
Unit 42's Iran Threat Brief: What We're Seeing
Justin Moore: The most important thing to remember today is verify claims, stay educated, but do the basics.
David Moulton: I'm David Moulton, and this is Threat Vector. Today I'm speaking with Justin Moore and Andy Piazza from Unit 42. Unit 42 has published a threat brief on Iran-linked cyberactivity, and these two are walking me through what the team is actually observing; which groups are active; and what defenders should be doing. Justin, Andy, welcome to Threat Vector. Really glad to have you both here today.
Justin Moore: Thanks for having me, David.
Andy Piazza: Yeah. Thanks for the break in the chaos. This is a good slowdown to have this conversation.
David Moulton: I know it's been a busy day for you today. I appreciate you giving me a few minutes to walk through the threat brief. Tell me what it's been like inside of Unit 42 threat intelligence the last few days.
Justin Moore: Chaotic, busy, a lot of typing, and a lot of collaboration, lot of communication, trying to keep abreast of everything that's going on, you know, making sure that we're doing everything we can to protect our customers and that we know everything that's happening that -- that we can stay ahead of. So keeping us up late at night and early in the morning.
Andy Piazza: Yeah. Piggyback off that, I think Justin and I both being former OPS folks, we thrive in chaos. So it's kind of been our sweet spot. Lot of coordination. You know, we call the -- internally, we call this a rapid response. And I think, every time we do one of these within the organization, it gives us a really good opportunity to collaborate and work with some really, really smart peers across the company, right, product side and services side. So, despite the stress and everything that's going on, it's a really, really cool opportunity to make an impact for our customers and get to know the company a little bit better internally and work with some really smart folks so.
David Moulton: Before we get into the specifics of this threat report, I want to help our audience understand how your roles connect. Justin, you're leading the rapid response right now, and our Fusion Intelligence Team. And then, Andy, you're leading Threat Research for Unit 42. How do those two functions work together when Unit 42 is publishing a brief like this one?
Andy Piazza: I'll try to tackle that. Let -- let Justin expand on his role for a rapid response perspective. But, day to day, I have the traditional threat researchers within Unit 42. We're the ones that are going out into case data; customer telemetry, if they have it turned on; coming in house. And we're the ones trying to understand the intelligence picture, big, big picture, down in the technical weeds. I won't just say strategic but really understanding the attack capability of threat actors that we see through Palo Alto Networks products and services. We're -- we're the ones that are going to drive a lot of the original research, and then trying to make sense of that is Justin's kind of Fusion Intelligence role is taking what we're seeing plus what the rest of the vendors are seeing and partners in information sharing circles, trying to fuse all that together to make a bigger intelligence picture. But I'll hand to Justin to explain the chaos of running a rapid response, too, and how that plays in with us.
Justin Moore: Yeah. So rapid responses are kind of a lot of fun. It's very much like herding cats. So it's very much, Dave, what does Unit 42 know about this specific instance, you know, this threat activity, this vulnerability. And that means pulling in resources from every single one of the teams within Unit 42 that also generally culminates in a threat brief for the website. So that way we can inform -- inform our customers of what we know, how they are defended, and also to let them know that we're paying attention to the landscape, right? And so we're able to leverage Unit 42's and Palo Alto's product suite to bring me the best intelligence. So that means a lot of monitoring and a lot of communication.
David Moulton: So, Justin, the brief notes that Iran's internet connectivity dropped significantly. Walk me through what Unit 42 is observing as a result of that and what it means for how defenders should be thinking about this threat landscape.
Justin Moore: Well, I think the most interesting part of that is, right, Iran has been nearly without internet for over 72 hours at this point. So the majority of activity that we're seeing is actually coming from outside of the country, right? So your globally dispersed or regionally dispersed activists have jumped on board, and -- and they're the ones that are kind of carrying the weight of retaliation right now.
David Moulton: I know that the brief mentioned that state-aligned cyber units may be acting in operational isolation. What does Unit 42 actually observe when that happens?
Justin Moore: I think, well, that's a little bit of a tougher question, only because this is a unique situation. The ground truth in Iran right now is that they're very much cut off. There are a lot of leadership changes going on, and that means the individual units are more likely to have to take a more operationally autonomous role in conducting operations. This is probably a position they're not used to, and so that kind of changes the calculus significantly for them.
