March 7, 2021

Volume XI, Number 66



Is Your Business Prepared For A Possible Iranian Retaliatory Cyberattack?

Current tensions between Iran and the United States, coupled with Iran’s history of retaliatory cyber activities, have prompted the U.S. government to issue warnings about the possibility of such cyberattacks.

On Jan. 2, 2020, the United States carried out a lethal strike in Iraq, killing a top Iranian general. In response, Iranian leadership and several affiliated violent extremist organizations stated their intent to retaliate against the U.S.

The Cybersecurity and Infrastructure Security Agency (CISA) recently issued an alert, “Potential for Iranian Cyber Response to U.S. Military Strike in Baghdad,” which recounts numerous prior actions by Iran through its Islamic Revolutionary Guard Corps (IRGC) against a variety of American industries, “including financial services, energy, government facilities, chemical, healthcare, critical manufacturing, communications, and the defense industrial base.” For example:

  • In late 2011 to mid-2013, Iranian actors performing work on behalf of the IRGC conducted website defacement and distributed denial of service (DDoS) attacks against the public-facing websites of U.S. banks, which prevented customers from accessing their accounts and cost the banks millions of dollars in remediation

  • In February 2014, the Sands Las Vegas Corporation was hacked and customer data was stolen, including credit card, Social Security and driver’s license numbers; the corporation’s computer systems also were wiped clean

  • In March 2018, the U.S. Department of Justice (DOJ) indicted nine Iranian actors for conducting a massive cyber theft campaign of dozens of incidents involving hundreds of entities, including U.S. universities, domestic companies, the U.S. Department of Labor, the state of Hawaii, the state of Indiana, and more

The United States designated the IRGC as a Foreign Terrorist Organization on April 15, 2019, for its direct involvement in terrorist plotting. As a recent CISA bulletin discussing the terrorism threat to the U.S. notes, “Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” The bulletin further warns that an “attack in the homeland may come with little or no warning.”

Is your business prepared for a cyberattack? There are things you should consider doing to help prevent and prepare for such an incident.

  1. Increase Vigilance and Awareness: Ensure that business operations and information regarding possible threats are being carefully monitored. Assess whether there are new phishing exploits and follow best practices for restricting attachments via email.

  2. Incident Response Plan: If your business does not already have an incident response plan, one should be put in place as soon as possible. It is best practice to include protocols on how and when personnel should report an incident, so there is a playbook to follow in the event of an attack.

  3. Data Backups: A critical component to averting disaster in the event of an attack on your company’s data is to back up essential data offline regularly and appropriately. Make sure the backups are stored in an easily retrievable location and test your ability to revert to backups during an incident.

  4. Employ MFA: Implement multi-factor authentication (MFA) processes to help protect accounts.

  5. Password Strengthening: Require strong passwords with regular change intervals. Do not use the same password for multiple accounts. Do not use common names or sequences in passwords.

  6. Penetration Testing: If you have the capabilities internally, or through an experienced firm, attempt to breach the security of your business’ systems to identify vulnerabilities. Also ensure that regular scans of your systems are done.

  7. Vulnerability Patching: After you have tested your systems to assess potential vulnerabilities, any gaps in security should be patched immediately. In addition, consider an automated patch management program.

  8. Application Whitelisting: Only allow approved programs to run on your networks.

  9. Ports and Protocols: Continually monitor common ports and protocols for command and control activity. Review network security device logs regularly to determine whether to disable unnecessary ports and change protocols.

© 2020 BARNES & THORNBURG LLP

National Law Review, Volume X, Number 13



About this Author


A co-chair of the firm’s Data Security and Privacy practice, Jason Bernstein is a business adviser who helps clients develop, manage, protect and leverage their IP assets and valuable data. By offering real depth in a multitude of disciplines and industries, Jason is appreciated for his proven business acumen and creative problem-solving ability.

Inventions, innovations and information, particularly information security and privacy matters, are at the core of Jason’s practice. With more than three decades of experience, Jason advises on strategic planning for and the protection of...


Scott N. Godes is a veteran trial lawyer with deep experience in insurance coverage matters and technology issues. He is a partner in Barnes & Thornburg LLP’s Washington, D.C., office and is a member of the Litigation Department and the Policyholder Insurance Recovery and Counseling Group.


Todd G. Vare is a partner resident in the Indianapolis office of Barnes & Thornburg LLP. Mr. Vare represents clients in the protection and enforcement of intellectual property rights in trial and appellate courts around the country, and was listed in the 2012 edition of Best Lawyers in America.

Mr. Vare has litigated patent disputes covering a wide variety of technologies, including herbicides/pesticides, dielectric fluids, genetics, pharmaceuticals, medical devices, telecommunications, microprocessor and integrated circuit designs, software programs...


Brian J. McGinnis is an attorney with Barnes & Thornburg LLP where he is a member of the firm's Intellectual Property Department and the Internet and Technology and the Data Security and Privacy practice groups. He is resident in the firm’s Indianapolis office.

Brian's practice is focused at the intersection of the law and technology. He has developed a national practice advising clients ranging from multinational corporations to startups on the broad range of legal matters pertaining to technology, intellectual property protection and...