feeding my own misguided insanity

Cyberwarfare and Hacktivism in the Middle East

November 15, 2012 Shem Radzikowski One Comment

Multi-billion dollar Oil & Gas companies are being targeted by a new generation of intelligent and destructive computer viruses that are capable of collecting sensitive information and are capable of destroying entire computer ecosystems.

On August 15, Saudi Aramco, the world’s largest Oil & Gas producer based in Saudi Arabia, admitted that it was targeted by a group of hackers which managed to infect some 30,000 personal computers and possibly stole proprietary information.

Who’s Behind the Attacks

There are mixed reports of whether the group behind the cyber-attack is the Arab Youth Group or the Cutting Sward of Justice, both of which have been linked to regional activist organizations. Reports are still sketchy and although Saudi Aramco CEO, Khalid A. Al-Falih, said that the company reacted quickly to isolate and contain the infection, it is still unclear how much damage was sustained or what data was stolen.

Shamoon, the malware (malicious software) responsible for the attack on the organization, represents what some would call the first widely publicized example of hacktivism. Hacker groups such as Anonymous[1] and LulzSec[2] have typically targeted known Web application vulnerabilities or used distributed-denial-of-service (DDoS) attacks. “This is the first significant use of malware in a hacktivist attack,” said Imperva’s Rob Rachwald, director of security strategy.

Interestingly, instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the Master-Boot Record of the computers — rendering them useless.

Despite the fact that it is rare to find this type of malware in targeted attacks, Kaspersky Lab suggest that this is the same behavior of the wipe malware found attacking machines in Iran which were infected with another unknown malware that eventually led Kaspersky to discover the Flame virus.

The origin of Shamoon or Flame can’t be verified, but on 16th June 2012 the Washington Post reported that the “United States and Israel jointly developed a sophisticated computer virus nicknamed Flame that collected intelligence in preparation for cyber-sabotage aimed at slowing Iran’s ability to develop a nuclear weapon, according to Western officials with knowledge of the effort.”

Background on Shamoon

The malware infection that crippled the computer systems of Saudi Aramco was dubbed “Shamoon” (Simon in Arabic) after researchers found a reference to a folder by the same name within the malware executable. Although Saudi Aramco stated that the virus did not disrupt any computer systems responsible for oil and gas production, the incident did send a sobering security shock wave throughout the energy sector.

Details of the cyberattack seem to confirm that 75% of the company’s workstations were infected, critical data files deleted and replaced with the image of a burning American flag.

The hackers, who called themselves Cutting Sword of Justice, said that they had released a malicious virus into Saudi Aramco on Aug. 15 that destroyed around 30,000 computers.

To corroborate the hack, the group uploaded onto Pastebin[3] (a website that allows free and anonymous exchange of information) blocks of what they claimed to be the internal IPs (unique addresses) of the infected computers. The attack against the government-owned oil company is said to be in retribution for the Saudi government’s support for “oppressive measures” in the Middle East.

Many analysts believed that the momentum created by the Arab Spring would in some part spill over into Saudi Arabia. Some suggest that the country has one of the most repressive regimes in the Arab world. So much so, that Amnesty International released a report titled “Saudi Arabia: Repression in the Name of Security” in which it revealed that hundreds of people have been arrested for demonstrating, while the government drafted an anti-terror law that would effectively criminalize dissent as a “terrorist crime” and further strip away rights from anyone accused of such offenses.

Saudi Women protesting in the city of Karbala

Recent protests in the country’s eastern province, home to a large Shiite minority and holding 90% of the country’s oil reserves, indicate that despite harsh efforts to quell demonstrations people are still flocking to the streets.

Given the relative hostility of the ruling government, it isn’t at all surprising that the so-called hacktivists (hackers who attack for political reasons rather than profit) have begun branching out into more sophisticated ways of making a statement.

Whether the origin of Shamoon or Flame will ever be identified, isn’t really important. However, evidence suggests that whoever is behind Shamoon, either reverse-engineered some of Flame’s behavior or had direct access to the original source code.

Similar Cyber-attacks

Just two weeks after the Saudi Aramco malware attack, the Doha-based RasGas Company Limited, a joint venture between Qatar Petroleum[4] and ExxonMobil, was hit by a similar virus. A press release of the incident confirmed that “the company’s office computer systems were affected by an unknown virus on Monday, 27th August 2012 Key impact remains in the administrative IT system; Operational Systems on site and offshore are secure. The production and supply of Liquefied Natural Gas (LNG), pipeline gas and associated products are uninterrupted.”

Malware is much more pervasive in the Middle East than in other regions of the globe. The fact that Saudi Aramco go hit by something like Shamoon shouldn’t be a big surprise, particularly given the number of infected systems in the region.