Andy Piazza: Yeah. I would add, too, it goes -- goes back to the -- my comment about noise. Like, we're seeing the pro-Iranian activists, a lot of activity from them where with a nation state actor, especially when things are kinetic, right, while missiles and bullets are flying, you know, this is a little bit of projection. I'm not saying this is what they're doing, but primarily a military unit or government intelligence unit is going to be more worried about, you know, collection and intelligence and -- and those types of activities. That's when we talk about dwell times of eight, nine months, not 24-hour impact type of thing. So seeing that those espionage access, if that exists, is much harder when you're in the middle of a DDoS, right, or we're dealing with defacements and stuff like that. So this is that part where those units may be active. Even with their internet out, they may be acting outside of their country, forward deployed. But it's a lot harder to see intelligence collection happening when there's so much going on from a defacement and, like, disruption standpoint so.
David Moulton: So the brief names a fairly large group of active threat actors. I think it had Handala Hack. It had Dark Storm Team, Dynet. There were some pro-Russian groups. And coming to mind, one of them is Cardinal. Walk me through how Unit 42 is categorizing and tracking these groups, and what does observed activity from each of them actually look like?
Andy Piazza: So, traditionally, we do have our attribution framework; and we use our constellation names for threat actors that we track over time. We have a great threat research article out there on our methodology for that. When it comes to, one, rapid response and quick turn, we're not going through that mature process. We're going to report as quickly as possible. And, two, when it comes to what I kind of call these self-named groups, when it comes to activists, they give themselves their own name. Like, it's much easier just to stick with those. So these are often names that they've given themselves or maybe the community has given them, and they're kind of the common names that people are tracking. Sometimes it's just literally associated with either a handle on a platform that one of their actors used or the actual name of a chat group that they have set up. But the big thing that we've, I think, the last 72 hours been really trying to understand is, origins of these groups, are they, you know, pro-Russian, pro-Iranian, because this does give an opportunity for other actors to take -- take advantage of the situation. So we're trying to categorize the types of attacks and start validating some of their claims. Again, a lot of these are claims. They haven't necessarily been validated. So our teams right now are bringing in all these links, getting them into spreadsheets, right, because Excel is the master intelligence tool of it all, and sort of categorizing, right? Is it valid? Is it -- need further evidence, and then what type of attack claim it is so we can start kind of categorizing DDoS versus, you know, distributed denial of service versus defacements versus threats. There's some hack-and-leak claims, those types of things. And so we just want to categorize those. Yeah. Justin, anything to add there?
Justin Moore: Yeah. I mean, just to piggyback on what Andy was saying, I think the most important piece there is verifying the claims spread. A lot of claims are occurring. Groups are very well-known to exaggerate access, exaggerate impact. And so that's one of the things, you know, for downstream, you know, possibly impacted entities, right, be aware that just because they've claimed access doesn't mean they have access. So it's definitely important to be on top of, you know, robust communication plan, scoping and determining whether or not they actually have access or they just wanted to look really good so.
David Moulton: So Handala Hack stands out because -- in the brief because it's reportedly sending death threats to US and Canadian individuals, and it's claiming that they have shared the home addresses of those folks with physical operatives. What has Unit 42 actually observed from this group in terms of activity and capabilities, and what's the practical implication for organizations?
Andy Piazza: Yeah. You know, I think with -- with any of these claims, again, there is a matter of we need to continue to monitor them and try to validate them, first off. Second, I do think it is an escalation of threats that we have not seen in previous conflicts in general. So that is -- it's something new. I think, overall, this situation with the conflict today is much different than we've seen in previous conflicts with Iran. And I want to point that out because, as we get into talking about whether it's cyber capabilities or these death threats, the rule book's out, right? They are a country that's under attack. We do not know how they are going to respond. These pro hacktivists are going to respond differently than we've seen in the past. They may feel like this is a gloves-off situation, and those red lines don't exist anymore. I do think because we're talking about physical threats, those are things that we need to talk -- take seriously and consider, you know, our OPSEC or PERSEC, or operational security and personal security, a little bit more. We've seen, you know, ransomware groups do some of this stuff in the past. But they -- for the most part, they've either not been taken seriously or haven't borne -- actually borne fruit. But with the situation now, if, you know, Iran's been a state sponsor of terrorist organizations in the past, there's no telling. I think this is a little bit -- when it comes to the physical threats is a little about -- bit outside of our expertise from a Unit 42 perspective. I really just encourage folks to look at their cyber hygiene to help protect that data of, you know, where they live; and think about what they're posting to social media, especially if they're outspoken against the conflict in Iran. I think you have to consider yourself a heightened target. Like, ensure your personal accounts are -- you know, enable multifactor authentication. Protect your privacy. Protect records as much as possible. Little harder with US. I'm not sure about Canadian laws, but US with our home records and yellow pages and all that information being out there. But we can also make it a little bit harder by not, you know, posting to social media where our home addresses are and things like that. So, if you're going to be public facing and -- and talking against the regime, you should take some additional precautions.
