Warning: Trump Terrorist Designation May Prompt Iranian Cyber Attacks

The Trump Administration’s designation of Iran’s Islamic Revolutionary Guard Corps as a foreign terrorist organization could prompt retaliatory cyber attacks from state-sponsored actors from the Islamic Republic, security researchers from Recorded Future warn.

U.S. President Donald Trump’s move on Monday to designate Iran’s Islamic Revolutionary Guard Corps (IRGC) a foreign terrorist organization–triggering economic sanctions and travel restrictions on roughly 100,000 people inside Iran–could spur a reaction from the Islamic State, which has often responded to heated political actions or rhetoric with cyber offense, researchers at Recorded Future’s Insikt Group said this week.

“In response to this IRGC terrorist label, and based on historical precedent, it’s logical to anticipate Iran quickly retaliating via cyberattacks,” according to a blog post by Insikt, which provides threat research. “Financial services, energy companies and military contractors are the most likely targets of Iranian attacks.”

A global business network at risk

The IRGC is Iran’s elite military guard that protects the country’s Islamic Republic system, including the country’s ballistic and nuclear missiles program. Critics of Trump’s unprecedented move have said it’s merely symbolic–as there already are stiff penalties in place for anyone who deals with the IRGC. However, the slap could draw ire from Iran and spur backlash against the U.S. and its partners in the region and beyond.

“The IRGC is comprised of roughly 100,000 people and has global business dealings with numerous organizations and companies outside of Iran,” Levi Gundert, a former Secret Service agent and now Recorded Future’s vice president of Intelligence and Risk, told Security Ledger. “President Trump’s new designation is significant because you’re now talking about sanctioning everyone that does business with the IRGC. That’s a huge perceived provocation, and given the initial comments coming out of the IRGC, they will likely make a full attempt to respond.”

Destructive Shamoon Malware Attacks Italian Oil Services Firm

The Islamic Revolutionary Guard Corps of Iran, which President Trump has designated a terrorist organization. (Source: Reuters)

Previous warnings premature

Recorded Future also warned of cyber retaliation when Trump withdrew from the Iran nuclear deal a little less than a year ago. Gundert acknowledged that thus far, researchers have not seen “major reactionary campaigns in the wake of that decision. However, “there have certainly been ongoing cyber campaigns from APT33,” the state-sponsored group associated with Iran.

Researchers believe that the only reason the United States has dodged a bullet over the nuclear deal is because the European Union basically covered for Trump’s decision by going “out of its way to try to uphold the original Iran nuclear deal,” Gundert said.

Iran Taps Chafer APT Group amid Civil Aviation Crisis

“The EU’s actions to blunt President Trump’s exit of the deal has seemingly motivated Iran to not move forward with more significant, destructive campaigns,” he told us.

Will history repeat itself?

There is a precedent for retaliatory and reactionary attacks from Iranian state-sponsored actors due to political decisions that went unfavorably against the Islamic State. In 2012, for example, denial-of-service (DOS) attacks on America’s largest financial services companies were seen as an immediate response to the sanctions in a campaign dubbed Operation Ababil, according to Insikt Group.

The group also cited a scenario a year later in the fall of 2013 when Sheldon Adelson, the CEO of Sands Corporation, publicly suggested that the United States should attack Iran with an atomic weapon. In February 2014 in an apparent reaction, Iran launched a destructive attack on the Sands Las Vegas Corporation that caused significant network damage.

Gundert said this type of retaliatory cyber strategy is not one shared by all formidable nation states known for mounting cyber-offensive attacks; from what researchers have observed, it’s characteristic of Iran and also North Korea.

“Iran is certainly very capable, and over the past decade, they’ve worked to improve their cyber capabilities to an extent that it would be a mistake to underestimate them,” he said. “The primary difference between Iran and Russia and China is that we haven’t seen reactionary attacks out of China and Russia. By contrast, Iran has shown a proclivity–like North Korea–for destructive attacks to send a response.

Threat stretches across industries

The possibility of some kind of Iranian reaction–cyber or otherwise–to Trump’s latest hit against Iran seems likely, if the words of Iran President Hassan Rouhani and other leaders are any indication.

Rouhani called the United States, the “leader of world terrorism” in a broadcast live on state television, while the IRGC’s commander, Mohammad Ali Jafari threatened U.S. Army and security forces in the West Asia region, saying they would not enjoy its current peaceful state if the United States made such a move, according to The Wall Street Journal.

Report: Financial industry in crosshairs of credential-stuffing botnets

Gundert advised American and Middle East military contractors and companies in the financial services and energy sectors to be aware of the risk of cyber attack, particularly of types “that try to destroy the availability of information–malware, ransomware and DDoS attacks,” which are most likely to cause material impact to business operations, he said.

“For instance, the DDoS attack against Sheldon Adelson’s Sands Corp., following his comments advocating for the bombing of Iran, is a perfect example of the type of reactive attack you can expect from Iran,” Gundert said.

Specifically, Iranian-sponsored attacks have historically used spearphishing and webshells as the primary mechanisms for establishing unauthorized access, according to Insikt.