General Ghassem Soleimani in his life achieved great victories over Iran’s enemies and he died and achieved martyrdom in this path. Iranians expect revenge on the U.S. in the name of the martyr Haj Ghassem Soleimani and expect a cyber-attack to be part of the response. For this reason it is not a surprise that Iranian hackers defaced a U.S. government website in an act of revenge. It is unlikely that this defacement was part of a coordinated activity but probably was an opportunistic and isolated attack. The website defacement caused a big response in social media but probably not for the reasons that the hackers expected.
Details of the defacement
On Saturday the homepage for the Federal Depository Library Program (FDLP) changed for a short time. An amusing image of President Trump hit in the face by an arm with the IRGC logo was displayed with messages in both persian and english. The text confirm that the defacement retaliated against the criminals which murdered General Ghassem Soleimani and included Imam Khamenei’s statement of revenge. The website was taken down and the message was removed.
Image of the FDLP website defacement
What is the FDLP?
The FDLP gives free access to the U.S. federal government information. Hacking any U.S. .gov domain is considered a success by hackers but the FDLP website is not one of the most important of U.S. government website and this is probably the reason why it is hosted externally and not on government servers, which could have made it easier to hack.
Who made the defacement?
The text in the defacement stated that the website was hacked by a group called the Iran Cyber Security Group Hackers. It is not known if any other websites were targeted by the hackers. The limited scale and the limited impact of the activity suggests that this was not part of a coordinated large attack by a government-backed hacking group. The defacement text also states that the attack is only a small part of Iran’s cyber ability which is certain to be true.
Method of attack?
Some of the social media users expressed views about the method of attack. Some people suggested the attack was a DNS hijack but others suggested that it was more likely that the attack was conducted by a vulnerability in the content management system. The website was created with Joomla (a free website builder) and a number of the plug-ins were not updated so it is likely that a open source exploit was used to deface the website. It is possible also that the website admin just used weak login credentials that allowed the attackers access, or the hackers might have taken credentials through phishing emails, that is a tactic that the Iranian hacking groups are known to use frequently.
Unexpected social media response but Iranians are left with a smile
When news of the hack was first announced on social media there were some responses of alarm that were followed sometimes with the #WWIII hashtag. These were the first responses but they were quickly outnumbered in responses from users who did not know what the FDLP is. This question about what the FDLP is caused some users to laugh at the Iranian hackers for their choice of such a unknown target and some users tweeted with a false show of fear. This is not the reaction that the hackers would want but it is interesting that American users then questioned why they are paying millions of dollars of tax for the FDLP if only a small number of people know what it is. This was probably an unexpected result of the defacement and not a devious plan from the hackers to show wasteful government spending, although the hackers will be happy with this response and with their success to hack into a .gov website.
What will the real cyber response be?
The defacement was symbolic and did not achieve significant damage to the U.S. but their government will now be on alert for Iran’s next cyber act. It is likely that Americans are most afraid that Iran will attempt to attack U.S. infrastructure and industrial processes and a report from microsoft’s threat intelligence group in November 2019 indicated that at the least, one Iranian hacking group has started already to do this. The microsoft report stated that ATP 33 targeted Industrial Control Systems (ICS) the physical infrastructure used to operate and automate industrial processes, although the security researchers did not identify if the ultimate aim of this activity was information gathering or a disruptive cyber-attack or a destructive cyber-attack.
A more coordinated Iranian cyber response is expected to happen soon and we could find that the open hostility we see now means the attackers want to send a message to the U.S. and are no longer so concerned with hiding their identity. We should hope that this response sends a message of defiance but does not cause an escalation of cyber warfare that becomes out of control.