Iran may follow up its ballistic-missile response to the killing of Qassim Suleimani with more subtle, less attributable attacks, according to the latest conventional wisdom. A principal weapon may be cyberattacks, and many experts advise us to prepare for them. But will this affect our organizations?
Are nonprofits, foundations and NGOs strategic targets? My reading of the experts comes up with a “probably not, but maybe…”
To start off, Iran neither has the capacity nor the motivation to launch major destruction that would take lives in the United States. As Director Samuel S. Visner of the National Cybersecurity Federally Funded Research and Development Center (FFRDC) — managed by nonprofit MITRE, in support of the NIST National Cybersecurity Center of Excellence — said, causing significant loss of life, along with crippling infrastructure, would be tantamount to acts of war.
“Whatever Iran does,” said Visner, “they don’t want this to be out of control. They are careful. Even if they appear provocative, they are not idiots.”
A Record of Cyber Attacks
On the other hand, Iran has a long record of more modest cyber aggression. Among other activities, it has targeted the U.S. financial sector with Distributed Denial of Service (DDOS) attacks. It has stolen data and wiped computers at the Sands Las Vegas Corporation owned by Sheldon Adelson. It also gained unauthorized access to the control and data acquisition systems of the Bowman Dam in Rye, New York.
Various Iranian groups have also attacked national newspapers, government ministries and academia with “watering hole” attacks, where malware is left for visitors. Other groups have targeted the oil, telecoms and travel industries.
Interestingly, Microsoft reported in July 2019 that it had detected almost 800 cyberattacks over the previous year targeting think tanks, NGOs, and other political organizations around the world. Most attacks originated in Iran, North Korea, and Russia.
Except for the attacks on universities and the ones mentioned by Microsoft, however, nonprofits and foundations are not considered to be as likely targets as the other industries mentioned. In most cases, threats to nonprofits aren’t mentioned at all.
So What’s the Risk?
CERT and others have issued alerts to organizations in general. Included are recommended actions to prepare for the types of attacks that can be expected, both from CERT and here .
As FFRDC Director Visner put it, “Use this as an opportunity to stimulate your organization to get its act together and not allow itself to be vulnerable to organizations with sophisticated, and even unsophisticated, cyber exploits.”