Pro-Iran hackers appear to ramp up critical infrastructure cyberattacks
Tunvarat Pruksachat via Getty Images
By
Chris Teale
A group sympathetic to the regime claimed responsibility for a hack on the Los Angeles Metro, while the federal government is warning of ongoing vulnerabilities in some systems.
Cyberattacks against critical infrastructure from groups sympathetic to Iran appear to be ticking up, as the federal government warns hackers may look to exploit other vulnerabilities.
Last week, pro-Iranian hacking group Ababil of Minab claimed responsibility for a hack on the Los Angeles County Metropolitan Transportation Authority, known as LA Metro. The cyberattack it experienced last month forced the transit agency to shut down access to some of its network after its security team found unauthorized activity, although LA Metro said bus and rail service was unaffected.
The hacking group published claims on Telegram that they said showed them accessing LA Metro’s internal systems. Tim Miller, field chief technology officer for public sector at Dataminr, an artificial intelligence-backed platform that helps leaders track events, threats and risks in real time, said in a blog post that the group is an “emerging” one “with a limited public profile and little verifiable prior activity in threat intelligence reporting — making any definitive capability or intent assessment premature at this stage.”
“What can be cautiously observed from available evidence is that their explicit pro-Iran messaging and targeting of a major US public transit authority is broadly consistent with Iranian-aligned actors’ known pattern of targeting US critical infrastructure,” Miller continued.
Other experts tracking such events are similarly cautious about whether the group is responsible for the LA Metro hack. A spokesperson for the Multi-State Information Sharing and Analysis Center, which has warned previously of attacks on critical infrastructure from pro-Iran hackers, said in an email “there is no clear evidence that the claim is legitimate.”
Even though reports are unconfirmed, it makes for a worrying time for state and local governments, as well as critical infrastructure operators, who have been waiting with bated breath to see if groups sympathetic to Iran would launch attacks on these shores to retaliate against the ongoing war there.
"The threat of cyber-attack from Iran is real,” Andrew Chipman, governance, risk and compliance manager at cybersecurity company ProCircular, said in an email. “At this time, we expect to see that threat realized through proxies, hacktivists, and other allies to the Iranian regime. If Iran is able to build back their regime, we may see direct retaliation from Iran in the form of cyber-attacks against highly visible targets. History teaches us that hospitals and medical service providers are prime targets for the regime and its supporters. However, any critical infrastructure is a potential target.”
The alleged Iran-backed hack in Los Angeles came days before a warning from the Cybersecurity and Infrastructure Security Agency and a slew of other federal agencies earlier this month that various operational technology devices used in critical infrastructure, including programmable logic controllers, have been exploited by bad actors linked to Iran.
The agencies said those efforts, which have at times “resulted in operational disruption and financial loss,” have been designed to “cause disruptive effects within the United States.” CISA and its fellow agencies said the targets have included government services and facilities, water and wastewater systems and energy.
“Iran using cyberattacks to probe and impact American utilities should come as no surprise,” Lt. Gen. Ross Coffman (Ret.), president of artificial intelligence company Forward Edge-AI, said in an email. “Iran is using its long-range targeting tools to fight in every domain possible. We must continue to harden our cyber defenses and remind employees that they are the first line of defense. Our government's cyber professionals are the best in the world, so Iran is probing daily to find an exposed flank.”
Ababil of Minab warned that their “forthcoming actions will exact sterner pain,” although Miller said in the blog post that those pronouncements should be “treated as unverified rhetoric until corroborated by additional intelligence.” Chipman said some form of escalation could happen.
“Iran is not currently in a position to wage large scale cyber warfare against the United States or its allies, but hacktivists and proxy attackers are plentiful — expect attacks to come and prepare appropriately," he said.