Cyber-wrath of Iran for top general's assassination hasn't progressed beyond snooping and nicking logins... yet
Boring! Where are teh 1337 h4x? We want 1337 h4x
The Iranian cybercrime group that was expected to spearhead the rogue Middle East nation's revenge for the US assassination of General Qasem Soleimani has quite the arsenal at its digital fingertips.
Infosec researchers from Secureworks said the state-sponsored phacker crew - dubbed Cobalt Ulster - has "destructive and disruptive cyber capabilities" at its disposal which it targets against Turkey, Jordan and Iraq.
Yet after Soleimani was killed in an American drone strike in January, the hackers kept quiet instead of unleashing a visible campaign of retribution.
The Iranian general, a member of the country's Islamic Revolutionary Guard Corps, was credited by informed observers in the West with playing a key role in ensuring unstable regions of the Middle East acted largely in Iran's interests. He did this through running a formidable network of intelligence operatives and militias.
Instead, said Secureworks, they just kept on going with their existing campaigns of spying and hoovering up login credentials through spearphishing attacks and the like.
The infosec biz's Counter Threat Unit said of its findings: "In some cases, emails were sent with a malicious attachment to gain access, some email messages also contained a link to a compromised website, and there are confirmed cases where malicious documents were sent via a ZIP archive."
They added: "From a threat management and risk assessment perspective, we advise organisations not to conflate ongoing espionage operations with a retaliatory response. However, continually leveraging threat intelligence to assess and improve controls will help network defenders secure their environments against malicious activity regardless of intent."
In plain language, this means an uptick in nefarious activity on your network probably doesn't mean you are on the front line of Iran's revenge attacks against the West for bumping off their top espionage bloke. But never say never.
The attack methods mentioned by Secureworks in its blog post included some fairly standard phishing techniques, such as enabling macros embedded in Microsoft Office documents (a standard way of bypassing security controls). In turn that prompts the downloading of running of a PowerShell downloader that introduces whatever malware nasties the Iranians want to infect your networks with.
Usefully, at the end of its blog post Secureworks also published a list of URLs that it said had been associated with Iranian malware command-and-control systems. Sysadmins are advised to block these from access by their users. ®