Threat Categories: Worldwide vs Saudi Arabia Source: Microsoft SIR v12

But Saudi Aramco and RasGas weren’t the only organizations to be targeted by hacktivists in the Middle East. In September, the websites of the Arabic news network, Al-Jazeera[5], were hacked by a group sympathetic to the Syrian regime. Al-Jazeera’s English and Arabic websites were affected by the hack, made by a group calling itself al-Rashedon, or “the guided ones”.

“This is a response to your position against the people and government of Syria, especially your support of the armed terrorist groups and spreading false fabricated news,” the group said in a statement blanketing aljazeera.net. “Your website has been hacked, and this is our response to you.”

The Qatari state-owned Al-Jazeera has made a name for itself by covering the region’s instability. But it has also been accused of bias and inconsistency. A number of staff resigned from Al-Jazeera accusing it of being biased towards the Syrian regime but supportive of Bahrain, Qatar’s neighbor.

In September 2011, Wadah Khanfar, a Palestinian widely seen as independent, suddenly left as director-general after eight years in the post and was replaced by a member of the royal family, Sheikh Ahmed bin Jassim al-Thani, a man with no background in journalism.

Almost a year later, on 30 September 2012 the network’s editorial independence was again called into question after its director of news ordered that a speech made by Qatar’s emir to the UN in relation to the debate on Syrian intervention be re-edited despite strong protests by the reporting journalists. Some observers are now suggesting that the once self-proclaimed “independent” Arabic news network is quickly becoming nothing more than an instrument to further Qatar’s foreign policy within the region.

Although the hack on Al-Jazeera was different to those against RasGas and Saudi Aramco, they were all executed with the intention of conveying a politically motivated message.

The sophistication of the malware is increasing to such levels that some experts believe that only groups with considerable resources and expertise would be in a position to create such viruses and that state-run cyberwarfare organizations are behind their development.

Malware heat map. Source: Microsoft Security Intelligence Report vol. 12

Similarities have been highlighted by Kaspersky Lab and Seculert between Shamoon and Flame, the cyber espionage virus that targeted computers in the Middle East. Shamoon has been noted as unique for having differing behaviour from other malware cyber espionage attacks and is capable of spreading to other computers on the network through exploitation of shared hard drives. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, erase and then send information about these files back to the attacker. Finally, the virus will overwrite the master boot record of the system to prevent it from booting and covering its tracks.

The Usual Suspects: Cyberwarfare

Various groups have come forward claiming responsibility for the attacks but the question still remains: who is responsible for the development of the new generation of malware?

On 1st June 2012, the New York Times reported that “President Obama secretly ordered increasingly sophisticated attacks on the computer systems that run Iran’s main nuclear enrichment facilities, significantly expanding America’s first sustained use of cyberweapons.” The computer security experts who began studying the worm that infected Iran’s nuclear enrichment facilities eventually gave it a name: Stuxnet.

Kaspersky Lab concluded that the sophisticated attack could only have been conducted “with nation-state support.” Proving which nation-state was responsible for Stuxnet will be difficult, but in light of the cyberweapons program which was started under President George W. Bush and then expanded under President Barack Obama, it has been suggested that Israel and the United States may have had direct involvement.

Shortly after Stuxnet’s discovery within Iran’s facilities, security researchers discovered another cyber-espionage worm on computers in Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt. A researcher from the Budapest University of Technology and Economics said that it

“is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”

Security researchers named the worm “Flame”.

Flame can spread to other systems over a local network (LAN) or via USB stick. It can record audio, screenshots, keyboard activity and network traffic. The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices. This data, along with locally stored documents, is sent on to one of several command and control (C&C) servers that are scattered around the world. The program then awaits further instructions from these servers.

Although Flame was discovered in May 2012, computer forensic experts have compiled evidence that suggest Flame may have persisted undetected on infected computers since at least February 2010.

Whether Shamoon, Stuxnet or Flame had state backing or were in some way sanctioned by nation-states will require further research. The irrefutable fact, however, is that this type of malware is being utilized by politically-motivated organizations and demonstrates that the technology is available to anyone with the right connections and an underlying motive to use it.

If organizations are to stand a fighting chance against this new generation of malware, then they need to invest in a cultural change as much as they do in technical safeguards.

