Tova: Hey there, and welcome to the Cyber Resilience Brief, a SafeBreach podcast. The podcast is all about helping you build real-world cyber resilience. I'm Tova Devoreen, and every episode, we unpack what's working, what's evolving, and what you can actually do to stay one step ahead of attackers. In this episode, we will be speaking to SafeBreach's senior sales engineer, Adrian Culley, also our resident contact in the EU for our EU team, about the FBI advisory regarding Iranian hacking attempts released on June 30, 2025. Happy listening.

Tova: Adrian, how are you today?

Adrian: I'm very well. How are you, Tova?

Tova: I'm good. I'm excited. Let's talk about this Iranian hacking threat.

Adrian: Okay. Very timely. There was a brand new government advisory published by the FBI, the National Security Agency, and CISA earlier this week, so this is the first week of July, concerning Iranian cyber actors and vulnerable US networks, although it could be elsewhere around the world as well. They're talking about a number of different Iranian threat actors, not least of which is the Cyber Avengers group. Now, the Avengers are very interesting. They have done a good job of trying to get themselves perceived as hacktivists, but they're actually very well known to be members of the IRGC, the Islamic Revolutionary Guard Council. In fact, six of their members are sanctioned by the FBI and wanted for their attacks. They're specifically targeting regulated industries, those that use operational technology and IoT, two distinct things, but they can be conflated, and they write very specific code that's very nasty at attacking OT systems, particularly in the water industry and the aviation industry. Basically, the advisory from the government is saying that now is the time to check the resilience of these systems against known Iranian threat actors. There's other confidential intelligence that we're likely to see some very high-profile attacks in the very near future. In fact, they may already be underway. Now, that's not ambulance chasing, that's not Chicken Little saying the sky is falling. What we're saying is, now is the time to simulate and emulate these attacks to check our resilience and minimize the attack surface against these threat actors.

Tova: Well, my understanding from the advisory as well is that it's not just Iranian threat actors. Is that correct? That there might be other forces involved?

Adrian: So that's a very interesting point. Attribution in cyber investigations is the most difficult thing and, in general, best left to government. There are some standard texts on this. A friend of mine, Richard Clayton, from the Cambridge University Computing Department, did his PhD in anonymity and traceability in cyberspace a very long time ago. That's available online, and I recommend anybody who's looking at attribution read it. There's the Perkovich research on attribution, and Thomas Rid's "Attributing Cyber Attacks", which is very exhaustive. All of these will tell you how difficult cyber attribution is and how easy it is to misattribute. However, when governments or large threat intelligence firms give us a steer, it's worth listening. And what's very, very interesting is that when we see this increased activity from Iranian-based advanced persistent threat groups, it's very well documented that there's a specific Russian group referred to as "Turla" who piggyback on the Iranian activity. They're very, very good at disguising themselves as the Iranian threat groups, but they've got distinct, separate attack techniques. So I would also recommend that anybody who's checking their cyber resilience in light of the advisory not only covers the Iranian threat groups, APT33 (Elfin), APT34 (OilRig), APT35 (Magic Hound), and APT39 (the Rana Intelligence Company), but also addresses the Russian Turla group, because it's not at all a weak hypothesis that we will see increased activity from at least the Turla Russian group, if not other Russian groups, in the very near future too.

Tova: Okay. So what does that mean for people who are listening to this episode right now? What can they turn around and do to protect themselves?

Adrian: So, one of the techniques that's used by Cyber Avengers is a piece of nasty malware that they created called IO controller. We actually have attack code that's unique and specific to that, and we have customers running that attack code, checking if they are vulnerable to it, and then remediating with their security controls to close that particular door. We have an opportunity at the moment. The old cliché is closing the stable door before the horse has bolted. We have an opportunity at the moment: this horse, this Iranian horse, is yet to bolt. Please lock and bolt your stable doors. I mentioned a list of attack groups earlier as well. At SafeBreach, we have seventeen distinct Iranian threat actor playbooks, code books. I'd recommend running all of those on a scheduled, continuous basis. We have at least eleven government advisories concerning Iranian attack groups with actionable attack code; again, I'd recommend exercising all of those and remediating any vulnerabilities that you have that are caught by these scenarios and playbooks. Now is the time. You know, the advisory is very specific and very intelligence-informed. Now is the time to increase your resilience against these groups.

Tova: Yeah. That's a good point, Adrian. And if you're a current SafeBreach customer who's listening to this episode, there are two things that you can do, by the way. One, you can look at the FBI advisory and cross-reference for the specific attacks that we are describing here today and run them through the platform. Or, on the off chance you're listening to this and it is at least a few days after this episode, you may see a preset scenario in your console. Just go ahead and run it. It has everything included. One-stop shop.

Adrian: Absolutely, Tova. Also, reach out to your customer success team. They're all fully briefed on this. They'll happily guide you through this as well. There is a lot of goodness, a lot you can be doing to harden yourself and increase your resilience before you're attacked.

Tova: The Cyber Resilience Brief is a SafeBreach podcast produced by Tova Devoreen and executive produced by Adrian Culley. Sound design provided by Adobe Podcasts. Distribution provided by Podbean, and extra support and love from the SafeBreach team. For more information on how adversarial exposure validation through SafeBreach can protect you and your business, no matter where you reside or what industry you're in, please visit us at www.safebreach.com.