The hackers behind a “cyber attack” which hit Iranian data centres have left a message with an American flag and the warning: “Don’t mess with our elections.”
Iran’s IT minister, Mohammad Javad Azari-Jahromi, said on Friday: “Several Iranian data centres came under cyber attacks tonight. Some of the smaller routers have been changed to factory setting.”
It is not known whether any damage occurred beyond the defacement, which the minister photographed on the command-line interface of a Cisco networking switch.
The routers – which are used to network much of Iran’s critical infrastructure – were hacked when the attackers exploited a vulnerability in Cisco’s Smart Install client.
Mr Azari-Jahromi tweeted that the country held an emergency meeting as a result of the attack – although Twitter is not generally accessible to the Iranian public.
He said that the core of Iran’s National Information Network was not affected. He added that the attack revealed weaknesses in the country’s cyber-security defences.
Cisco had warned the day before that “specific advanced actors” were targeting its networking switches, which were exposed to attackers because of an issue in the Smart Install client.
It is unlikely that a lone vigilante hacker would be described as a “specific advanced actor”.
“Several incidents in multiple countries, including some specifically targeting critical infrastructure, have involved the misuse of the Smart Install protocol,” it stated.
On the same day, the UK’s National Cyber Security Centre warned that hackers were targeting companies connected to British critical national infrastructure.
Security sources told Sky News that the NCSC advisory was not related to the activity which Cisco had warned about.
An NCSC spokesperson said: “We are aware of a vulnerability affecting some Cisco devices. There is no evidence of any impact to the UK but we will continue to work with the company and actively monitor the situation.”
Cybersecurity researchers have identified the actors behind these campaigns as being based in eastern Europe; however, the hackers who hit the Iranian data centres identified themselves with the American flag.
Sky News emailed the address included in the defacement, and the person(s) in control of that address (JHT) told us “Yes, I am an American” although they did not provide proof.
The email address was registered with Tutanota, a secure webmail service based in Germany – although it could be used by anybody anywhere in the world.
According to the Iranian minister, the attack also affected a number of Cisco routers based in the US as well as China.
JHT told Sky News: “There were 55k vuln[erable Cisco switches] in the US, but were attempted to patch all of those, US systems were never attacked.”
“The intention and cause behind this attack is quite clear, I shouldn’t need to explain that,” they added – although there has been no public allegation that Iran attempted to interfere in the US presidential election.
Asked if they anticipated carrying out further activities, the attacker told us: “Not at this time.”
They did not respond when Sky News asked what election interference they believed Iran to be responsible for.
Despite the ASCII flag in the Command-Line Interface image, Iran has not attributed the attack to the US.
In a statement, Cisco told Sky News: “Cisco recently published blogs and a security response page alerting our customers about the need to ensure their network switches are properly protected against abuse of the Smart Install feature.
“Cisco has learned of a public posting that details potential abuse of this feature and has received reports of attacks when Smart Install was left enabled. As such, we’ve shared additional guidance that informs customers how to assess and protect their network.”
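For readers responsible for Cisco switches, the assessment Cisco refers to comes down to one question: is the Smart Install client listening where it should not be? The feature listens on TCP port 4786 and the protocol performs no authentication, so an unneeded client reachable from an untrusted network is exposed whether or not a software flaw is involved. The following IOS session is an added example written for this page; it is not taken from the article or from Cisco’s statement. The commands are standard Cisco IOS, but the hostname, the interface name and the 10.0.0.0/8 management range are assumptions, and the command output is abbreviated.

```cisco
! Added example: check a Cisco IOS switch for an exposed Smart Install client
! and close it. Hostname, interface and the 10.0.0.0/8 range are assumed.

! 1. Assess. Smart Install is enabled by default on many switches, so a device
!    that was never deliberately configured as a client may still be listening.
Switch# show vstack config
 Role: Client (SmartInstall enabled)
 Vstack Director IP address: 0.0.0.0
! "enabled" with no director address means the port accepts Smart Install
! messages from anyone who can reach it.

Switch# show tcp brief all
TCB       Local Address           Foreign Address        (state)
...       *.4786                  *.*                    LISTEN

! 2. Fix (preferred): disable the client wherever zero-touch provisioning is not in use.
Switch# configure terminal
Switch(config)# no vstack
Switch(config)# end
Switch# write memory
Switch# show vstack config
 Role: Client (SmartInstall disabled)

! 3. Fix (if Smart Install must stay on): allow TCP/4786 only from the management
!    network, applied inbound on the interface facing untrusted networks.
Switch# configure terminal
Switch(config)# ip access-list extended SMI-FILTER
Switch(config-ext-nacl)# permit tcp 10.0.0.0 0.255.255.255 any eq 4786
Switch(config-ext-nacl)# deny tcp any any eq 4786
Switch(config-ext-nacl)# permit ip any any
Switch(config-ext-nacl)# exit
Switch(config)# interface GigabitEthernet1/0/48
Switch(config-if)# ip access-group SMI-FILTER in
Switch(config-if)# end
Switch# write memory
```

Two caveats. Re-run `show vstack config` after the next reload or image upgrade, since the disabled state has not always survived both on every IOS release; and treat the ACL as a stop-gap rather than a substitute for turning the feature off, because it only helps on interfaces where it is actually applied.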