Written by Sean Lyngaas

The FBI has told U.S. companies that Iranian hackers have stepped up their probing and reconnaissance activity in the days since the U.S. military killed Iranian Maj. Gen. Qassem Soleimani.

In an advisory to industry this week obtained by CyberScoop, the FBI warned that Iranian hackers could target cleared defense contractors, government agencies, academia and nongovernmental organizations focused on Iran issues.

The FBI assesses that Iranian hackers could use “a range of computer network operations against U.S.-based networks in retaliation for last week’s strikes against Iranian military leadership,” says the memo, which is labeled “TLP White,” meaning its recipients can distribute it liberally.

The Jan. 9 alert did not elaborate on the nature of the increased Iranian “cyber reconnaissance activity” that the FBI says has occurred since Soleimani’s killing, nor did it mention any Iranian breaches of networks as part of that activity.

FBI alert follows others

The FBI joins a chorus of U.S. officials and private-sector experts warning of Iran’s ability to retaliate in cyberspace for the Jan. 3 killing of Soleimani, who led Iran’s elite Quds Force. Earlier this week, the Department of Homeland Security released a public advisory urging organizations to consider whether they make an attractive target for Tehran’s hackers and to be wary of the threat of data-wiping hacks. U.S. officials and corporate executives say they are remaining vigilant in the face of the threat.

In its advisory, the FBI also appeared to debunk a fallacy spreading in some news coverage of Iranian activity: that web-scanning from an Iranian IP address is somehow inherently a hacking attempt.

“Malicious activity and reconnaissance may not necessarily occur from Iranian Internet Protocol space, as actors may utilize midpoint infrastructure in other countries,” the FBI advisory says. “As such, traffic from Iranian IP addresses may not be indicative of malicious activity.”

VPN exploits

The memo includes technical advice on Iranian hackers’ affinity for exploiting vulnerabilities in virtual private network applications. The Iranians have previously tried to exploit two VPN vulnerabilities, including a well-known flaw in a Pulse Secure application, to gain a foothold in networks, according to the FBI.

“The FBI assesses this targeting, which has occurred since late 2019, is broadly scoped and has affected numerous sectors in the United States and other countries,” the advisory says.

On Friday, DHS’s Cybersecurity and Infrastructure Security Agency issued a renewed warning about the Pulse Secure vulnerability and said it expects attacks exploiting the flaw to continue. That advisory was general in nature and did not mention Iran.

One example of the risk posed by that type of VPN exploitation came late last month, when suspected Iranian hackers executed data-wiping malware on an unnamed Middle Eastern organization’s network, according to Saudi Arabia’s National Cybersecurity Authority. The attackers spent months on the network after apparently breaking in through a VPN flaw.

The FBI did not respond to a request for comment on the advisory.