Cyber Incident Victim: Tivit
Date: Dec 2018
Location: Iran
Summary
A global cyber attack hit networks in multiple countries, including Iran, by abusing a known and already patchable weakness in the Smart Install feature of Cisco switches; the affected organisations had left the fixes uninstalled over a national holiday. The attackers replaced the devices' configuration with an image of a U.S. flag and the message "Don't mess with our elections", cutting internet service for subscribers. Roughly 200,000 Cisco devices were affected worldwide, 3,500 of them in Iran. The disruption mainly hit internet service providers and took the form of temporary access outages; it was contained within hours with no data loss reported. Iranian authorities acknowledged weaknesses in their own response coordination while pointing out that the attack also hit devices in the United States, China and Europe.
Description
On December 14, 2018, a global cyber attack disrupted networks in multiple countries, including Iran, the United States, China, India and several European states. The attackers targeted Cisco's Smart Install feature, a plug-and-play provisioning service whose client listens on TCP port 4786 on Cisco switches. Where the client is left enabled and reachable, it accepts configuration and image-management commands from any host that connects, which is exactly the exposure Cisco had warned about and shipped fixes for. Approximately 200,000 devices were compromised worldwide; Iran reported 3,500 affected devices, about 2% of the global total. Internet service providers running the affected switches suffered outages that cut off web access for their subscribers. In Iran the intrusion was detected late on Friday, when operators found compromised devices showing an image of a U.S. flag with the message "Don't mess with our elections". Iranian authorities attributed the breach to unpatched systems, noting that some organisations had not installed Cisco's security updates during the Iranian New Year holiday period. Cisco's Talos Security Intelligence team had publicly addressed the Smart Install risk days before the attack, urging customers to patch, disable the feature where it was not needed, or restrict access to it, with particular attention to critical infrastructure.

Iran's Communication and Information Technology Ministry confirmed the scope of the attack in an official statement carried by the state news agency IRNA. IT Minister Mohammad Javad Azari-Jahromi posted photographs of the hackers' U.S. flag imagery on Twitter but said the perpetrators' identity had not been verified. He reported that other regions were hit far harder, citing 55,000 compromised devices in the United States and 14,000 in China. MAHER, Iran's national computer emergency response team, was criticised for communicating slowly with affected companies during the incident. Hadi Sajadi, deputy head of Iran's Information Technology Organisation, said that technical teams had neutralised the attack within hours and that no data was lost. Service disruption was limited to temporary loss of internet access for subscribers; no long-term infrastructure damage was reported, and no compromise beyond the rewriting of the switch configurations was identified. After the attack Cisco reiterated its security advisories and pointed customers to the available remediation: install the updates, disable the Smart Install client with `no vstack` on devices that do not need it, and restrict TCP port 4786 to trusted management hosts on those that do.
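The remediation described above is easy to state but tedious to verify across a fleet, since each device reports its Smart Install state through `show vstack config`. The script below is an added example, not code from the original page or from Cisco: it parses that command's output for several devices, classifies each as exposed (Smart Install client enabled with no director configured), in use (enabled with a director, or acting as director) or already disabled, and emits the matching IOS remediation. The sample outputs, the hostnames, the director address `10.0.0.1`, the management prefix and the ACL name `SMI-MGMT` are all constructed for illustration; the field wording is modelled on IOS output but should be checked against your own devices.

```python
"""Triage Cisco 'show vstack config' output and emit Smart Install remediation.

Added example; sample outputs below are constructed, not captured from real devices.
"""
import re
from dataclasses import dataclass

SMI_PORT = 4786  # TCP port on which the Smart Install client listens

# Constructed sample inventory: hostname -> text returned by `show vstack config`
SAMPLE_OUTPUT = {
    "edge-sw-01": "Role: Client (SmartInstall enabled)\n Vstack Director IP address: 0.0.0.0\n",
    "edge-sw-02": "Role: Client (SmartInstall disabled)\n Vstack Director IP address: 0.0.0.0\n",
    "core-dir-01": "Role: Director\n Vstack Director IP address: 10.0.0.1\n",
    "edge-sw-03": "Role: Client (SmartInstall enabled)\n Vstack Director IP address: 10.0.0.1\n",
}

ROLE_RE = re.compile(r"Role:\s*(\w+)(?:\s*\(SmartInstall\s+(enabled|disabled)\))?", re.I)
DIRECTOR_RE = re.compile(r"Director IP address:\s*([\d.]+)", re.I)


@dataclass
class VstackState:
    hostname: str
    role: str         # "Client", "Director" or "Unknown"
    enabled: bool     # True when the Smart Install service is active on this device
    director_ip: str  # "0.0.0.0" means no director has been configured


def parse_vstack(hostname, text):
    """Extract role, enabled flag and director address from one device's output."""
    role, enabled = "Unknown", False
    m = ROLE_RE.search(text)
    if m:
        role = m.group(1).capitalize()
        # A director is always active; a client is active only when flagged enabled.
        enabled = role == "Director" or (m.group(2) or "").lower() == "enabled"
    d = DIRECTOR_RE.search(text)
    director_ip = d.group(1) if d else "0.0.0.0"
    return VstackState(hostname, role, enabled, director_ip)


def risk(state):
    """EXPOSED: enabled client with no director, i.e. it will take config from anyone.
    RESTRICT: Smart Install is in use, so limit who can reach port 4786.
    OK: client disabled (or unparseable output, which is flagged separately)."""
    if state.role == "Client" and state.enabled and state.director_ip == "0.0.0.0":
        return "EXPOSED"
    if state.enabled:
        return "RESTRICT"
    return "OK" if state.role != "Unknown" else "UNKNOWN"


def remediation(state, mgmt_prefix="10.0.0.0 0.0.0.255", acl_name="SMI-MGMT"):
    """IOS commands to apply. mgmt_prefix and acl_name are assumed placeholders."""
    level = risk(state)
    if level == "EXPOSED":
        # Cisco's guidance: turn the client off entirely where it is not needed.
        return ["no vstack"]
    if level == "RESTRICT":
        trusted = (f"host {state.director_ip}" if state.role == "Client"
                   else mgmt_prefix)
        return [
            f"ip access-list extended {acl_name}",
            f" permit tcp {trusted} any eq {SMI_PORT}",
            f" deny tcp any any eq {SMI_PORT}",
            " permit ip any any",
            f"! apply on each untrusted-facing L3 interface: ip access-group {acl_name} in",
        ]
    return []


def triage(outputs):
    """Map hostname -> (risk level, remediation lines) for a whole inventory."""
    result = {}
    for hostname, text in outputs.items():
        state = parse_vstack(hostname, text)
        result[hostname] = (risk(state), remediation(state))
    return result


if __name__ == "__main__":
    for host, (level, cmds) in triage(SAMPLE_OUTPUT).items():
        print(f"{host}: {level}")
        for line in cmds:
            print(f"    {line}")
```

Run it against real output by replacing `SAMPLE_OUTPUT` with the text collected from each device; devices whose output fails to parse are reported as `UNKNOWN` rather than silently marked safe, which is the failure mode to avoid in a fleet-wide check.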
