US drone strike kills Iran’s Quds Force commander.
Iran promised retaliation after a US airstrike in the outskirts of Baghdad early today killed Iranian Major General Qassem Soleimani, commander of the Islamic Revolutionary Guard's Quds Force. One of Soleimani's principal collaborators, Iraqi militia commander Abu Mahdi al-Muhandis, was also killed. Reuters cites US sources as saying the strike was intended to disrupt further plans by militia aligned with Iran to attack US targets, including the US embassy in Iraq. Iranian operations against US assets and interests have long been asymmetric and are likely to remain so.
General Soleimani was widely regarded as an effective leader who traveled widely and worked intelligently to build Iranian influence in the Arab world. He had overtly supported Iraqi Shi’ite militia, which accounts for his presence in the vicinity of Baghdad. The Atlantic quotes the US Defense Department as stating that "General Soleimani was actively developing plans to attack American diplomats and service members in Iraq and throughout the region." General Soleimani had for some time traveled with impunity throughout the region, as the New York Times notes.
Observers expect an increase in cyber conflict in the wake of Soleimani's death, and the Telegraph outlines the current state of Tehran’s capabilities. CISA Director Christopher Krebs reshared a statement from June on Iranian cybersecurity threats, tweeting that it's "time to brush up on Iranian TTPs and pay close attention to your critical systems, particularly ICS." Tehran claims to have some 100,000 "cyber warriors," and while this number is almost certainly considerably exaggerated, Iran’s capabilities in cyberspace aren’t negligible. Most of their attacks in recent years have been directed against regional rivals, especially the threat group OilRig’s campaigns against Saudi targets, but Iranian groups have hit US targets in the past. The US Justice Department, for example, in February of 2018, secured Federal indictments against nine Iranian nationals associated with the Mabna Institute, an organization that serves as a cyber operations contractor for the Revolutionary Guard Corps. Charges included “conspiracy to commit computer intrusions; conspiracy to commit wire fraud; computer fraud - unauthorized access for private financial gain; wire fraud; [and] aggravated identity theft.” The indictment alleges that their victims “included approximately 144 universities in the United States, 176 foreign universities in 21 countries, five federal and state government agencies in the United States, 36 private companies in the United States, 11 foreign private companies, and two international non-governmental organizations.” This of course represents only a small sample of what Tehran’s cyber operators might be capable of. Note especially the implications of CISA Director Krebs's tweet: industrial control systems would be attractive targets.
APT37 versus Windows (advantage Microsoft).
Microsoft has confirmed that APT37, the North Korean threat group Redmond tracks as "Thallium," has been aggressively pursuing Windows users, and that Microsoft has seized fifty domains Thallium used in its espionage campaigns. Microsoft identified a network of domains, websites, and computers that Thallium used "to target victims and then compromise their online accounts, infect their computers, compromise the security of their networks and steal sensitive information."
Most of Thallium's targets were located in the US, Japan, and South Korea, and included "government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals that work on nuclear proliferation issues." The threat group uses spearphishing to compromise accounts and to distribute malware. Once they've compromised an email account, the attackers set up mail forwarding rules so they'll keep receiving victims' inbound email even after they've lost access to the account. Microsoft recommends that users check their email forwarding rules for any suspicious activity.
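A defender's check in the spirit of Microsoft's advice, added here as an example and not Microsoft's or the digest's own code: it scans mailbox-audit records (constructed samples; field names assumed to follow Exchange Online's unified audit log for New-InboxRule, Set-InboxRule and Set-Mailbox) for rules that forward or redirect mail outside the tenant, and notes when the rule also deletes or moves the message so the mailbox owner is less likely to notice.

```python
import json

# Assumed tenant domains (constructed); a target anywhere else counts as external.
INTERNAL_DOMAINS = {"example.com"}
# Inbox-rule parameters that copy or divert mail (assumed audit-log field names).
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Parameters that hide the forwarded mail from the mailbox owner.
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

# Constructed sample records shaped like unified-audit-log entries (not real data).
SAMPLE_LOG = json.dumps([
    {"UserId": "alice@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "ForwardTo", "Value": "drop@external.example"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "bob@example.com", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "team"},
        {"Name": "ForwardTo", "Value": "team@example.com"}]},
    {"UserId": "carol@example.com", "Operation": "Set-Mailbox", "Parameters": [
        {"Name": "Identity", "Value": "carol"},
        {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.backup@external.example"},
        {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"UserId": "dave@example.com", "Operation": "MailItemsAccessed", "Parameters": []},
])

def _domain(addr):
    """Lower-cased domain of 'user@domain' or 'smtp:user@domain'."""
    return addr.split(":", 1)[-1].rsplit("@", 1)[-1].lower()

def suspicious_forwarding(log_json):
    """Return (user, operation, external_targets, hides_mail) for every event
    that sets up forwarding or redirection to a domain outside the tenant."""
    findings = []
    for rec in json.loads(log_json):
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        op = rec.get("Operation")
        if op in ("New-InboxRule", "Set-InboxRule"):
            targets = [params[k] for k in FORWARD_PARAMS if k in params]
            hides = any(k in params for k in HIDE_PARAMS)
        elif op == "Set-Mailbox":  # mailbox-level forwarding, no inbox rule needed
            targets = [params[k] for k in ("ForwardingSmtpAddress", "ForwardingAddress") if k in params]
            hides = params.get("DeliverToMailboxAndForward") == "False"  # forward-only
        else:
            continue
        external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
        if external:
            findings.append((rec["UserId"], op, external, hides))
    return findings

if __name__ == "__main__":
    for user, op, targets, hides in suspicious_forwarding(SAMPLE_LOG):
        print(f"{user}: {op} -> {targets}" + ("  [also hides the mail]" if hides else ""))
```

On a real tenant the same function can be fed the output of an audit-log export; the internal-domain set is the only tenant-specific input.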