Iran-based security threats are on the rise as state-sponsored groups and Iranian “hacktivists” use new types of malware to attack companies’ networks for espionage and financial gain, according to a new Accenture report.
The Cyber Threatscape Report 2018 is based on intelligence collected from and analyzed by the Accenture Security iDefense threat intelligence team between January and July. Last year Accenture acquired threat intelligence company iDefense from VeriSign.
This year’s report highlights five areas affecting companies’ security posture. These are:
- Growing Iranian threats
- Extended supply chain threats
- Critical infrastructure as a high-value target
- Financially motivated advanced persistent threats
- Miner malware creating a cryptocurrency surge
Spear-phishing remains a successful way for hackers to target companies’ networks, as do “watering-hole type attacks,” said Josh Ray, global cyber defense lead for Accenture Security. In a watering-hole attack, the attacker compromises a number of websites that a particular organization or industry visits frequently; eventually some members of the targeted group become infected when they visit those sites.
“We’re also seeing an uptick in cryptomining attacks and the malware being used to further political or strategic objectives,” Ray said.
In line with other recent threat reports, Accenture says the use of miner malware has been one of the largest growth areas in cybercrime this year, and that its growth will likely continue into 2019.
Supply Chain Attacks
While the iDefense team has been monitoring security threats and threat actors for the past 20 years, Ray said two things jumped out at him from the new report.
“Number one, the Iran-based threat is getting a lot of attention based on the current climate,” he said. “And the thing that still remains a big issue from a network security standpoint is the supply chain threat.”
Supply chain attacks aren’t new — hackers have long used the third-party firms that underpin global organizations’ operations to infiltrate a targeted company’s network. But they remain effective, Ray said, because even if an organization has strong security standards and controls in place, the suppliers that have access to its systems may not.
Criminals, nation-states, and hacktivists are all exploiting these supply chain vulnerabilities using tools like weaponized software updates, the report says. For example, Chinese and Russian groups have used malware campaigns to install infected software that collects financial information and companies’ data.
“As organizations start to harden their defenses, their business relationships may be the path of least resistance to access their networks,” Ray said.
Iran Advances Malware Tools
The report says Iran-based cyber espionage group Pipefish is becoming more active and advancing its tool sets. This group primarily targets energy-sector companies for surveillance and espionage objectives. Newly uncovered malware from Pipefish can execute remote commands, upload files to the victim’s system, and download files from it.
“And this doesn’t just go for Iran,” Ray said. “If you are talking about cyber espionage activity, if your company produces something or you are in that business ecosystem, you are going to be a target. It’s somebody’s day job to make sure they exploit you and remain a presence on your network.”
Additionally, new Iran-based ransomware indicates that Iranian actors are likely to target global organizations by using ransomware as well as cryptocurrency miners for financial gain.
Ray said it’s still too early to tell how U.S. sanctions against Iran will affect the security landscape.
“We are taking a wait-and-see attitude,” he said. “Historically Iranian threat actors, whether state or hacktivists, have really operated when they are under extreme pressure, so we’re not sure if it will be this phase of sanctions or potential follow-on sanctions that might spur them.”