GEOPOLITICAL TENSIONS AND THREATS

Priority: Medium

Executive Summary: Recent developments in the Middle East

Using ITC’s advanced Threat Intelligence tools, the ITC Secure Security Operations Centre (SOC) constantly monitors all our customers. Our alerting is configured to trigger on any potential hacking or defacement of websites related to our customers, or on market related issues.

On January 3rd, the State Department of the United States officially designated Iraqi militia Asa’ib Ahl al-Haq (AAH) as a terrorist organisation. AAH has been active in Iraq since the Iraq War and a number of attacks on US and allied forces have been attributed to it. AAH, like other high-profile militias in Iraq, is deeply connected to Iraqi economic and governing elites as well as to the government of Iran. AAH is funded and trained by the Quds Force, the branch of Iran’s Islamic Revolutionary Guard Corps (IRGC) that specialises in covert operations and unconventional warfare.

The designation came the day after the United States carried out an airstrike that killed Qasem Soleimani, head of the Quds Force. Also killed in the attack was Abu Mahdi al-Muhandis, leader of the Popular Mobilisation Forces (PMF). The PMF, another powerful militia force in Iraq, was responsible for many of the civilian deaths during the suppression of protests in major Iraqi cities over the preceding several months.

In addition to the designation of AAH, the militia’s leader Qais al-Khazali and his brother Laith al-Khazali were also designated as global terrorists. Qais al-Khazali was sanctioned by the US Treasury Department on December 6th. There are unconfirmed reports on al-Arabiya News indicating that Qais al-Khazali and Hadi al-Amiri, former Iraqi Transportation Secretary and PMF commander, were arrested by US Marines in Baghdad in connection with the organisation of the December 31st attack on the American embassy in Baghdad. The initial article reporting the arrests has since been deleted.

The designation of AAH and the increased targeting of Iranian proxies and Iran-linked militias in Iraq are, at least partially, intended by the United States to force the Iraqi government and Iraqi elites to sever some, if not most or all, of their connections with these groups [1].

Since the death of Iranian military commander Qasem Soleimani, the ITC SOC has seen a marked increase in website defacements, none of them affecting our customers. The attacks seen to date do not appear to be targeted at any particular nation or industry sector; we have identified more than 60 defaced domains so far, ranging from scrap yards to humanitarian foundations.

The ITC SOC expects the majority of attacks to be targeted at American companies and federal websites [1]; however, the tactics being employed are designed to generate the largest possible media coverage of the commander’s death, so we anticipate attacks reaching beyond US targets.

Detect: The ITC Secure SOC is monitoring all managed-services customers via our threat intelligence tool and will alert customers in the event of an attack. If you would like additional threat intelligence coverage, please talk to your Account Manager or Service Manager.

Prevent:

  • Be aware; expect to see more attempted attacks, including phishing emails and web defacement
  • Increase organisational vigilance; warn staff to expect more malicious activity
  • Ensure staff know and understand how to raise any suspicious activity
  • Ensure anti-virus or EDR protections are updated
  • Ensure all patching is as up to date as possible across all technologies
  • Consider blocking traffic from Iran at the network edge
  • Contact ITC for support and advice if you are unsure

ITC has also been made aware of 237 IPs [3] that represent potential threat traffic from suspected Iranian IP networks. We at ITC have blocked these and recommend blocking them where applicable to your network.
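The following is an added example, not part of ITC’s advisory or its tooling, of how a defender can consume a plain-text IP list such as the one referenced above: parse and validate the entries (silently skipping malformed lines), merge overlapping ranges, emit firewall deny rules, and sweep existing web-server access logs for hits from the listed ranges so that earlier contact can be investigated. The blocklist entries and log lines embedded here are constructed from documentation address ranges; the file format (one IP or CIDR per line, `#` comments) is an assumption, as is the iptables rule shape.

```python
import ipaddress
import re

# Constructed sample blocklist in an assumed one-entry-per-line format.
# These are documentation/test ranges, NOT the IPs referenced in the advisory.
SAMPLE_BLOCKLIST = """
# constructed example entries
203.0.113.0/24
198.51.100.7
bogus-entry
192.0.2.0/25
"""

# Constructed Apache/nginx-style access log lines for the sweep.
SAMPLE_LOG = [
    '203.0.113.45 - - [05/Jan/2020:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [05/Jan/2020:10:12:05 +0000] "POST /wp-login.php HTTP/1.1" 403 12',
    '192.0.2.200 - - [05/Jan/2020:10:13:00 +0000] "GET / HTTP/1.1" 200 1024',
    '10.0.0.5 - - [05/Jan/2020:10:13:10 +0000] "GET /about HTTP/1.1" 200 300',
    'garbage line that does not parse',
]

# Common log format: client IP, identd, user, [timestamp], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" (\d{3})')


def parse_blocklist(text):
    """Parse a text blocklist into validated, collapsed ip_network objects.

    Blank lines, comments and unparseable entries are skipped rather than
    aborting the whole import, so one bad line cannot leave you unprotected.
    Overlapping or adjacent ranges are merged per address family.
    """
    v4, v6 = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed entry: skip it
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses rejects mixed versions, so merge each family separately
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def to_iptables_rules(networks, chain="INPUT"):
    """Render one DROP rule per network (assumed iptables syntax)."""
    return [f"iptables -A {chain} -s {net.with_prefixlen} -j DROP" for net in networks]


def find_blocked_hits(log_lines, networks):
    """Return (client_ip, matched_network, request) for each log line whose
    client address falls inside any blocklisted range."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: ignore
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        for net in networks:
            if addr in net:  # version mismatch simply evaluates False
                hits.append((str(addr), str(net), m.group(2)))
                break
    return hits


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_BLOCKLIST)
    for rule in to_iptables_rules(nets):
        print(rule)
    for ip, net, req in find_blocked_hits(SAMPLE_LOG, nets):
        print(f"prior contact from {ip} (in {net}): {req}")
```

Run the sweep over archived logs before the block goes in: a hit against a blocklisted range tells you the edge rule is closing a door that was already knocked on, which is what turns a preventive control into an incident lead.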

For our Managed Service customers, the ITC SOC will review the required changes and contact customers accordingly.

React: In the event of an attack, ITC Secure will follow the Severity 1 incident process.

Sources:
[1] https://www.recordedfuture.com/leading-threat-research/ (RF Insikt Group)
[2] https://www.bbc.com/news/technology-51008811
[3] http://itcsecure.com/wp-content/uploads/2020/01/ir-ip-list.txt