Full Report
As combat operations that began on February 28 with joint US-Israeli strikes on Iran's military and leadership continue, cybersecurity analysts are turning their attention to how this 21st-century conflict is unfolding in the digital domain.
Analysis Summary
# Incident Report: Cyber Operations in the 2024 Iran Crisis
## Executive Summary
Following the commencement of joint US-Israeli kinetic military operations against Iran on February 28, a parallel escalation in the digital domain was observed. Iranian state-sponsored actors and affiliated "hacktivist" groups launched a series of retaliatory cyberattacks—including data wipers and ransomware-themed disruptions—targeting critical infrastructure and regional allies. The operations demonstrate a shift from traditional espionage to high-impact "influence and destroy" missions.
## Incident Details
- **Discovery Date:** February 28, 2024 (Coinciding with kinetic strikes)
- **Incident Date:** February 28, 2024 – Ongoing
- **Affected Organization:** Multiple (Critical Infrastructure, Government, Finance)
- **Sector:** Multi-sector (Energy, Utilities, Government, Defense)
- **Geography:** Iran, Israel, United States, and broader Middle East
## Timeline of Events
### Initial Access
- **Date/Time:** February 28, 2024 (Post-kinetic strike commencement)
- **Vector:** Exploitation of edge devices and social engineering.
- **Details:** Attackers utilized known vulnerabilities in VPN concentrators and public-facing web servers, alongside targeted spear-phishing campaigns.
### Lateral Movement
- Usage of legitimate Remote Monitoring and Management (RMM) tools (AnyDesk, RemoteUtilities) to bypass traditional security alerts.
- Credential harvesting via Mimikatz-style memory dumping and exploitation of cached service account credentials.
### Data Exfiltration/Impact
- **Destructive Payloads:** Deployment of wiper malware (e.g., utilizing `elrawdsk.sys` drivers) to render systems unbootable.
- **Influence Operations:** Exfiltration of sensitive data subsequently leaked on Telegram channels to demoralize civilian populations.
### Detection & Response
- **Discovery:** Detected via anomalies in outbound VPN traffic to Iranian exit nodes and the unauthorized presence of RMM tools.
- **Response:** Global cybersecurity firms (SpiderLabs) provided hunting queries and active monitoring for precursor activities like "PhysicalDrive" access.
## Attack Methodology
- **Initial Access:** Exploitation of N-day vulnerabilities and spear-phishing.
- **Persistence:** Unauthorized use of RMM tools (AnyDesk/RemoteUtilities) and scheduled tasks.
- **Privilege Escalation:** Exploitation of service accounts and illicit token usage.
- **Defense Evasion:** Use of legitimate drivers (ELDOS) for low-level disk access to bypass AV/EDR.
- **Credential Access:** Memory scraping and harvesting from compromised VPN gateways.
- **Discovery:** Internal network scanning and Active Directory enumeration.
- **Lateral Movement:** RDP hijacking and RMM tool deployment.
- **Collection:** Automated staging of document repositories and SQL database exports.
- **Exfiltration:** Use of cloud storage providers and Iranian-based VPN exit nodes.
- **Impact:** Deployment of disk-wiping malware and "false-flag" ransomware.
## Impact Assessment
- **Financial:** Significant costs associated with IR and system restoration for targeted utilities.
- **Data Breach:** High volume of government personnel data leaked via hacktivist channels.
- **Operational:** Disruption of industrial control systems (ICS) and public-facing utility services.
- **Reputational:** Erosion of public trust through highly visible digital defacements.
## Indicators of Compromise
- **Network Indicators:**
  - Unauthorized traffic to/from known Iranian VPN exit nodes.
  - Unexpected outbound connections from RMM tools (AnyDesk, RemoteUtilities).
- **File Indicators:**
  - `elrawdsk.sys` (Raw disk access driver used for wiping).
  - `eldos.sys`
  - `trksvr.exe` (Disguised destructive payloads).
- **Behavioral Indicators:**
  - Usage of `PhysicalDrive0` in command line arguments by non-system processes.
  - Scheduled tasks (`schtasks`) created outside of standard maintenance windows (e.g., post-20:00 local time).
## Response Actions
- **Containment:** Disconnection of compromised edge devices and revocation of all VPN sessions.
- **Eradication:** Removal of unauthorized RMM software and driver-level blocklisting for ELDOS components.
- **Recovery:** Restoration of master boot records (MBR) and data from offline backups.
## Lessons Learned
- **Cyber-Kinetic Convergence:** Cyber operations are now a primary retaliatory tool used immediately following kinetic military action.
- **Living off the Land (LotL):** The reliance on legitimate RMM tools makes detection difficult without behavioral analytics.
- **Precursor Identification:** Destructive attacks are often preceded by specific disk-access drivers; monitoring for these files can prevent total data loss.
## Recommendations
- **MDR/EDR Hardening:** Implement specific detection rules for `elrawdsk.sys` and unauthorized RMM tool execution.
- **Vulnerability Management:** Prioritize patching of all edge-facing assets (Pulse Secure, Fortinet, Citrix).
- **Network Segmentation:** Isolate critical infrastructure/OT environments from the corporate network to prevent lateral movement of wipers.
- **Monitoring:** Implement geofencing or alerts for any authentication attempts stemming from Iranian-affiliated IP space.
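The file and behavioral indicators listed above and the detection rules recommended for `elrawdsk.sys` and unauthorized RMM execution can be expressed as a small rule set over endpoint telemetry. The following is an added example, not code from the report or from any vendor named in it; the event schema (`type`, `time`, `user`, `image`, `cmdline`), the sample events and the 06:00-20:00 maintenance window are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample telemetry (not taken from the report); the field names are an
# assumed, simplified EDR schema. Times are local time, as the report's indicator uses.
SAMPLE_EVENTS = [
    {"type": "process", "time": "2024-02-28T21:15:00", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn Updater /tr C:\Temp\trksvr.exe /sc onlogon"},
    {"type": "process", "time": "2024-02-28T21:16:30", "user": r"CORP\jdoe",
     "image": r"C:\Temp\trksvr.exe", "cmdline": r"trksvr.exe \\.\PhysicalDrive0"},
    {"type": "driver", "time": "2024-02-28T21:16:31", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\Temp\elrawdsk.sys", "cmdline": ""},
    {"type": "process", "time": "2024-02-28T14:02:00", "user": r"CORP\helpdesk",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"type": "process", "time": "2024-02-28T10:00:00", "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

RAW_DISK_DRIVERS = {"elrawdsk.sys", "eldos.sys"}   # file indicators from the report
WIPER_BINARIES = {"trksvr.exe"}                    # disguised payload name from the report
RMM_MARKERS = ("anydesk", "remoteutilities")       # RMM tools named in the report
SYSTEM_USERS = {r"NT AUTHORITY\SYSTEM", r"NT AUTHORITY\LOCAL SERVICE",
                r"NT AUTHORITY\NETWORK SERVICE"}
MAINTENANCE_WINDOW = (6, 20)   # assumed: task creation expected only 06:00-19:59 local
PHYSICALDRIVE_RE = re.compile(r"PhysicalDrive\d+", re.IGNORECASE)

def basename(path):
    # Windows paths: split on backslashes regardless of the host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def evaluate(event):
    """Return the names of every rule that fires for a single event."""
    hits = []
    name = basename(event["image"])
    hour = datetime.fromisoformat(event["time"]).hour
    if event["type"] == "driver" and name in RAW_DISK_DRIVERS:
        hits.append("raw_disk_driver_load")
    if name in WIPER_BINARIES:
        hits.append("known_wiper_binary")
    if (event["type"] == "process" and PHYSICALDRIVE_RE.search(event["cmdline"])
            and event["user"] not in SYSTEM_USERS):
        hits.append("physicaldrive_from_non_system")
    if (name == "schtasks.exe" and "/create" in event["cmdline"].lower()
            and not MAINTENANCE_WINDOW[0] <= hour < MAINTENANCE_WINDOW[1]):
        hits.append("schtasks_outside_maintenance_window")
    if any(marker in name for marker in RMM_MARKERS):
        hits.append("unauthorized_rmm_execution")
    return hits

def detect(events):
    """Run every rule over a batch and return (rule, time, image) alert tuples."""
    return [(rule, e["time"], e["image"]) for e in events for rule in evaluate(e)]
```

Running `detect(SAMPLE_EVENTS)` yields five alerts: the off-hours task creation, the wiper binary with its raw-disk argument, the driver load, and the AnyDesk execution, while the SYSTEM-owned `svchost.exe` event is silent.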