David Moulton: Andy, if you've received a physical threat, a death threat from one of these groups, what should you do?
Andy Piazza: I think, if individuals are named, they need to take it seriously and consult with local law enforcement. Make sure -- report to the FBI as well. But I would definitely talk to local law enforcement. They understand your -- your persona, why you might be involved in the threats. You know, talking to local law enforcement about the security of your house, if you've got, you know, security systems, those types of things, just making sure that you've touched that -- touched base with -- with local law enforcement and -- and federal, as well, since this is an international thing. I would definitely touch base with the FBI as well.
Justin Moore: I'd also like to just jump on there and say, too, that social media accounts are an immediate place for -- you know, for threat actors to go. So, you know, if you have been targeted, ensuring extremely high levels of cyber hygiene; change passwords; ensure that you're not -- that you're paying attention to phishing emails, SMS messages. You know, just kind of the basics of cyber hygiene will go a long way protecting you.
David Moulton: What are the TTPs and IOCs Unit 42 is tracking that defenders should be watching for, regardless of where their organization is located?
Andy Piazza: Well, I definitely think more of the TTP side is, you know, higher -- higher level is the disruption; is understanding your supply chain as far -- far out as possible and what those impacts could be, right? We've seen a data center literally destroyed, right? That might not be in most people's threat model. And so understanding, right, as the US always jokes around, when US East One goes down and East Coast loses access to most social media and Netflix, if you're regionally based, understanding where your backbone is and, if you lose network, do you have, you know, satellite comms or secondary communications for especially critical systems? I would look at some of those relationships that may be under stress. If you have, you know, shipping relationships or if you're an -- especially energy company operating in the Middle East, right, those are heightened tensions. Expect delays in any transportation going through that region. A lot of those things that are kind of non -- non-cyber may be impacted from just the fact that there's geopolitical situation going on. I mean, we've got closed airspace that's going to reroute airplanes, closed shipping routes, those types of things; you're going to slow down transportation. So understanding impacts to the greater business and supply chain from that perspective I think is important. From the cyber kind of side of things, understanding your ability to protect from disruption for DDoS, distributed denial of service attacks; recover from destructive attacks, right. Do we have backups? Are they tested? If you get a -- you know, a wipe out or wiper deployed from Iranian actors, you know, how are you going to respond? Are you prepared? Have you tabletopped that? Do you actually know where the backups are and that they work? Those types of things I think would be the conversations I would be having with my security team right now.
David Moulton: For the CISOs that might be listening who don't see an immediate connection between their organization and this activity, how do you help them understand whether they have actual exposures?
Andy Piazza: Yeah. I mean, the -- this is one of those situations where, you know, prevention goes a long way. And so understanding this long before there's a conflict, I think, is definitely important. However, now that we are where we're at, having an understanding of, you know, it's eating your vegetables and, you know, exercising every day, right? What's in your risk register? What are we prioritizing? You know, I think this shortens the response timeframe of being able to do some of those things on the risk register. But I don't think it's a novel net new risk for -- for most companies. If this was on the radar, it should have been on their radar years ago or at least months ago. Yeah. Like I said, it might speed up how they respond and what they do. But I would really encourage them to look at the fundamentals and ensuring that they have MFA in place, that they have patching and prioritizing patching of edge devices. All of the traditional initial access places I think are very important. I don't think any of that shifts just because of the kind of time-based pressure. From a threat landscape perspective, especially with the hacktivists, pro hacktivists, and the third parties who may be taking advantage of the situation, I do think it changes the threat landscape of who or what we call, like, a threat model of who may impact your organization normally. Normally, you worry about, okay, I have these critical assets, and these are the type of actors who care about these critical assets. But, when there is an armed conflict, it's more of an acting out situation. And so I think it -- any organization that deals with the energy sector, deals with the Middle East, telecoms, they all need to be on heightened alert. But then anybody who uses energy or telecoms needs to also understand what those impacts could be, too, right? There's a lot -- I mean, unfortunately, there's no company that exists on its own on this planet, right? Every -- everything is connected. Sometimes that is literally network trust connections. They are connected to their supply chains. And so we have to think about it holistically and what are those measures that we can prevent or detect and respond and kind of slow down those breaches inside of our network.
Justin Moore: So, you know, also, with that said, for CISOs, it's understanding anyone who's doing business internationally, any sort of upstream target is going to have downstream impact, right? So international logistics companies, every single one of those international vendors, right, that -- that will end up coming back to haunt you downstream, right, if you're not paying attention. And, like Andy said, that doing your job is -- is understanding your risk, so hopefully that -- that's already been -- that's already been considered but also understanding that, because this is -- this is a wider spread operation here for a lot of these groups, that it doesn't take anyone off the table. And that means that you may unexpectedly be impacted by an upstream vendor of yours.
