According to a report by Online Economy, quoted by Khabar Online, it should first be noted that three of the four banks mentioned were operating on the "Iran Access" platform and had no direct connection to the public Internet. In the Iran Access architecture, a bank's operational systems are reachable only through the National Information Network and a limited set of controlled communication paths; they cannot be reached directly from the global Internet. Attributing the security incident to "Internet connectivity" under these conditions is therefore technically very doubtful.
In the cyber security literature, an intrusion does not necessarily arrive over the Internet. Many of today's advanced attacks come through the supply chain: infected equipment, manipulated hardware, backdoored software, or network devices already implanted with malware before they are deployed. In such scenarios the attacker may have established initial access to the target's infrastructure months or even years before the main attack is carried out.
Based on the published technical evidence, the origin of the recent incident is more plausibly the presence of compromised equipment or infrastructure components that entered the country during a certain period before the current government took office, rather than the current state of Internet connectivity. Attacks of this type are known as Advanced Persistent Threats (APT): the attacker maintains a hidden presence in the victim's infrastructure for a long time and carries out the operational phase of the attack at a moment of its own choosing.
From a technical point of view, cutting off the Internet or restricting international access does not guarantee security either. Global experience shows that major security incidents have occurred in fully isolated (air-gapped) networks. The best-known example is the Stuxnet malware, which reached its target network through infected equipment and removable media without needing a direct Internet connection. Cyber security is therefore a function of the quality of the security architecture, asset management, equipment patching and upgrades, supply-chain control, continuous monitoring, and the capabilities of the security operations center (SOC), not simply of whether an Internet connection exists.
From an expert's point of view, treating the Internet as the main cause of such incidents oversimplifies a complex security problem. The key questions should concern the source of the infected equipment, the procurement and acquisition processes, how the security of imported equipment was assessed, possible weaknesses in the supply chain, and the capability to detect and counter advanced threats.
Media narrative-building appears to be a way of brushing aside the main questions that need to be answered.
Securing the country's banking infrastructure requires a "Zero Trust" approach, continuous auditing of equipment, security assessment of the supply chain, intelligent monitoring of network traffic, and stronger capabilities for detecting advanced threats. Within such a framework, technical analysis should rest on expert evidence and data and avoid the politicization of security incidents, which can divert public opinion from the real roots of the threat.
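As an added illustration (not code from the article, from Online Economy, or from any bank) of what "intelligent monitoring of network traffic" and "detection of advanced threats" mean in practice for a segment that is supposed to reach only controlled routes: the script below checks constructed flow records against a hypothetical egress allowlist and, separately, flags near-periodic, low-jitter contact with a permitted host, which is the pattern a long-dormant implant on a compromised appliance tends to show when it beacons through sanctioned paths. The allowlist ranges, IP addresses, ports and flow lines are all assumptions made for this example.

```python
"""
Egress-allowlist and beaconing check for an isolated ("Iran Access"-style)
network segment, run over constructed flow records.
Added illustration, not code from the article or from any bank.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed: the only destinations the bank's core segment may reach.
# Hypothetical ranges; the article names no addresses.
ALLOWED_DESTINATIONS = [
    ip_network("10.50.0.0/16"),   # hypothetical national-network gateway range
    ip_network("10.60.1.0/24"),   # hypothetical partner switch
]

# Constructed flow log lines: "epoch_seconds src_ip dst_ip dst_port bytes".
# 10.10.1.25 contacts a permitted host every 60 s with almost no jitter;
# 10.10.1.30 makes one connection to an address outside the allowlist.
SAMPLE_FLOWS = """
1700000000 10.10.1.25 10.50.3.4 443 5120
1700000060 10.10.1.25 10.50.3.4 443 4880
1700000120 10.10.1.25 10.50.3.4 443 5001
1700000180 10.10.1.25 10.50.3.4 443 4990
1700000240 10.10.1.25 10.50.3.4 443 5100
1700000300 10.10.1.25 10.50.3.4 443 5050
1700000017 10.10.1.30 10.60.1.7 8443 122000
1700003331 10.10.1.30 10.60.1.7 8443 98000
1700000420 10.10.1.30 203.0.113.9 443 300
1700000900 10.10.1.31 10.60.1.7 8443 4500
""".strip().splitlines()


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, port, nbytes = line.split()
    return int(ts), ip_address(src), ip_address(dst), int(port), int(nbytes)


def is_allowed(dst):
    return any(dst in net for net in ALLOWED_DESTINATIONS)


def find_egress_violations(lines):
    """Flows to any destination outside the allowlist. On a segment that is
    supposed to have no path to the public Internet, even one such flow means
    either a misconfiguration or a device that has a route it should not have."""
    return [(ts, str(src), str(dst), port)
            for ts, src, dst, port, _ in map(parse_flow, lines)
            if not is_allowed(dst)]


def find_beacons(lines, min_flows=5, max_cv=0.10):
    """Flag (src, dst, port) tuples whose inter-arrival times are nearly
    constant (coefficient of variation of the gaps <= max_cv). Periodic,
    low-jitter contact with a permitted host is how an implant on a
    compromised appliance can blend into sanctioned traffic."""
    groups = defaultdict(list)
    for ts, src, dst, port, _ in map(parse_flow, lines):
        groups[(str(src), str(dst), port)].append(ts)
    beacons = []
    for key, stamps in groups.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            beacons.append((key, round(avg, 1)))
    return beacons


if __name__ == "__main__":
    for v in find_egress_violations(SAMPLE_FLOWS):
        print("egress outside allowlist:", v)
    for b in find_beacons(SAMPLE_FLOWS):
        print("periodic beacon:", b)
```

The two checks are deliberately independent: the allowlist catches a device that has acquired a route it should not have, while the jitter check catches a device that stays inside the permitted routes but talks on a machine-like schedule. Thresholds such as `min_flows` and `max_cv` are tuning choices, not values from the article, and in production they would be set from a baseline of the segment's normal traffic.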
In conclusion, attributing the recent banking incidents to Internet connectivity, when most of the affected systems had no direct access to the Internet in the first place, is inconsistent with the technical principles of network security. The available evidence points instead to the role of compromised equipment or components in the supply chain and to long-term, covert intrusions; a matter that requires a specialized, methodical and non-political investigation by the institutions responsible for the country's cyber security.