Water ISAC Encourages Vigilance for Potential Retaliatory Iranian Cyber Activity



WaterISAC Members:

In response to recent geopolitical events, WaterISAC encourages its members to be vigilant for potential threats to their facilities and operations. As reported in the news, earlier today the U.S. military launched a strike in Iraq that killed Major General Qassem Soleimani, who led the Quds Force of Iran's Islamic Revolutionary Guard Corps (IRGC) (read more at the Associated Press, The New York Times, and The Washington Post). Soleimani was one of Iran's top commanders and a major player in its military and intelligence operations abroad. Iran has vowed to retaliate against the U.S. for his death, although it has not specified what actions it intends to take.

WaterISAC has previously advised its members of the possibility of malicious activity by Iran, particularly in the cyber realm, against U.S.-based entities in retaliation for actions against the regime. In early April 2019, it reported on a TLP:GREEN Private Industry Notification (PIN) from the FBI following the U.S. government's designation of the IRGC as a foreign terrorist organization. The PIN assessed cyber actors operating in Iran could potentially take a variety of measures, from scanning networks for potential vulnerabilities to data deletion attacks, and it discussed the capabilities of Iranian cyber actors and offered recommended measures to deter unauthorized access to networks.

More recently, in late June 2019, WaterISAC communicated to its members about an advisory issued by Chris Krebs, the director of the U.S. Department of Homeland Security’s (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), in which he indicated his agency was aware of “a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.” Krebs highlighted “destructive ‘wiper’ attacks” as a type of activity these threat actors are using increasingly. He stated, "These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing." Krebs added, "In times like these it’s important to make sure you’ve shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident - take it seriously and act quickly." He reminded his audience of CISA's tips and best practices for staying safe online, some of which WaterISAC highlighted in its posting on the portal about Krebs' advisory.

Additionally, WaterISAC recommends members ensure basic cybersecurity hygiene practices are in place, such as implementing strong passwords and patching software. WaterISAC also recommends members remind their organizations about the importance of not clicking links in emails from senders they do not know. For more best practices, consult WaterISAC’s 15 Cybersecurity Fundamentals for Water and Wastewater Utilities.

Please report any malicious or suspicious activities to WaterISAC at analyst@waterisac.org or 866-H2O-ISAC as well as to the appropriate authorities, including the FBI (via a local field office or cywatch@fbi.gov) and DHS CISA (via its online reporting form, email at CISAservicedesk@cisa.dhs.gov, or phone at 888-282-0870).

WaterISAC will continue to monitor for additional information and share as appropriate.


Charles Egli

Lead Analyst

Water Information Sharing and Analysis Center (WaterISAC)

24-hr: 866-H2O-ISAC

Office: 202-331-0469

Mobile: 919-619-1750