The Cybersecurity and Infrastructure Security Agency (CISA) is sharing the following information with the cybersecurity community as a primer for assisting in the protection of our Nation’s critical infrastructure in light of the current tensions between the Islamic Republic of Iran and the United States and Iran’s historic use of cyber offensive activities to retaliate against perceived harm. [1]

Saudi Arabia's National Cybersecurity Authority (NCA) says that on Dec. 29, 2019, Iranian state-sponsored hackers infected the network of Bapco, Bahrain's national oil company, via the company's VPN servers with new data-wiping malware dubbed "Dustman" that impacted a portion of the oil company's computers. After discovering the infection, Saudi officials reportedly alerted local companies in its energy sector and urged them to secure their networks in preparation for impending attacks. While the attack on Bapco does not appear to be related to current U.S.-Iranian tensions, researchers point out it clearly illustrates Iran possesses advanced destructive cyber attack capabilities. According to analysis conducted by the NCA, the Dustman data-wiping malware appears to be a more advanced and upgraded version of the "ZeroCleare" wiper discovered in fall 2019, which had several code similarities with the original "Shamoon." NCA's analysis also revealed that Dustman is the third data wiping malware that has been linked to Iranian state-backed hackers and that it is specifically designed to delete data on infected systems. According to the NCA, Dustman, ZeroCleare, and Shamoon share the "EldoS RawDisk" main component but leverage different exploits and techniques to elevate system access to the administrator level. NCA officials also say that while most of the Dustman code is the same as ZeroCleare code, Dustman has two important differences: 1) Its destructive capability and required drivers and loader are delivered in a single executable rather than two files, and 2) it overwrites the volume rather than just wiping it by overwriting it with junk data. According to the NCA's report, it appears that attackers did not plan to deploy Dustman when they did but triggered the data-wiping process in an effort to hide forensic evidence after making several mistakes that would have revealed their presence on the network. [2]

Recommended Actions [1]:

  1. Adopt a state of heightened awareness. This includes minimizing coverage gaps in personnel availability, more consistently consuming relevant threat intelligence, and making sure emergency call trees are up to date.
  2. Increase organizational vigilance. Ensure security personnel are monitoring key internal security capabilities and that they know how to identify anomalous behavior. Flag any known Iranian indicators of compromise and tactics, techniques, and procedures (TTPs) for immediate response.
  3. Confirm reporting processes. Ensure personnel know how and when to report an incident. The well-being of an organization’s workforce and cyber infrastructure depends on awareness of threat activity. Consider reporting incidents to CISA to help serve as part of CISA’s early warning system (see Contact Information section below).
  4. Exercise organizational incident response plans. Ensure personnel are familiar with the key steps they need to take during an incident. Do they have the accesses they need? Do they know the processes? Are your various data sources logging as expected? Ensure personnel are positioned to act in a calm and unified manner.

Additional Technical Recommendations:

The following is a composite of actionable technical recommendations for IT professionals and providers to reduce their overall vulnerability. These recommendations are not exhaustive; rather they focus on the actions that will likely have the highest return on investment. In general, CISA recommends two courses of action in the face of potential threat from Iranian actors: 1) vulnerability mitigation and 2) incident preparation.

  1. Disable all unnecessary ports and protocols. Review network security device logs and determine whether to shut off unnecessary ports and protocols. Monitor common ports and protocols for command and control activity.
  2. Enhance monitoring of network and email traffic. Review network signatures and indicators for focused operations activities, monitor for new phishing themes and adjust email rules accordingly, and follow best practices of restricting attachments via email or other mechanisms.
  3. Patch externally facing equipment. Focus on patching critical and high vulnerabilities that allow for remote code execution or denial of service on externally facing equipment.
  4. Log and limit usage of PowerShell. Limit the usage of PowerShell to only users and accounts that need it, enable code signing of PowerShell scripts, and enable logging of all PowerShell commands.
  5. Ensure backups are up to date and stored in an easily retrievable location that is air-gapped from the organizational network.

FireEye Threat Intelligence Analyst Comment

FireEye Intelligence is aware of reports of DUSTMAN deployments at separate entities in Saudi Arabia and Bahrain. While the DUSTMAN wiper has notable differences from the ZEROCLEAR wiper, the dropper has similarities to the dropper component used with ZEROCLEAR. For instance, both droppers use the same EldoS RawDisk driver license key, contain references to the same strings, and perform the same hard disk surveying using deviceIOControl. While we have not attributed the activity to a specific APT group, we suspected both wipers have been developed by the same Iranian threat actor. The activity is consistent with Iranian disruptive and digitally destructive attacks against private sector entities in the energy and financial services sectors in the U.S. and the Cooperation Council for the Arab States of the Gulf (GCC). Media on-target.

MORE INFORMATION ON IRANIAN HACKING HISTORY AND FURTHER TECHNICAL DETAILS

[1] CISA Insights: Increased Geopolitical Tensions and Threats

[2] Source ZDNet