The New York State Department of Financial Services ("NYDFS") urged regulated financial institutions to prepare for cyberattacks originating from the Iranian government.

Noting Iran's vow to retaliate against the United States for the death of Qassem Soleimani, the NYDFS stated there is "a heightened risk of cyber attacks from hackers affiliated with the Iranian government." The NYDFS also noted a U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency advisory issued in June 2019 warning of a rise in malicious Iranian cyber activity.

According to the NYDFS, typical Iranian-sponsored hacking tactics include (i) email phishing, (ii) credential stuffing, (iii) password spraying and (iv) the targeting of unpatched devices. The NYDFS "strongly recommend[ed]" that financial institutions prepare for such tactics by:

  • addressing all vulnerabilities, especially any publicly disclosed vulnerabilities;

  • ensuring that employees know how to respond to phishing attacks;

  • fully implementing multifactor authentication;

  • reviewing and updating disaster recovery plans;

  • quickly responding to any further alerts; and

  • ensuring that any alerts or incidents - particularly those occurring after regular business hours - are quickly addressed.

In the event of a cyberattack, the NYDFS urged financial institutions to report the incident within 72 hours.

Commentary

While the threat of serious state-sponsored cyberattacks should always be a concern to financial institutions, the specific threat from Iran is now even more pronounced due to fears of retaliation for the recent killing of Qassem Soleimani by American military forces. Firms should take the NYDFS alert to heart going forward, and take enhanced steps to guard against ransomware, spear-phishing, and others forms of attacks aimed at deleting data and disrupting operations. Victims who would otherwise hesitate to involve the FBI, DHS, or other law enforcement in responding to a cyberattack may want to reconsider that position and have contacts at the ready in the event the worst takes place. It is also an opportunity to consider policies for sharing threat information among colleague firms with similar threat profiles. While it remains unlikely Iran has the capabilities of Russia or China to truly debilitate the U.S. financial sector and other critical infrastructure, its cyber offensive resources are nonetheless considerable and attacks have the potential to be extremely destructive.