{"id":3661,"date":"2025-06-24T07:02:00","date_gmt":"2025-06-24T07:02:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3661"},"modified":"2025-06-24T07:02:00","modified_gmt":"2025-06-24T07:02:00","slug":"iranian-cyber-threats-overhyped-but-cisos-cant-afford-to-let-down-their-guard","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3661","title":{"rendered":"Iranian cyber threats overhyped, but CISOs can\u2019t afford to let down their guard"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Over the past ten days, real-world military attacks have fostered fears that Iranian threat actors would launch cyberattacks on US organizations as part of a hybrid cyber-kinetic retaliation to US intervention in geopolitical tensions between Israel and Iran.<\/p>\n<p>Among the steps that some experts say provoked Iran to respond with cyber measures is the Trump administration\u2019s backing of Israel\u2019s <a href=\"https:\/\/apnews.com\/article\/mossad-iran-israel-weapons-missiles-a504ee31c70857c8d86a0d066997e344\">surprise coordinated airstrike<\/a> against Iran that targeted, among other things, the country\u2019s nuclear facilities, as well as the administration\u2019s <a href=\"https:\/\/www.npr.org\/2025\/06\/23\/nx-s1-5441791\/takeaways-us-airstrikes-iran-nuclear-trump\">launch this past weekend<\/a> of bombing strikes on three Iranian nuclear facilities.<\/p>\n<p>Iran responded to the US <a href=\"https:\/\/www.reuters.com\/world\/middle-east\/iran-weighs-retaliation-against-us-strikes-nuclear-sites-2025-06-23\/\">assault by firing missiles<\/a> at a US airbase in Qatar, the largest American military base in the Middle East, which officials said caused no casualties or damage. 
Following this attack, Donald Trump announced a <a href=\"https:\/\/www.axios.com\/2025\/06\/23\/trump-iran-israel-ceasefire?stream=top&amp;utm_source=alert&amp;utm_medium=email&amp;utm_campaign=alerts_all\">cease-fire<\/a> between Israel and Iran.<\/p>\n<p>The military action led <a href=\"https:\/\/www.politico.com\/news\/2025\/06\/17\/us-critical-networks-iran-israel-cyber-attack-00411799\">some threat intelligence experts<\/a> and the <a href=\"https:\/\/www.dhs.gov\/ntas\/advisory\/national-terrorism-advisory-system-bulletin-june-22-2025\">US Department of Homeland Security<\/a> to warn of possible cyberattacks by hacktivists aligned with or sympathetic to Iran, as well as cyberattacks directed by the Iranian government itself.<\/p>\n<p>However, many cyber threat intel analysts say the concerns over Iran launching cyberattacks against the US were overblown in the first place, given that Iran has a poor track record as a cyber adversary and will likely, for the foreseeable future, restrict its attacks to rudimentary attacks on low-hanging fruit.<\/p>\n<p>\u201cThe truth is we\u2019re seeing Iranian actors struggle to make any tangible impact on anything they\u2019re getting involved in as things escalate on the kinetic side,\u201d <a href=\"https:\/\/www.sentinelone.com\/blog\/author\/tomhegel\/\">Tom Hegel<\/a>, distinguished threat researcher at SentinelOne, tells CSO. 
\u201cThe reality is they might get lucky finding an opportunistic target that gives them likely a bit of attention.\u201d<\/p>\n<p>Still, the cease-fire notwithstanding, in the future, shadowy and ever-morphing Iran-aligned hacktivist groups and Iranian government actors might be able to create operational headaches and reputational damage, and CISOs would do well to prepare their organizations for these possible outcomes.<\/p>\n<h2 class=\"wp-block-heading\">Iran\u2019s spotty track record of ICS, wiper attacks<\/h2>\n<p>In December 2023, the Iranian Government\u2019s Islamic Revolutionary Guard Corps (IRGC) <a href=\"https:\/\/www.cisa.gov\/news-events\/cybersecurity-advisories\/aa23-335a\">began using<\/a> the persona \u201cCyberAv3ngers\u201d to actively target Israeli-made Unitronics Vision Series programmable logic controllers (PLCs) and human machine interfaces (HMIs), which are mainly used in water and wastewater systems.<\/p>\n<p>These exploitations elevated Iran as a cyber threat actor to the top ranks of national cybersecurity concerns among Western nations, laying the groundwork for the current heightened fears of an Iranian cyberattack.<\/p>\n<p>But, Hegel says, those PLCs that were sloppily exposed on the internet were a fluke for Iran. \u201cThat was low-hanging fruit for them. They got lucky to find it,\u201d he says.<\/p>\n<p>The only thing Iran did with access to those PLCs was to leave a defacement image stating, \u201cYou have been hacked, down with Israel. Every equipment \u2018made in Israel\u2019 is CyberAv3ngers legal target.\u201d\u00a0<\/p>\n<p>\u201cThey sometimes target industrial control systems, but they\u2019re not well-read on how those things work,\u201d another senior cyber threat intelligence analyst, who asked not to be named, tells CSO. \u201cWhen we have seen them get access, they\u2019ve not used it effectively. 
