When I published my research “Cybercrime in the Middle East” about 5 years ago, I predicted that our region would be in big trouble sooner or later. My public speaking at national and international conferences about this phenomenon didn’t get much attention, especially at government level. But I think they need to change their mind this time!
Last week Saudi Aramco confirmed disruption to its network and explained in a statement on its Facebook page that the attack occurred due to a virus infection. Saudi Aramco is one of the largest energy and oil companies in the world, and I wonder how big companies like Aramco do not have some kind of strict security policy in place. The company’s Facebook page is a public page with “Likes” from Aramco insiders, and I was shocked by their comments, which revealed their identity, their work, position, responsibilities and even how the attack affected their machines. This is a very simple mistake that could lead to serious breaches, as attacking humans is easier than attacking systems!
A Pastebin statement posted on August 15, signed by a group calling itself the “Cutting Sword of Justice”, claimed the group had launched the attack to destroy 30,000 computers at Saudi Aramco. It said the company was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries including Syria and Bahrain.
Saudi Arabia sent troops into Bahrain last year to back the tiny state’s Sunni Muslim rulers against Shiite-led protesters and Riyadh is supporting Sunni rebels against the Syrian regime of President Bashar al-Assad.
The media started to report that “Iran” might be behind this attack!
The problem with this situation is the political propaganda and how each party will use it. In response to these speculations, and according to Arabic media sources, Aramco has fired several Saudi and Lebanese employees of Shiite background. The hacking group later announced in a separate Pastebin post that it would launch a new attack on Aramco.
How did they attack the Aramco network?
Although the investigation is not yet finished, one can use publicly available information to find an approximate answer. On August 16, Symantec announced the discovery of a new malware called “W32.Disttrack” or “Shamoon”. The malware infects a PC, steals certain data, sends the data to another infected PC inside the compromised network and then overwrites the PC’s MBR (Master Boot Record), which makes the system unusable.
The way this malware works might be linked to the Wiper malware, which infected Iranian oil terminals in April. Wiper is also considered a new variant of Flame, as the investigation of Wiper led to the discovery of Flame, according to Kaspersky Lab.
Kaspersky also published a new analysis showing that Shamoon is coded to work in three modes:
- As a typical program in a 32-bit OS
- Runs in a 64-bit OS
- Runs as a service in a 32-bit OS
Technically speaking, this malware might have been planted by someone with physical access to a machine connected to the Aramco network, after which propagation started. The infected machine need not have been inside the company; it might have been connected through remote access from any other place. In this case Aramco will need to conduct a thorough investigation to find out where this malware entered the network, not just clean up and recover from the attack. I don’t know much about how Aramco implements its security policies, or whether the company depends on contractors or third parties to perform certain tasks inside the company. But in most cases this type of attack, which targets closed networks, needs insider activity to start the infection, even with a small USB stick, as was done with Stuxnet.
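As an added illustration (not from the original post, nor from the Symantec or Kaspersky analyses it cites): a host-side integrity check that compares the first disk sector against a recorded known-good hash and sanity-checks its layout, the kind of monitoring that would flag the MBR overwrite described above. The sample MBR and the junk sector are constructed for the demo; nothing here reads or writes a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512                # the first sector of the disk
BOOT_SIGNATURE = b"\x55\xAA"  # last two bytes of a valid MBR

def parse_partition_table(mbr: bytes) -> list:
    """Return the four 16-byte partition entries stored at offset 446."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def baseline_sha256(mbr: bytes) -> str:
    """Hash to record while the machine is known-good."""
    return hashlib.sha256(mbr).hexdigest()

def check_mbr(mbr: bytes, baseline: str) -> dict:
    """Compare a freshly read MBR with its baseline and sanity-check its structure."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    entries = parse_partition_table(mbr)
    for idx, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):   # only "inactive" or "bootable" are legal
            findings.append(f"partition {idx}: invalid status byte {e['status']:#04x}")
    if not any(e["type"] for e in entries):
        findings.append("no partition entries defined")
    if baseline_sha256(mbr) != baseline:
        findings.append("MBR hash differs from recorded baseline")
    return {"tampered": bool(findings), "findings": findings}

def build_sample_mbr() -> bytes:
    """Constructed, minimal but well-formed MBR used as the known-good baseline."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\xEB\x3C\x90"  # boot code conventionally starts with a jump
    mbr[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)

def simulated_wiped_sector() -> bytes:
    """Constructed junk standing in for a sector a wiper has overwritten; touches no disk."""
    return bytes((i * 37 + 11) & 0xFF for i in range(MBR_SIZE))
```

Run `check_mbr(build_sample_mbr(), baseline_sha256(build_sample_mbr()))` to see a clean result, and the same call on `simulated_wiped_sector()` to see the missing signature, bad status bytes and hash mismatch reported together.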
Why Iran?
I mentioned in a previous post that Iran is the most capable nation in the Middle East when it comes to cyber attacks. They can benefit from the types of malware that hit their systems, such as “Stuxnet, Wiper, Flame, Gauss, Duqu”, by reverse-engineering and re-using them to attack others. Iran has its own cyber unit which deals with cyber attacks and cyber conflicts, in addition to its capability in the field of hacking and state-sponsored cyber attacks in cooperation with other nations such as “Russia and China”.
They cooperated before to reverse-engineer the captured US drone; therefore it might be true that Iran could be involved in the Aramco attack. While it is not technically easy to identify the attacker, or even the exact origin of the attack, reading the story from a political point of view could give answers to what’s happening in the Middle East.
If we accept that we are now living in the age of a cold cyberwar, we will understand that cyber espionage, cyber intelligence, cyber weapons and state-sponsored attacks are normal phenomena. The USA, Israel, Europe, China, Iran and Russia are major players in this dangerous game, and they treat the Middle East region as a crucial battlefield in their new cold war.
The question remains: Are we ready for the 21st century threats?
“Bad times have a scientific value. These are occasions a good learner would not miss.”
Ralph Waldo Emerson