Why Iran Is a Scaredy Cat Cyber Chicken

Tom Uren
Friday, July 4, 2025, 8:01 AM
The latest edition of the Seriously Risky Business cybersecurity newsletter, now on Lawfare.
Published by The Lawfare Institute
in Cooperation With
Brookings

U.S. authorities and security firms have spent the past few weeks pumping out nonstop warnings about an increased threat of Iranian cyberattacks targeting U.S. critical infrastructure. At the time of writing, these attacks have not materialized. Given the U.S. has already dropped very real bombs, we think Iran has good reason to avoid escalatory cyberattacks.

Disruptive cyberattacks can be useful because they cause harm and they are also hard to stop or deter. Iranian groups have carried out these kinds of irritating attacks in the past. But there's a caveat. These types of attacks are useful and worthwhile before bickering between states escalates to armed conflict.

Back in December 2023, for example, an Iran-linked group calling itself the Cyber Av3ngers disrupted water facilities across the U.S. by hacking Israeli-made Unitronics programmable logic controllers. These devices are important because they are used to control and monitor operations at water processing plants. Still, in this case, the incidents were annoying rather than destructive or disastrous.

In response, the U.S. government sanctioned senior officials who it said were responsible at the Iranian government's Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).

At the time of the hacks, we wrote:

There is an argument here that a robust response is needed to try to deter hackers from meddling with US critical infrastructure. In this case, however, the hacking is akin to digital graffiti and is not reported to have had any serious impacts.

A military response to these hacks would have been an overreaction. Hence, a few months later, the U.S. government dropped sanctions, not bombs.

That ability to cause adversaries some pain without triggering a military response is part of the appeal of cyber operations. A Google report examining Iranian cyber operations against Israel described them as "tools of first resort" because they provide:

a lower-cost, lower-risk way for rivals to engage in conflict, gather information, disrupt daily life, and shape public perceptions — all while still remaining below the line of direct confrontation.

The recent U.S. strike against Iranian nuclear facilities makes it clear that military action in response to any serious hack of U.S. critical infrastructure is very much on the table. Iranian hackers will have to wonder if that "line of direct confrontation" even exists any more, let alone whether they can stay under it.

President Trump posted on Truth Social: "ANY RETALIATION BY IRAN AGAINST THE UNITED STATES OF AMERICA WILL BE MET WITH FORCE FAR GREATER THAN WHAT WAS WITNESSED TONIGHT."

So far, at least, it seems Iranian groups are treating Trump's post as a credible threat. It is in ALL CAPS after all. At the time of writing, we've seen only one notable cyber-related incident. A persona named Robert has threatened to leak emails stolen from Trump's associates. Robert leaked emails to journalists in the final months of the 2024 presidential campaign and a Department of Justice indictment alleges that three Iranians working for the IRGC were responsible for that incident.

These types of hack-and-leak operations are very unlikely to elicit a military response, so it makes sense this is where Iran's cyber efforts are focused for now.

Universal Surveillance Is Here, and the FBI Just Don't Care

A new report from the Department of Justice Office of Inspector General (OIG) has laid bare the FBI's lackluster efforts to adapt to the rise of what it calls ubiquitous technical surveillance (UTS). It found the agency isn't doing enough to protect its operations from this rising threat, and worse, the FBI just doesn't seem to care.

The FBI defines UTS as "the widespread collection of data and application of analytic methodologies for the purpose of connecting people to things, events, or locations."

One striking example of the impact of UTS on the bureau's work describes how its operations were compromised by a Mexican drug cartel:

In 2018, while the FBI was working on the "El Chapo" drug cartel case, an individual connected to the cartel contacted an FBI case agent. This individual said that the cartel had hired a "hacker" who offered a menu of services related to exploiting mobile phones and other electronic devices. According to the individual, the hacker had observed people going in and out of the United States Embassy in Mexico City and identified "people of interest" for the cartel, including the FBI Assistant Legal Attaché (ALAT), and then was able to use the ALAT's mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT's phone. According to the FBI, the hacker also used Mexico City's camera system to follow the ALAT through the city and identify people the ALAT met with. According to the case agent, the cartel used that information to intimidate and, in some instances, kill potential sources or cooperating witnesses.

At first glance, this is real movie-hacking stuff.

But the report doesn't go into detail about the specific techniques used by the "hacker." They may easily have been unsophisticated from a cyber perspective. For example, a Vice report from late 2023 says Mexican criminals were relying on corrupt officials to access a law enforcement platform to obtain phone call records and locations.

Internet-connected cameras are also easily compromised, and they have been widely hacked in the Russia-Ukraine war, in the Israel-Iran war, and by Hamas to collect intelligence in preparation for its Oct. 7, 2023, attack against Israel.

The OIG's report notes that:

Although the risks posed by UTS to the FBI's criminal and national security operations have been longstanding, recent advances in commercially available technologies have made it easier than ever for less-sophisticated nations and criminal enterprises to identify and exploit vulnerabilities created by UTS.

The El Chapo incident occurred in Mexico, but UTS is a risk everywhere. In 2021, for example, a Catholic Substack publication used notionally anonymous app data to identify an American priest as a Grindr user. In 2024, researchers used smartphone geolocation data to find devices associated with the U.S. Securities and Exchange Commission and to track visits to the headquarters of publicly traded firms.

The FBI isn't the only national security agency that has struggled with UTS. Officials from the CIA told the OIG that the threat was "existential" for the organization.

A Washington Post article from May described the challenge the CIA faces while operating in China:

Beijing alone is believed to have more than 1 million CCTV cameras. One former U.S. official who recently visited the city said there were so many cameras on the street it felt like being in a TV studio. The cameras are often paired with sophisticated facial recognition programs that can simultaneously track millions of individuals.

Incriminating data can live forever online, said Glenn Chafetz, a former CIA officer who served as the agency's first chief of tradecraft and operational technology. A hostile intelligence service such as China’s could discover days, or even months, later that a traitor in its ranks had met with a CIA officer by running big data feeds from cameras across the country through sophisticated artificial intelligence filters. "You have to be perfect now, in order to be clandestine ... perfect forever, before any op, during the op and forever after," Chafetz said.

While the CIA and FBI both face the same UTS challenge, there is a clear difference in care factor between the two agencies. The CIA actually believes that tackling UTS is important, because it's accustomed to operating in hostile environments. Ensuring the safety of its sources is a prerequisite for its long-term success. Screwing up and getting agents arrested or killed would drastically reduce the chances of successfully recruiting future spies.

Former CIA Director William Burns created a UTS Center to tackle the challenge of widespread surveillance, although the puzzle remains unsolved, former agency officials told the Washington Post.

By contrast, the FBI typically operates domestically where it is top dog and hasn't historically faced the same surveillance concerns that the CIA does. The overriding impression the OIG report leaves us is that the FBI is approaching the challenge of UTS as a box-ticking exercise. While former FBI Director Christopher Wray described UTS as a "Tier 1 enterprise risk" and ordered an internal review, a 2023 red team produced a gap analysis document that was shockingly brief.

The OIG described the document as "a single page of high-level, generalised vulnerabilities" and that it "contained no details, explanations or analysis." The entire redacted gap analysis is reproduced below.

Red Team gap analysis, source: FBI

That red team gap analysis became the basis of an FBI draft mitigation plan. The OIG's assessment of this plan is damning:

[T]he resultant OIC-led [Office of Integrity and Compliance] Red Team and the gap analysis it performed appeared to identify only high-level gaps in the FBI's policy and training, potentially leaving unaddressed many UTS vulnerabilities to the FBI's personnel, investigations, and operations. Because the Red Team's subsequent draft mitigation plan was based on its gap analysis, we have corresponding concerns about that plan. We also have an independent concern about whether the draft mitigation plan will result in any mechanism at the FBI that will better position it to respond to the evolving UTS threat in the future[.]

That's one hell of a bureaucratic burn.

The newly released OIG report makes four very reasonable recommendations: Do a better job of clearly identifying UTS vulnerabilities, devise a plan to address them, identify people to carry out said plan, and ensure the right people get the training they need.

It's not rocket science!

The FBI's response when given a draft version of the OIG's report was telling: It "did not agree or disagree with our [OIG's] recommendations."

Care factor: Zero.

Three Reasons to Be Cheerful This Week:

  1. Cyber insurance premiums down: Premiums in 2024 declined by 2.3 percent compared to the year prior, but insurers still remain profitable. If you are optimistic, this could signal that cyber incidents are becoming less damaging and/or less frequent. Another possible explanation, though, is that large businesses with a good security track record are confident enough to self-insure and therefore aren't paying premiums. We're not sure, but at least premiums aren't going up. Cybersecurity Dive has further coverage.
  2. U.S. cracks down on North Korean laptop farms: The Department of Justice this week announced actions it had taken to crack down on North Korea's fraudulent information technology worker scam. These include an arrest, two indictments, and the searches of 29 suspected laptop farms across 16 states. The Record has further coverage.
  3. Making Windows more resilient: Microsoft has announced a range of measures to make Windows more resilient. These include making Windows more secure, making it easier and quicker to recover from crashes, and getting antivirus companies to commit to specified safe deployment practices.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq talk about how Microsoft has embraced digital sovereignty and is bending over backward to satisfy European tech supply chain concerns.

From Risky Bulletin:

US sanctions another Russian bulletproof hosting provider: The Treasury Department has sanctioned the Aeza Group, a well-known provider of bulletproof web hosting services for malware, disinformation campaigns, and dark web marketplaces.

Sanctions were levied on the main company, three subsidiaries, its three owners, and a fourth high-ranking executive.

Officials have linked Aeza Group's server infrastructure to the Lumma, Meduza, and RedLine infostealers, the BianLian ransomware, and the BlackSprut dark web drugs marketplace.

The sanctions don't mention anything about Aeza hosting disinformation campaigns, but Correctiv and Qurium investigations linked the company to a Russian disinformation group known as Doppelganger.

[more on Risky Bulletin]

Scattered Spider goes after aviation sector: Individuals associated with a large cluster of hackers known as Scattered Spider (Muddled Libra, UNC3944) are targeting companies in the aviation and transportation sectors.

The group, which was previously very active in 2023 and had some members arrested in 2024, saw a resurgence in activity this year.

It returned with a bang with attacks that targeted U.K. retail chains, moved to go after U.S. retailers, and then targeted U.S. insurance businesses before a new change in targets this month.

Google, Palo Alto Networks, and the FBI put out public statements on Friday warning about the group's new shift toward aviation.

[more on Risky Bulletin]

Phishers abuse forgotten Direct Send feature: Phishing gangs are abusing a little-known Microsoft Exchange Online feature to send malicious emails to Microsoft 365 tenants and their employees.

The feature is named Direct Send and allows hardware devices inside a company's network to use the Exchange Online server to send emails. It is typically used by printers and scanners to send scanned documents via email or by phone or video conferencing applications to send invites and reminders to participants.

[more on Risky Bulletin]
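As an added example (not code from the newsletter or from Microsoft), here is a small Python check a defender could run over inbound message headers to spot Direct Send abuse: mail that claims the tenant's own domain yet arrived without passing SPF, or from an address outside the organisation's known internet egress ranges. It reads the Authentication-Results and X-Sender-IP headers that Exchange Online Protection stamps on inbound mail; the domain, the egress range and both sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr
import ipaddress

# Constructed samples, not real captures. Exchange Online Protection stamps
# Authentication-Results and X-Sender-IP on inbound mail; these values are made up.
SPOOFED_VIA_DIRECT_SEND = """From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Scanned document
Authentication-Results: spf=fail (sender IP is 203.0.113.5) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=example.com;compauth=fail reason=001
X-Sender-IP: 203.0.113.5
"""

LEGIT_SCANNER = """From: scanner@example.com
To: staff@example.com
Subject: Scanned document
Authentication-Results: spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=example.com;compauth=pass reason=109
X-Sender-IP: 198.51.100.7
"""

# Assumed: the organisation's domain and its known internet egress ranges, the only
# addresses a printer or scanner inside the network could be connecting from.
ORG_DOMAIN = "example.com"
ORG_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_auth_results(value: str) -> dict:
    """Reduce an Authentication-Results header to {method: result}, dropping comments."""
    results = {}
    for clause in value.split(";"):
        key, sep, rest = clause.strip().partition("=")
        if sep and rest.split():
            results[key.strip().lower()] = rest.split()[0].lower()
    return results


def direct_send_findings(raw_message: str, org_domain: str = ORG_DOMAIN, egress=ORG_EGRESS) -> list:
    """Reasons a message claiming our own domain looks like Direct Send abuse ([] = clean)."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if from_domain != org_domain.lower():
        return []  # not claiming to be us; out of scope for this check
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    if auth.get("spf") != "pass":
        findings.append(f"own-domain sender with spf={auth.get('spf', 'missing')}")
    ip_text = msg.get("X-Sender-IP", "").strip()
    if ip_text and not any(ipaddress.ip_address(ip_text) in net for net in egress):
        findings.append(f"connecting IP {ip_text} is outside known egress ranges")
    return findings
```

A legitimate scanner using Direct Send connects from the organisation's own egress address, so it passes SPF and is not flagged; the spoofed message fails both checks.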


Tom Uren writes Seriously Risky Business, a big-picture, policy-focused cyber security newsletter. He also co-hosts the Seriously Risky Business and Between Two Nerds podcasts that appear on the Risky Business News feed. He was formerly a Senior Analyst in the Australian Strategic Policy Institute's (ASPI) Cyber Policy Centre where he contributed to various projects including on offensive cyber capabilities, information operations, the Huawei debate in Australia and end-to-end encryption.