David Moulton: Andy, you were just talking about security hygiene, the very fundamentals, right, like having air gap backups or looking at your phishing training. Those are some things that, you know, have to be done before this becomes a real threat that you're facing. But I'm wondering, you know, not new recommendations but which of those are directly tied to the TTPs Unit 42 is observing right now, and/or which would you prioritize within your controls as a space to -- to focus on?
Andy Piazza: So I think, because of the threat of disruption, I think resilience, anything resilience, if you've got DDoS, protection, those types of things is something I would -- I would crank up to an 11 right now and then recovery operations, the air gap backups and testing your recovery capabilities because we don't know if -- we know Iran has used destructive malware in the past, and we don't know when and where those are coming from next, right? So I would definitely be prepared for those types of things. So prevention, get -- get ahead of it from a can we stop the DDoS and continue to have our network operate and then also being able to respond and recover from a major, major event using backups and recovery.
David Moulton: I'm curious, as you're watching this situation unfold and you go back to some of the similar situations in the past, where do organizations make mistakes? Where are they tripping up consistently that you would call out today to give them a little -- little bit of a heads up on what to look out for?
Andy Piazza: Burnout. Definitely burnout. You can't be intelligent if you're not sleeping and eating and getting up and moving. I don't know if we're on day three or four or seven at this point, and it's a good reminder for myself. Leaders -- leaders need to start thinking about what is the rotation schedule? Are -- you know, Justin's starting to look a little bloodshot in the eyes. When was the last time he slept and ate and got up and got some water, and making sure that we're forcing people away. It's really, really easy to burn folks out. And, you know, the more tired we are, the more mistakes we're going to make. We're not going to be -- be intelligent if we're not getting the right calories in recovery. So take care of your people right now. You know, this is a major crisis. Absolutely. But, if your network is not under threat right now, you should not be in a war room and incident response bridge every day. You should be taking care of your people. And be prepared and have enhanced monitoring; but let some people get some sleep, or you're not going to be there when you need to be responding.
Justin Moore: A lot of that, too, just goes back to the basics, right, when it comes to cyber hygiene and policy. You know, make sure your IR plan is solid. Make sure you have a response plan. Make sure you have a comms plan. You know, ensure that you've conducted asset management. You patched everything. You know, a lot of this comes back to the -- to the basics. And that'll -- that goes so far in the long run. I think that's really good advice all the time but especially during a crisis is to make sure that your plans are in place and your teams aren't burning out. This could be one of those things that, given the personalities I've observed in security, you're mission-driven. And the mission's over when the mission is over, not when you're tired. But you're right, Andy. Not enough sleep, it's -- it's whatever the opposite of intelligent is, at least for me, when I've not caught enough -- caught enough shut-eye.
David Moulton: No situation is made better by being tired so.
Andy Piazza: Yeah. That's true.
David Moulton: The brief includes some recommendations that are different from -- from technical ones: Prepare to validate and respond to claims of breaches or data leaks because the threat actors may be using false or those exaggerated claims. You guys have covered that quite a bit, you know, to validate. What does Unit 42 observe about how these claim cycles play out, and what does a good organizational response look like?
Justin Moore: I think one is -- is understanding that you're still allowed to lie on the internet, so don't take them -- you know, don't burn all of your resources trying to jump on these claims. This is the same thing we've seen with the hack and extortion groups, the ransomware groups. You know, they have -- we completely compromised this entity, this organization; and we find out it was like a third-party database that was three years old from testing, right? So bad guys still lie on the internet. Do not burn all of your resources trying to react to that. Take a systematic approach. Look at the data. Usually from the data, you can tell what type of database it likely came from. Go check that database for signs of compromise. Be systematic about it, and don't be reactionary. You know, some of these false claims are literally to stress people out. And so I'll just say don't let the bad guys win, and take a systematic and measured approach to it.
Andy Piazza: Great organizational response is to continue doing what you're doing. Do do the right things at all times, right? Don't -- don't make a situation out of -- out of a claim, and do your best to maintain a pretty positive but, you know, diligent posture, right? Make sure that the SOC is doing their work. Make sure that you're in touch with your vendors. You know, make sure that you're paying attention to third-party risk. You know, consult with legal and policy in your -- in your companies, comms, things like that; you know, and continue to stay abreast of what's going on. You know, read. Ensure that you know what the landscape looks like right now. The landscape is heavy hacktivist activity, so that's a great thing to know. The majority of that has been, you know, very much in the realm of -- of DDoS, right? So being aware of that and the potential impact, that's going to set you up for success.
