Iran Leak Hints at Second Tier Targets as Next Terror Gateway

Leaked Iranian documents indicate a shift to hacking Tier-2 buildings and facilities, mainly in the U.S., Europe, and the Middle East.

In May 2020, CISO MAG reported on Project Signal, an Iranian state-sponsored ransomware operation. State-sponsored actors from Iran have often been linked to various cyberespionage campaigns targeting organizations globally. A recent report by Sky News exposed a trove of documents that appear to be from a branch of the Islamic Revolutionary Guard Corps (IRGC), Intelligence Group 13. These findings show a coordinated attempt to collect information on the vulnerabilities of second-tier targets, including vulnerabilities that could be used to capsize merchant vessels, remotely control the electrical controllers used in building management systems, and tamper with fuel pumps, triggering spills or explosions.

Since 2019, hundreds of U.S. companies and local government agencies have fallen victim to cyberattacks. Now, leaked documents outline Iran’s intentions to gather information meant to attack Building Management Systems (BMSs), which are notoriously overlooked when setting up cybersecurity programs. BMSs are easy targets for two reasons. First, they rely on connecting building devices via the internet, even connecting to a remote facility that may operate vulnerable devices. Second, they are attractive to attackers because buildings rely on contractors to maintain facilities, and those contractors may not follow proper cybersecurity practices, such as authentication and secure access.

Why second-tier targets are valuable

“Many of these second-tier targets seem irrelevant at first,” said Ilan Barda, Founder and CEO of Radiflow, a cybersecurity company that focuses on securing OT facilities. “What makes them so valuable is their potential to be used as a gateway to building systems. Once inside, a hacker can manipulate air circulation units, elevators, and any other critical infrastructure to carry out physical attacks.”

Another concern in the Iranian cyber report is the group's intention to find vulnerabilities in specific satellite communication (SATCOM) gateways. In some countries, poorly protected wireless networks can be exploited by attackers, allowing them to access vulnerable SATCOM terminals on the network. While some of the reports focused on hypothetical attacks, this piece showcased their potential for data collection and coordinated attacks.

A few questions to be answered

Some questions remain regarding the intention of the Iranian military hacking group. Upon reviewing the report, Michael Langer, a renowned cyberwarfare expert and CPO of Radiflow, believes that this report may only specify their intent to pursue cyber terror further. “Iran is looking to expand the outreach and objects of their cyber-attacks,” said Langer. “Their history of disruptive cyber offensives on Saudi Arabian oil refineries and Israeli water management facilities is to be taken seriously. The Iranians’ mapping of BMS vulnerabilities may indicate a shift to target more easily exploitable sites. It’s time to think differently.”

How can organizations defend themselves?

While these attacks are causing CISOs and cybersecurity teams to take notice, the tools most companies need to secure their systems already exist. “Familiar basic-hygiene practices are common tools that a growing number of the population recognize,” said Barda. “Segmentation, password validation, two-factor authentication, and cyberthreat detection mechanisms can act as a deterrence for attackers.”

Many companies have seen recent headlines surrounding cyberattacks without realizing they may be next. However, simple precautions may be the difference between another day at the office and a cyberattack that deploys ransomware or exfiltrates sensitive data.

Radiflow is an OT Cybersecurity company that has unique tools to protect and manage digital assets for the long term. They work directly with Managed Security Service Providers to oversee the discovery and management of all relevant data security points.