The Jerusalem Post

As US issues warning to Iran, its cyberwar with Saudi Arabia takes on new meaning

By TIM JOHNSON

WASHINGTON – For anyone wondering what cyber warfare might look like, the conflict between Iran and Saudi Arabia provides an ongoing example.

Since 2012, the two nations have been lobbing digital artillery fire at each other in a simmering conflict that began when Iranian hackers destroyed more than 30,000 computers of the Saudi crown jewel, Aramco, the world’s biggest energy company. Since then, and as recently as last week, new cyberattacks have unfolded.

Just eight days ago, Saudi Arabia issued a cyber defense alert, the equivalent of an air raid siren in a more conventional conflict.

“This is an urgent call for your cybersecurity team to be on alert for Shamoon 2 and ransomware attacks that could possibly cripple your organization’s systems,” the nation’s Computer Emergency Response Team told domestic network systems operators, referring to Iranian-created malicious code.

As the Trump administration casts about for a cybersecurity policy, the byte battle between Iran and Saudi Arabia may well be a harbinger for conflicts to come.

It bears even closer watching following a statement Wednesday from President Donald Trump’s national security adviser, Michael Flynn, in which he listed recent “provocative” actions by Iran and said, “We are officially putting Iran on notice.”

As US hostilities with Iran rise, its offensive cyber capabilities will become ever more pertinent to the US government.

“Places like the (Persian) Gulf serve as canaries for the rest of the world,” said John Hultquist, who does cyber espionage analysis for FireEye iSight, a threat intelligence firm. “If you really want to learn about what an adversary is capable of before they become a problem, you look at places like the Gulf.”

Iranian capabilities are far below those of the world’s first-tier offensive cyber powers: the United States, Russia, China and Israel. But its expansive program of state hacking puts the nation definitely in the second tier, and its capabilities are improving, experts say.

“They are investing a lot of money. They won’t stay behind for long,” said Gabi Siboni, a colonel in the Israel Defense Forces reserves and director of the cyber warfare program at the Institute for National Security Studies in Tel Aviv.

Iranian hackers lack technical savvy, experts said, but their digital weapons work.

“I’ve seen the ugliest, sloppiest code do the most effective job,” said Dewan Chowdhury, founder and chief executive of Mal-crawler, a company that helps detect and destroy malware that targets electrical grids and other infrastructure. Chowdhury has studied Iran’s capabilities.

For its part, Saudi Arabia largely hires foreign companies to manage its cyber defenses and likely carry out offensive retaliations. But it is not clear who may be responsible for some of the attacks on Iran; Israel and the United States have targeted it before.

A series of fires at petrochemical facilities and a serious gas-pipeline explosion hit Iran between July 29 and Sept. 14 last year. Brig. Gen. Gholam Reza Jalali, who heads an Iranian military unit in charge of combating sabotage, acknowledged that “viruses had contaminated petrochemical complexes,” according to the state-run IRNA news agency. The hackers left no calling cards.

Iran’s drive to develop an offensive cyber program grew out of the crushing attacks it suffered when a computer virus dubbed Stuxnet shattered thousands of centrifuges and sabotaged its nuclear program. The virus was discovered in 2010.

“They have seen firsthand what a devastating cyberattack can do,” Siboni said.

US and Israeli cyber agencies are believed to have designed the Stuxnet digital bomb, although neither nation has admitted its role publicly.

Following the Stuxnet attacks, Iran turned its sights on Saudi Arabia, a regional rival across the Persian Gulf. The two have been engaged in conventional proxy wars in Syria and Yemen.

The Iranian attack on Saudi Arabia on Aug. 15, 2012, was the most destructive act of computer sabotage ever inflicted on a corporation. An Iranian group calling itself Cutting Sword of Justice erased data on tens of thousands of Aramco computers and left an image of a burning U.S. flag on the screens. It also prevented the computers from rebooting, rendering them useless.

“The damage was a little over 85% of their entire corporate network,” said Christina M. Kubecka, a digital crime investigator and trainer who worked for Aramco Overseas Co. handling network security from 2013 until 2015. “It was absolutely devastating.”

The virus was later dubbed Shamoon or Disttrack.

Iranian hackers also are believed to have conducted elaborate attacks on at least 1,600 key scientists, journalists and security officials in Israel, trying to get them to click on malicious links in email, a tactic commonly called spearphishing.

Iranian state hacker groups go to elaborate subterfuges, creating online fictitious personas to make the attempts seem legitimate. An Israeli scientist even received a phone call purporting to be from a BBC documentarian in an attempt to get her to open an attachment in a tainted email, Siboni said.

“Their social engineering is really one of their fortes,” said Hultquist of iSight.

Some 10 months ago, US prosecutors indicted seven men linked to the Iranian Revolutionary Guard Corps, a branch of the military, on charges of launching cyberattacks on New York banks and attempting to seize control of a small dam in Rye, New York. None of the attacks was successful.

Turning their sights back to Saudi Arabia, Iranian hackers conducted multiple attacks in November, wiping data from the Saudi authority that oversees the nation’s airports, hitting the Transportation Ministry, attacking the central bank and striking several other targets.

Cyber forensics experts labeled the new malware Shamoon 2.0, saying it was a variant of the bug used in 2012. Some said Iranian hackers had deployed a less destructive version, perhaps with the motive of rattling the Saudis.

“It shakes up the psyche of the population,” said Kubecka, the former Aramco network expert. She predicted that the skirmishes may increase. “It will probably escalate.”

“They absolutely have destructive cyber capabilities that they are not using, and that’s by choice. That’s them showing either restraint or self-preservation,” said Jon Miller, chief research officer at Cylance, an Irvine, California, company that develops anti-virus programs and defenses. “They want people to know that they have the capabilities.”

“The car analogy for it would be, you know, just because you have a Ferrari doesn’t mean that every time you get on the road you go from point A to point B at 200 mph,” Miller said.

The latest salvos came on Jan. 23. Hackers took over the Saudi Labor Ministry website and attacked the network of Sadara Chemical, a joint venture between the state oil giant Aramco and Dow Chemical.

Saudi cyber capabilities are far below those of Iran. But it has resources to hire the best hackers in the world, and some expect new retaliation.

“What I’d look for next is a Saudi Arabian counterattack,” said Dave Aitel, an offensive cybersecurity expert who is chief executive of Immunity Inc., a Miami Beach, Fla., security technology firm. “When you have all the money in the world, then these things are very possible.” – TNS

Photo caption: THE US RIVERINE Command Boat (RCB) 805 transits through rough seas during patrol operations in the Arabian Gulf. (US Navy via Abaca Press/TNS)