David Moulton: Have you guys seen any cases where a really well-handled public response to a hacktivist claim reduced the attacker's impact?
Justin Moore: There are -- there are a lot of exaggerated claims, even DDoS claims, right? You may have a 12-minute downtime on a website that could be considered a win for a hacktivist group. But if your -- if your comms plan, you know, ensures that you're coming out to say, well, this is actually only a 12-minute -- 12-minute downtime. Or kind of related to what Andy was talking about earlier where, you know, it was really a two-year-old breach that, you know, had been posted online and then aggregated with some other data, and then it comes back out. You know, for companies to get ahead of that, it not only mitigates the impact to your organization reputationally in the moment, but it also degrades the ability for those hacktivists to continue to exaggerate over time. And so it discredits the group in its future operations.
Andy Piazza: Yeah. I will say, without naming names, a comms plan can -- can make or break a company's response. They could have the best response in the world from an IR and protected perspective; and their comms plan or team botches it, and it -- it looks horrible, right? Or -- we've all -- we've all gotten the, oh, there was no major impact. And a week later, like, 5 million records; and then, two weeks later, 10 million records, right? Like, it just keeps getting worse. And you get the letter in the mail; and it was, you know, everything, including your DNA test. So I would encourage companies to have a solid, tested comms plan. Go look at other examples. Obviously, there's a number of firms like ours that will -- will consult and help them with those types of things. But those comms plans are things that you can have in place ahead of time. You should not be trying to write a PR response during an incident, just like you should not be trying to write an incident response plan during an incident. Have those -- as much transparency as possible I think is really, really critical. Most -- most of the time in this industry, you're going to get judged on how you handle your communications way more than how you handle the breach itself. Yeah. How you handle your response in life is up to you, and what happens to you is sometimes out of your control.
David Moulton: Well, you've mentioned -- you've mentioned this idea of having a really good comms plan, and you've talked about validating some of the claims and not over-rotating on them. Are there maybe two or three other concrete actions that you would recommend to our listeners that move the needle most based on what Unit 42 is actually observing?
Justin Moore: Yeah. I want to go first on ensuring companies are educating and reconfirming with their employees that they're paying attention to their social media. They're paying attention to phishing attempts. Cognizance and diligence are where I would be looking right now. Those are the easy -- easiest access vectors in a lot of places, right? And we're talking mid-60% of compromises are based on phishing. So that's a huge vector. So, looking at that, it'd be the first place I look to and then ensuring, right, all of the same things, right. Your plans are ready to go, and you're ready to respond when needed to.
Andy Piazza: I'm a big proponent of multifactor authentication, especially for remote access, evaluating remote access, and ensuring that any temporary exceptions as a policy were actually closed. There's nothing more permanent than a temporary exception to policy. So, if someone got a waiver that they didn't need to patch the server when -- when the patch came out, or there's a waiver for remote access without MFA, go back and evaluate those right now and double check that they're justified and still needed in place, because that's often where we see the biggest gaps is bad guys will find that the one account that got the exception of policy for multifactor authentication, they'll find the one server that didn't get updated. It's better that you do your asset and identity inventory than letting the bad guys do it. So double check that. Like I said, CISOs have the risk register. They probably know where the problems are. They don't need us to point at them. But I think it's -- it's really easy for us to go look at the shiny thing and go, What's that? You know, just like gym guidance, right? What's that one secret? It's like, show up and do it every day. Wait. What? No, no. But what's the secret? Patch. Audit. Secure. That's it. Every day.
David Moulton: For listeners who want to be able to stay current on what Unit 42 is seeing, I want you to go to our Threat Research Center and read our blog. It will continually be updated as we know more and as we validate what we know. The link to that will be in the show notes. Justin, Andy, thanks for coming in today, giving me some of your time, and sharing what you've observed in this unfolding situation with the Threat Vector audience today. I appreciate you both coming in and -- and answering my questions.
Justin Moore: Thanks for having us on, David. Appreciate it.
Andy Piazza: Yep. Appreciate the opportunity and the short break from all of the Slack messages and emails we probably missed. But we definitely needed it. We're going to take our own advice and hopefully get up and get some water after this.
David Moulton: That's it for today. If you like what you've heard, please subscribe wherever you listen; and leave us a review on Apple Podcast or Spotify. Those reviews and your feedback really do help me understand what you want to hear about. If you want to reach out to me about the show, email me at threatvector@paloaltonetworks.com. I want to thank our executive producer, Michael Heller; our content and production teams, which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. Goodbye for now.