*This blog has been updated as of Jan 9, 2020.
Welcome to 2020. Have a good holiday? Back to work already? Good. Let’s get to it.
The world is currently dealing with the fallout from a U.S. drone strike that killed Islamic Revolutionary Guard Corps Major General Qasem Soleimani. The intention of this blog is not to go into any political, moral, or legal arguments, nor to speculate about the physical conflicts that may result. As cybersecurity experts, Digital Shadows (now ReliaQuest) will focus on the cyber-related fallout from the situation and the ways it may or may not impact our clients. We will continue to update this blog as related events unfold, so be sure to check back.
ICYMI – CISO Rick Holland also produced a blog on this topic, offering some practical, measured suggestions on how you should respond in both the short term and critically in the long run:
In the early hours of Friday, January 3rd, 2020 (or late hours of Thursday, January 2nd, depending on your time zone), the United States conducted a drone strike near Baghdad International Airport in Iraq, killing Iran’s Major General Qasem Soleimani. Soleimani was the commander of the Quds Force, one of the country’s most elite military forces, and a very prominent figure within the Islamic Republic. His death came at a time of already heightened tensions between the U.S. and Iran, and regime supporters in Iran have since mourned him publicly.
The strike was an escalation of activity in the region between the U.S. and Iran, after an American defense contractor was killed on December 27th, 2019, followed by retaliatory strikes by the U.S. against Kata’ib Hezbollah, an Iraqi Shia paramilitary group. These strikes led to large-scale protests outside the U.S. embassy in Baghdad, as protestors attempted to scale the walls of the compound and overrun security forces.
Following the Major General’s death, Iran’s Supreme Leader Ayatollah Ali Khamenei delivered statements via television broadcast and other media, including social media, vowing “severe revenge” against those responsible for Soleimani’s killing.
Heated rhetoric has flowed back and forth between Iran and the United States, with posturing on both sides. Protestors have flooded the streets to mourn Soleimani’s death as his body was transported, culminating in his funeral on Tuesday, January 6th in Tehran. Tuesday was also the end of the three days of mourning declared by the Ayatollah following Friday’s airstrike.
Update Jan 9: On Wednesday, January 8th, following the mourning period issued by the Ayatollah, Iran launched several surface-to-surface missiles at Iraqi military bases in the Ain al-Asad and Erbil regions, which house U.S. military personnel. Though the strikes resulted in no casualties, Ayatollah Khamenei described the attack as a “slap in the face” to the United States, but appeared to welcome a decrease in the hostilities mounting between the two countries. United States President Donald Trump echoed that sentiment in a statement he made later that day, instead stating the United States would be issuing economic sanctions against Iran.
On January 9th, several media outlets began reporting on “DUSTMAN”, a destructive malware variant attributed to Iran, which was determined to be responsible for an attack against the Bahrain Petroleum Company (Bapco). This attack took place on December 29th, five days before the Soleimani airstrike; it reportedly did not have lasting effects and has no reported links to the ongoing situation in Iran. We highlight it in this update to say that we agree with that assessment, and also to remind watchers of the situation that digital forensics and incident response reports take time to investigate and produce accurately, so evidence of any Iranian cyber retaliation may take an extended period to reach the public.
Since Tuesday, January 7th, we’ve observed low-level activity coming from Iranian supporters and hacktivists, including website defacements and Twitter storms.
Twitter activity: #HardRevenge
The HardRevenge hashtag began flooding Twitter following the Ayatollah’s initial statement to the nation. While researchers were attempting to determine the origin of the hashtag, in order to analyze its potential use by Iranian state threat actors to spread propaganda and possibly disinformation, the answer could be found in the Arabic-language account of the Supreme Leader.
The hashtagged phrase included in this tweet translates directly to English as “Cruel Revenge”, or “Severe Revenge” according to Khamenei’s English-language account. And translated across the different languages which are spoken within that region of the world, like Urdu or Farsi, the use of “Hard Revenge” becomes clearer.
Across these various languages, the hashtag has been used at least 42,000 times within the last four days. Hacktivist operations tend to pick up on these types of hashtags, adopting them to rally around and use for coordination efforts. This leads me to…
Website Defacements:
Beyond the defacement of the Federal Depository Library Program (FDLP) site, fdlp[.]gov, we’ve detected several other website defacements, some of which use various translations of “#HardRevenge.”
Shield Iran
Shield Iran is a hacktivist group which, according to its Zone-H history, has not been active since 2016. Zone-H is a website where threat actors can log their defacements, keeping track of their attacks over time. I’ve been able to confirm multiple sites defaced with this poster, all using the Persian translation of “Hard Revenge”. So far, the following defacements have been confirmed by Digital Shadows (now ReliaQuest):
Mrb3hz4d
The threat actor “Mrb3hz4d” has claimed responsibility for hundreds of website defacements over the last couple of days, all of which I won’t list here. The user has apparently been active since 2018, and according to their Zone-H history they’ve been specifically defacing United States-based websites since January 3rd.
Though specifics are light at this point, two advisories have been distributed: one from the Department of Homeland Security (DHS) and one from the Cybersecurity and Infrastructure Security Agency (CISA).
The DHS Bulletin (as opposed to an “Elevated” or “Imminent Alert”) detailed the state of affairs in the aftermath of the killing of Soleimani, largely focusing on physical safety. However, there were mentions of previous Iranian cyber activity:
“Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.-based targets.”
“Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
I mention the fact that this is a DHS “Bulletin” as opposed to an “Alert” because they have very different meanings. A Bulletin “described current developments or general trends” and an alert “warns of a credible terrorism threat.” As of January 7th, the fact that no alerts had been issued indicated that there likely were not any major threats to cybersecurity infrastructure at this specific point in time.
CISA’s advisory included additional details on prior Iranian threat activity, stating that previous targets of “disruptive and destructive cyber operations” have included companies in the finance, energy, and telecommunications sectors, with a specific focus on industrial control systems and operational technology. Additionally, CISA warned of the potential for intellectual property theft as well as disinformation campaigns promoting pro-Iranian sentiment.
As both the U.S. and Iranian governments have seemingly decreased the heated rhetoric toward each other, ongoing kinetic or physical attacks are likely to subside in the immediate term. However, a decrease in physical attacks could signal an increase in cyber-related incidents. This may be further spurred by the economic sanctions that U.S. President Donald Trump has issued against Iran. We’ve expanded our recommended prevention and mitigation measures based on the US-CERT notice issued on Monday.
To combat the threat of website defacement, we recommend securing your Content Management System (CMS) platform first. The CMS used to manage your website, whether that’s WordPress, Joomla, Drupal, etc., should be secured with non-default administrator credentials and two-factor authentication where the platform supports it, and its admin interface should not be reachable from the open internet if you can avoid it.
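Hardening the CMS reduces the chance of a defacement; it does not tell you when one has happened. As an added example (this is not code from the original post or from Digital Shadows/ReliaQuest), the following is the kind of lightweight defacement check a SOC can run against its own public pages: a baseline hash of each page catches any change, and a marker list catches the strings seen in the defacements above even before anyone reviews the diff. The URLs and page bodies are constructed for the example, and the non-Latin spellings of the hashtag are assumed translations rather than copies of observed defacements.

```python
"""Defacement monitor: baseline content hash plus defacement-marker scan.

Added example, not part of the original post. Pages and URLs are constructed
so the script runs offline; in production replace CURRENT_PAGES with the
result of fetching each URL.
"""
import hashlib
import re

# Strings that recur in the defacements described above. The non-Latin
# entries are ASSUMED translations of "hard revenge", used for illustration.
DEFACEMENT_MARKERS = (
    "#hardrevenge",
    "hacked by",
    "#انتقام_سخت",        # assumed Persian rendering
    "#الانتقام_القاسي",   # assumed Arabic rendering
)

# Constructed baseline snapshots: what each page looked like when last verified.
BASELINE_PAGES = {
    "https://www.example.gov/": (
        "<html><head><title>Example Agency</title></head>"
        "<body><h1>Welcome</h1><!-- build 42 --><p>Public notices.</p></body></html>"
    ),
    "https://www.example.gov/news": (
        "<html><body><h1>News</h1><ul><li>Budget hearing moved.</li></ul></body></html>"
    ),
    "https://www.example.gov/about": "<html><body><h1>About us</h1></body></html>",
}

# Constructed "current" fetches: the root page differs only cosmetically, the
# news page has been defaced, and the about page had a legitimate edit.
CURRENT_PAGES = {
    "https://www.example.gov/": (
        "<html>\n  <head><title>Example Agency</title></head>\n"
        "  <body><h1>Welcome</h1>\n<p>Public notices.</p></body>\n</html>\n"
    ),
    "https://www.example.gov/news": (
        "<html><body><h1>Hacked By Anonymous Crew</h1><p>#HardRevenge</p></body></html>"
    ),
    "https://www.example.gov/about": (
        "<html><body><h1>About us</h1><p>New office hours.</p></body></html>"
    ),
}

_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
_BETWEEN_TAGS_RE = re.compile(r">\s+<")
_WS_RE = re.compile(r"\s+")


def normalise(html: str) -> str:
    """Drop HTML comments and inter-tag whitespace so cosmetic changes do not alert.

    Deliberately crude: pages with dynamic regions (timestamps, CSRF tokens)
    need those regions excluded before hashing, or every fetch will differ.
    """
    html = _COMMENT_RE.sub("", html)
    html = _BETWEEN_TAGS_RE.sub("><", html)
    return _WS_RE.sub(" ", html).strip()


def fingerprint(html: str) -> str:
    """SHA-256 of the normalised page body."""
    return hashlib.sha256(normalise(html).encode("utf-8")).hexdigest()


def find_markers(html: str) -> list:
    """Return the defacement markers present in the page, case-insensitively."""
    lowered = html.lower()
    return [m for m in DEFACEMENT_MARKERS if m.lower() in lowered]


def check_page(url: str, html: str, baseline_fp: str) -> dict:
    """Classify one fetched page against its stored baseline fingerprint."""
    changed = fingerprint(html) != baseline_fp
    markers = find_markers(html)
    if markers:
        verdict = "defaced"      # marker hit: page immediately to incident response
    elif changed:
        verdict = "changed"      # no marker, but content moved: human confirms, then re-baseline
    else:
        verdict = "ok"
    return {"url": url, "verdict": verdict, "changed": changed, "markers": markers}


def build_baselines(pages: dict) -> dict:
    """Fingerprint a set of verified pages; store this, not the HTML, between runs."""
    return {url: fingerprint(html) for url, html in pages.items()}


def monitor(current: dict, baselines: dict) -> list:
    """Check every fetched page that has a baseline; unknown URLs are ignored."""
    return [check_page(u, h, baselines[u]) for u, h in current.items() if u in baselines]


if __name__ == "__main__":
    for result in monitor(CURRENT_PAGES, build_baselines(BASELINE_PAGES)):
        print(f"{result['verdict']:8} {result['url']} markers={result['markers']}")
```

Run on a schedule from a host outside the web tier (a defaced server may also be serving altered monitoring scripts), and treat a "changed" verdict with no marker as a ticket to review rather than an alarm, re-baselining only after someone confirms the edit was authorised.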
Notice how I haven’t mentioned any nation-state associated activity? As of now, there has yet to be any publicly reported. That’s not to say that plans aren’t being formulated, infrastructure isn’t being set up, and implants developed; we just haven’t seen anything yet in the public domain.
That being said, there are a few things that can help companies defend against the tactics, techniques, and procedures that have been used previously by Iranian nation-state groups.
For more info, Rick Holland and I sat down to discuss this on our latest episode of ShadowTalk. Catch the latest on your favorite podcast player or below:
For a full rundown and mapping of past Iranian nation-state activity to the Australian Signals Directorate Essential 8 framework, check out Richard Gold’s blog, Tradecraft styles of Iranian APT groups: using Mitre ATT&CK™ and the ASD Essential 8.