They\u2019re just not very good at that.\u201d<\/p>\n<p>Aside from this high-profile incident, Iranian threat actors are best known for using wipers, often in the form of fake ransomware. \u201cThey do have the capabilities to deploy impactful pieces of malware, wipers, ransomware, things of that sort,\u201d the threat intel analyst says.<\/p>\n<p>But even Iran\u2019s wipers and fake ransomware are not major threats. \u201cTypically, their wipers are fairly efficient, but information can be recovered,\u201d the analyst says. \u201cRansomware they will deploy is almost always not ransomware; it\u2019s a wiper, and they\u2019ll try to extort a little bit of money from you.\u201d<\/p>\n<h2 class=\"wp-block-heading\">DDoS attacks are the biggest threat<\/h2>\n<p>Perhaps Iran\u2019s most prominent cyber tool is <a href=\"https:\/\/www.csoonline.com\/article\/571981\/ddos-attacks-definition-examples-and-techniques.html\">distributed denial of service (DDoS)<\/a>, usually in conjunction with so-called hacktivist groups.<\/p>\n<p>Hours after the US strikes against Iran\u2019s nuclear sites, the Center for Internet Security (CIS) and other watchdogs <a href=\"https:\/\/www.mediaite.com\/media\/news\/iranian-aligned-hackers-claim-responsibility-for-attack-on-trumps-truth-social-platform\/\">confirmed<\/a> that an Iranian-aligned hacktivist group called \u201c313 Team\u201d claimed responsibility for a DDoS attack on Trump\u2019s Truth Social platform, which temporarily went dark.<\/p>\n<p>\u201cThere are 20 or 30 new Iranian groups that have emerged over the last week or so,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/alexis-rapin-611027276\/?originalSubdomain=ca\">Alexis Rapin<\/a>, strategic threat intelligence analyst at ESET. \u201cIt\u2019s hard to keep track. Many of these groups have been shut down by Telegram in recent days. 
So, they basically form new ones, new channels, new coalitions of groups.\u201d<\/p>\n<p>Following the DHS warning of cyber threats tied to US involvement in the Iran conflict, Radware observed an 800% surge in claimed DDoS attacks against US sectors.<\/p>\n<p>\u201cIt\u2019s an easy attack to pull off,\u201d <a href=\"https:\/\/www.radware.com\/blog\/author\/pascalg\/\">Pascal Geenens<\/a>, director of threat Intelligence for Radware, tells CSO. \u201cYou just need infrastructure, and you just point it in the right way and you go at it and you almost always have some kind of result, whether it\u2019s a big result or just a few seconds of downtime, enough to claim a report and to say, \u2018Look, we had some impact.\u2019\u201d<\/p>\n<p>\u201cA lot of the outward communication we see coming from Iran is primarily from fake hacktivist personas, hacker groups, all on Telegram,\u201d SentinelOne\u2019s Hegel says. \u201cWe\u2019re tracking dozens since the initial conflict kicked off last. They\u2019re all doing the same thing, going for easy targets; it\u2019s very opportunistic. DDoSing is almost child\u2019s play nowadays.\u201d<\/p>\n<h2 class=\"wp-block-heading\">How CISOs could prepare for Iranian attacks<\/h2>\n<p>Even if the immediate threat of Iranian cyberattacks has subsided, CISOs should still consider strategies to help defend against them given the volatile nature of military conflicts in the Middle East.<\/p>\n<p>\u201cEven if we don\u2019t see widespread cyberattacks, it\u2019s never a bad thing to be prepared for them,\u201d <a href=\"https:\/\/www.linkedin.com\/in\/petenicoletti\/\">Pete Nicoletti<\/a>, global CISO of Americas for Check Point, tells CSO.<\/p>\n<p>Chief among Nicoletti\u2019s list of things to do is \u201cgo ahead and set up geo-blocking,\u201d he says. \u201cYou can easily get IP addresses and load them into your firewalls. Knock those countries that you do not have business with. Just drop them. 
They will be VPN\u2019ing into other IP addresses and hacking from those, but take the ankle biters off the list.\u201d<\/p>\n<p>Gaming out what an Iranian attack might look like can also help. \u201cReview your incident response plan and go ahead and knock out a desktop exercise focused on a nation-state actor attack,\u201d Nicoletti says. \u201cTake historical data and say, \u2018Okay, we\u2019ve seen this, this, and this.\u2019 Put it into your nation-state attack desktop exercise.\u201d<\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3851840\/prepared-for-cyberattacks-crisis-communication-according-to-plan.html\">Preparing for a reputational fallout<\/a> from a potential Iran-related attack is also helpful, particularly if the threat actor starts bragging about it. \u201cThe most important thing for CISOs is to have a statement ready if that time comes,\u201d Radware\u2019s Geenens says. \u201cYou don\u2019t want to start thinking about what to do whenever you become the target of a fake claim, and it goes into the media, because your company can become a headline at any time because of those claims.\u201d<\/p>\n<p>Most importantly, CISOs should make sure they have adequate DDoS protection. \u201cCyber warfare is so asymmetric; it doesn\u2019t take much money and expertise, and you can literally buy it on the dark web,\u201d Check Point\u2019s Nicoletti says. \u201cI can go to the dark web right now, and for $500, I can get a company that doesn\u2019t have adequate DDoS protection. 
I can nuke them off the map for the next week for just $500.\u201d<\/p>\n<p><strong>See also:<\/strong><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3829684\/how-to-create-an-effective-incident-response-plan.html\">How to create an effective incident response plan<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/1311295\/4-tabletop-exercises-every-security-team-should-run.html\">4 tabletop exercises every security team should run<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/3851840\/prepared-for-cyberattacks-crisis-communication-according-to-plan.html\">How to create an effective crisis communication plan<\/a><\/p>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/4009438\/how-to-conduct-an-effective-post-incident-review.html\">How to conduct an effective post-incident review<\/a><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Over the past ten days, real-world military attacks have fostered fears that Iranian threat actors would launch cyberattacks on US organizations as part of a hybrid cyber-kinetic retaliation to US intervention in geopolitical tensions between Israel and Iran. 
Among the steps that some experts say provoked Iran to respond with cyber measures is the Trump [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3662,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3661","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3661"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3661"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3661\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3662"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3661"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3661"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3661"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}