Law firms in the midst of large and publicly reported M&A deals, accounting firms during return season, and Facebook at just about any moment, should all assume that they are being targeted by hackers. However, the Department of Homeland Security’s (DHS) announcement that Iranian regime actors and proxies have been using “wiper” attacks adds a new indicator: geopolitical importance during politically sensitive times.
The director of the Cybersecurity and Infrastructure Security Agency (CISA) released a tweet late last week notifying the public that Iran is using spear phishing, password spraying, and credential stuffing in an attempt to disrupt American companies. Although no further details were provided, readers were encouraged to review the CISA best practices and act quickly if a breach is detected. As usual, this includes both internal protective measures and the reporting of any potential intrusions to the proper authorities.
In the past, Iran has used cyberwarfare to wipe clean the hard drives of entire companies, like major Saudi oil producers, as a form of political maneuvering. The tactics have been effective, leading to massive losses to companies that were forced to temporarily cease operations until their data could be recovered. In the present case, it is all but certain that Iran is returning to these tactics in response to the recent heightening of tensions with the United States. Reports have also surfaced that the United States has used similar offensive tactics abroad, making it likely that cyberattacks will only increase in frequency as a diplomatic weapon.
What can be taken from these developments is that we now have additional factors that can be used to predict who could be the subject of a cyberattack and when. In the case of the ongoing trade war with China, President Xi Jinping carefully selected responsive tariffs that targeted politically sensitive areas for the president. China’s strategy of choosing tariffs that would have its greatest effects on the constituencies who voted for the incumbent is obvious – it draws a direct line between the actions of voters’ chosen politicians and their own personal safety and income. The theory is that pressure placed on voters is then turned onto the politicians, who are forced into negotiations to stop the bleeding.
A similar tactic will almost certainly be used in selecting targets of cyberattacks in the future. It is no secret that certain U.S. states become hyper-relevant during election season, and can be used as pressure points by foreign actors. One example is the automotive industry, which sits in key swing states and has substantial financial backing. A targeted attack at companies within this industry could disrupt the day-to-day functioning for workers, and cause enough revenue losses for the executives to push lawmakers to act. Regardless of the ultimate political success of either the attack or subsequent lobbying, the result is the same for the companies targeted – significant lost profits, lost data, and expensive litigation.
All cyber risk analysts should be sure to incorporate both historical political strategy and current events into cyber defense planning. By understanding which actors have used targeted non-military attacks, such as China’s selective tariffs, it will be easier to predict which countries are most likely to employ this tactic. An analysis of industries with geopolitical, financial or other systemic importance further allows one to narrow down companies likely to fall under the umbrella of potential targets for foreign powers. Finally, both fluctuating current events and fixed election cycles are indicators of when those companies are most likely to be targeted. By incorporating these factors into planning now, companies can more accurately predict if they are a target and when, so that they do not find themselves scrambling to defend a foreign cyber intrusion after it has already begun.