Pro-Iran hackers appear to increase critical infrastructure cyberattacks

Cyberattacks against critical infrastructure from groups sympathetic to Iran appear to be ticking up, as the federal government warns that hackers may exploit vulnerabilities.

Last week, pro-Iranian hacking group Ababil of Minab claimed responsibility for a March hack on the Los Angeles County Metropolitan Transportation Authority, publishing claims on Telegram that they said showed them accessing LA Metro’s internal systems. The transit agency shut down access to some of its network after its security team found unauthorized activity, although officials said bus and rail service was unaffected.

The group's claims may be false. It is an “emerging” group “with a limited public profile and little verifiable prior activity in threat intelligence reporting — making any definitive capability or intent assessment premature at this stage,” said a blog post by Tim Miller, field chief technology officer for public sector at Dataminr, an artificial intelligence-backed platform that helps leaders track events, threats and risks in real time.

Still, Miller wrote, “What can be cautiously observed from available evidence is that their explicit pro-Iran messaging and targeting of a major US public transit authority is broadly consistent with Iranian-aligned actors’ known pattern of targeting US critical infrastructure."

Other experts that track such events are similarly cautious. “There is no clear evidence that the claim is legitimate,” said a spokesperson for the Multi-State Information Sharing and Analysis Center, which has warned of attacks on critical infrastructure by pro-Iran hackers.

Still, it is a worrying time for state and local governments and critical infrastructure operators, who have been waiting to see whether the ongoing U.S. war on Iran would draw retaliation by Iran-linked hacker groups.

"The threat of cyber-attack from Iran is real,” Andrew Chipman, governance, risk and compliance manager at cybersecurity company ProCircular, said in an email. “At this time, we expect to see that threat realized through proxies, hacktivists, and other allies to the Iranian regime. If Iran is able to build back their regime, we may see direct retaliation from Iran in the form of cyber-attacks against highly visible targets. History teaches us that hospitals and medical service providers are prime targets for the regime and its supporters. However, any critical infrastructure is a potential target.”

The alleged Iran-backed hack in Los Angeles preceded a April 7 warning from the Cybersecurity and Infrastructure Security Agency and a slew of other federal agencies that various operational technology devices used in critical infrastructure, including programmable logic controllers, have been exploited by bad actors linked to Iran.

The agencies said those efforts, which have at times “resulted in operational disruption and financial loss,” have been designed to “cause disruptive effects within the United States.” CISA and its fellow agencies said the targets have included government services and facilities, water and wastewater systems and energy.

“Iran using cyberattacks to probe and impact American utilities should come as no surprise,” Lt. Gen. Ross Coffman (Ret.), president of artificial intelligence company Forward Edge-AI, said in an email. “Iran is using its long-range targeting tools to fight in every domain possible. We must continue to harden our cyber defenses and remind employees that they are the first line of defense. Our government's cyber professionals are the best in the world, so Iran is probing daily to find an exposed flank.”

Ababil of Minab warned that their “forthcoming actions will exact sterner pain,” although Miller said in the blog post that those pronouncements should be “treated as unverified rhetoric until corroborated by additional intelligence.” Chipman said some form of escalation could happen.

“Iran is not currently in a position to wage large scale cyber warfare against the United States or its allies, but hacktivists and proxy attackers are plentiful — expect attacks to come and prepare appropriately," he said.