Middle East war increases likelihood of cyber attacks around the world
While Iran has been launching missile and drone attacks against various countries since the weekend, CSOs and infosec leaders shouldn't discount the probability that Iranian threat actors and sympathizers will launch cyber attacks as well, and not just against targets in the Middle East.
Cisco Systems' Talos threat intelligence service said Monday it is seeing sympathetic groups such as hacktivists behind defacement and denial of service campaigns in support of Iran. It also believes cyber criminals will likely take advantage of the war to try to widen the scope of their infections through the use of lures and other social engineering avenues.
For example, researchers at CloudSEK uncovered a malicious SMS spoofing campaign spreading a fake version of Israel's "Red Alert" Android emergency app. This app lets residents know about missile and other attacks. People looking for the latest warnings may be tricked into downloading the fake version by clicking a link in a text message. The malicious version can steal SMS messages (and with them SMS-delivered multifactor authentication codes), contacts, and location data.
Researchers at Recorded Future said pro-Iran hacktivist groups — including Handala Hack Team, Cyber Islamic Resistance, RipperSec, APT IRAN, and Cyber Fattah — have announced co-ordinated cyber operations against Israeli and regional targets.
The fact that U.S. and Israeli air attacks have impaired Iran's internet connectivity shouldn't be taken as good news. Recorded Future notes that several pro-Iran threat actors operate outside Iran or on distributed infrastructure, so they remain fully operational.
Who might be targeted? Private sector organizations affiliated with any country that is participating in or endorsing attacks on Iran, including defense contractors, insurance companies, banks and financial institutions, and critical infrastructure providers.
Gene Moody, field CTO at Action1, said that while current activity is described as opportunistic, Iranian state-aligned and proxy groups have historically moved quickly when geopolitical tensions rise. In practice that means they will be scanning the internet at scale for exposed services and weaponizing recently disclosed vulnerabilities within hours or days. They often rely on known flaws in VPNs, edge devices, firewalls, email gateways, and remote access platforms rather than novel zero days.
For defensive security teams that means seeing increased background noise, more aggressive scanning and a higher probability of exploitation attempts against perimeter systems.
“Expect phishing tied to geopolitical themes, credential harvesting, and possible disruptive actions such as data theft, ransomware, or destructive wiper activity if escalation occurs,” Moody said.
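The scanning Moody describes shows up in perimeter logs as one source touching many ports on one host (a vertical scan) or one port across many of your hosts (a horizontal scan) within a short interval. The script below is an added example for this article, not code from Action1, Cisco or any product named here; the syslog-style deny-log format, the IP addresses, the 60 second window and the threshold of 10 are assumptions, and the log lines are constructed to exercise the logic.

```python
"""Flag bulk port and host scanning in perimeter firewall deny logs."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample firewall deny events (assumed syslog-like format, not real data).
SAMPLE_LOG = "\n".join(
    # Vertical scan: one source probes 11 ports on one host within seconds.
    [f"2025-06-16T08:00:{s:02d}Z deny src=203.0.113.7 dst=198.51.100.10 dport={p}"
     for s, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 445, 3389, 8080], 1)]
    # Horizontal scan: one source probes port 443 across 12 of our hosts.
    + [f"2025-06-16T08:05:{s:02d}Z deny src=192.0.2.50 dst=198.51.100.{h} dport=443"
       for s, h in enumerate(range(1, 13), 1)]
    # Benign: a partner retrying one blocked connection hourly.
    + [f"2025-06-16T{h:02d}:15:00Z deny src=203.0.113.200 dst=198.51.100.10 dport=443"
       for h in (8, 9, 10)]
    # Slow probe: five ports over half an hour, invisible to a 60 s window.
    + [f"2025-06-16T08:{m:02d}:00Z deny src=203.0.113.9 dst=198.51.100.20 dport={p}"
       for m, p in zip(range(10, 40, 6), [22, 80, 443, 3389, 8443])]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) deny src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> list[Event]:
    """Parse deny lines; lines in any other format are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["src"], m["dst"], int(m["dport"])))
    return events


def detect_scanners(events, window=timedelta(seconds=60), threshold=10):
    """Return {src: {"vertical": n, "horizontal": n}} for sources whose
    distinct-port-per-host or distinct-host-per-port count reaches the
    threshold inside any sliding window of the given length."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best_vertical = best_horizontal = 0
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            ports_per_host = defaultdict(set)
            hosts_per_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_per_host[e.dst].add(e.dport)
                hosts_per_port[e.dport].add(e.dst)
            best_vertical = max(best_vertical, max(len(s) for s in ports_per_host.values()))
            best_horizontal = max(best_horizontal, max(len(s) for s in hosts_per_port.values()))
        kinds = {}
        if best_vertical >= threshold:
            kinds["vertical"] = best_vertical
        if best_horizontal >= threshold:
            kinds["horizontal"] = best_horizontal
        if kinds:
            findings[src] = kinds
    return findings


if __name__ == "__main__":
    for src, kinds in detect_scanners(parse_log(SAMPLE_LOG)).items():
        print(src, kinds)
```

With the defaults the fast vertical and horizontal scanners are flagged and the hourly partner retry is not, but the slow five-port probe is missed; rerunning with `window=timedelta(hours=1), threshold=5` catches it, which is the usual trade-off between window length and false positives from legitimate bursty clients. In practice, feed this from the firewall's own deny log export and triage flagged sources first by whether the ports they touched correspond to the VPN, edge, mail gateway and remote access services the article names.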
Cisco says infosec leaders should be prepared for cyber attacks. “Since this activity appears to be regionally focused, making sure enterprises are aware of any impacts to partners and third-party suppliers in the region will be paramount. Additional inspection or controls may be warranted to insulate potential larger impacts to the wider organization.”
Being prepared, says Cisco, includes warning employees against clicking on unsolicited links related to the Middle East conflict, whether news or humanitarian. These are often infostealers or backdoors in disguise and meant to take advantage of emotions. Consider increasing the frequency of phishing simulations that use current geopolitical lures to keep staff vigilant against social engineering.
Identify any vendors, service providers, or developers located in or heavily connected to the Middle East conflict zone, Cisco adds. Enforce strict MFA for all third-party access and conduct “zero-trust” audits on any administrative tools that have deep access to your environment.
Finally, mitigate nuisance attacks and defacements by using a Content Delivery Network (CDN) with robust DDoS mitigation and ensure all web content management systems are fully patched.
“As always,” Cisco adds, “ensure all software has been updated to the latest versions to minimize the attack surface and ensure you have a robust patching process. Many updated software versions have improvements in security and visibility capabilities that can help in cyber defense.”
UPDATE: Just discovered this report that pro-Russian threat actors have formed a loose coalition with Iran-nexus hacking groups.
