, became specifically directed,” he said. U.S. intelligence and cybersecurity vendors reported a “significant leap in spear-phishing attacks connected to infrastructure associated with APT33 against targets in the U.S. over the past week,” Krebs told Ars. “So you combine that increase in activity with a historic intentionality and demonstrated ability, after previous destructive campaigns, and it was time to make a statement and say, ‘Hey look, everybody, this is heating up. And politically it is also heating up... We need to step up our game.’”
At this point no malicious payloads have been tied to the current APT33 activity, but Krebs described the sharp rise as a “dramatic increase” of the kind that in previous campaigns has led to data deletion, wiper attacks or ransomware. As such, protecting federal, state and local government agencies is a top priority, he said.
“That’s where I think we’ve got a lot to do—work in the federal government, to state, local governments, and work in Congress,” Krebs told Ars. “What are we going to do here to make it harder for the bad guys to be successful? How are we going to shore up these systems, and do it in a way that is reasonable to the people that actually own the network to do it with their own resources with help from the federal government? So, we are engaging at the state and local level with governments.”