[Title photo credit: Lord Jim / Foter / CC BY]

Footnotes
  1. Anonymous (used as a mass noun) is a loosely associated hacktivist group. It originated in 2003 on the imageboard 4chan, representing the concept of many online and offline community users simultaneously existing as an anarchic, digitized global brain.[4] It is also generally considered to be a blanket term for members of certain Internet subcultures, a way to refer to the actions of people in an environment where their actual identities are not known. ^
  2. Lulz Security, commonly abbreviated as LulzSec, is a computer hacker group that claimed responsibility for several high profile attacks, including the compromise of user accounts from Sony Pictures in 2011. ^
  3. A pastebin is a type of web application where it is possible to store text for a certain period of time. This type of website is used by some programmers to store pieces of source code or configuration information, but can also be used by anyone to share any type of text. ^
  4. Qatar Petroleum (QP) is a state owned petroleum company in Qatar. The company operates all oil and gas activities in Qatar, including exploration, production, refining, transport, and storage. Together, revenues from oil and natural gas amount to 60% of the country’s GDP. Currently it is the third largest oil company in the world by oil and gas reserves. ^
  5. Al Jazeera, literally “The Island”, is an independent broadcaster owned by the state of Qatar through the Qatar Media Corporation and headquartered in Doha, Qatar. Initially launched as an Arabic news and current affairs satellite TV channel, Al Jazeera has since expanded into a network with several outlets, including the Internet and specialty TV channels in multiple languages. ^

References

AIUK: Saudi Arabia: new wave of repression sweeps through kingdom – new report. (n.d.). Retrieved October 7, 2012, from http://amnesty.org.uk/news_details.asp?NewsID=19838
Al Jazeera Website Hacked By Syria’s Assad Loyalists. (2012, September 4).Huffington Post. Retrieved October 5, 2012, from http://www.huffingtonpost.com/2012/09/04/al-jazeera-website-hacked-syria-assad_n_1855178.html
Al-Jazeera Gets the Crap Hacked Out of It (Updated). (n.d.).Gizmodo. Retrieved October 5, 2012, from http://gizmodo.com/5940345/al+jazeera-gets-the-crap-hacked-out-of-it
Al-Jazeera website hacked again. (2012, September 5).BBC. Retrieved from http://www.bbc.co.uk/news/technology-19488739
Al-Jazeera websites hacked by Assad loyalist group. (2012, September 4).the Guardian. Retrieved October 5, 2012, from http://www.guardian.co.uk/media/2012/sep/04/al-jazeera-website-hacked
Al-Jazeera’s political independence questioned amid Qatar intervention. (2012, September 30).the Guardian. Retrieved October 7, 2012, from http://www.guardian.co.uk/media/2012/sep/30/al-jazeera-independence-questioned-qatar
Among Digital Crumbs from Saudi Aramco Cyberattack, Image of Burning U.S. Flag. (n.d.).Bits Blog. Retrieved October 6, 2012, from http://bits.blogs.nytimes.com/2012/08/24/among-digital-crumbs-from-saudi-aramco-cyberattack-image-of-burning-u-s-flag/
BBC. (n.d.). Second energy firm hit by virus. BBC News. Retrieved October 7, 2012, from http://www.bbc.co.uk/news/technology-19434920
Computer worm that hit Iran oil terminals “is most complex yet.” (2012, May 28).the Guardian. Retrieved October 6, 2012, from http://www.guardian.co.uk/world/2012/may/28/computer-worm-iran-oil-w32flamer
Connecting the Dots After Cyberattack on Saudi Aramco. (n.d.).Bits Blog. Retrieved October 6, 2012, from http://bits.blogs.nytimes.com/2012/08/27/connecting-the-dots-after-cyberattack-on-saudi-aramco/
Cyberwarfare. (2012, October 3).Wikipedia, the free encyclopedia. Retrieved from http://en.wikipedia.org/w/index.php?title=Cyberwarfare&oldid=515810645
Erdbrink, T. (2012a, April 23). Iranian Oil Sites Go Offline Amid Cyberattack. The New York Times. Retrieved from http://www.nytimes.com/2012/04/24/world/middleeast/iranian-oil-sites-go-offline-amid-cyberattack.html
Erdbrink, T. (2012b, May 29). Iran Confirms Attack by a Virus That Steals Data. The New York Times. Retrieved from http://www.nytimes.com/2012/05/30/world/middleeast/iran-confirms-cyber-attack-by-new-virus-called-flame.html
Flame (malware). (2012, October 4).Wikipedia, the free encyclopedia. Retrieved from http://en.wikipedia.org/w/index.php?title=Flame_(malware)&oldid=511812270
Flame fallout: Microsoft encryption deadline looms Tuesday. (2012, October 4).CSO. Retrieved October 6, 2012, from http://www.networkworld.com/news/2012/100412-microsoft-encryption-263081.html
Hack on Saudi Aramco hit 30,000 workstations, oil firm admits – The Register. (n.d.). Retrieved October 1, 2012, from http://www.theregister.co.uk/2012/08/29/saudi_aramco_malware_attack_analysis/
Hackers Lay Claim to Saudi Aramco Cyberattack. (n.d.).Bits Blog. Retrieved October 1, 2012, from http://bits.blogs.nytimes.com/2012/08/23/hackers-lay-claim-to-saudi-aramco-cyberattack/
Hackers repeatedly broke into Saudi Aramco. (n.d.). Retrieved October 6, 2012, from http://www.naked-security.com/news/234141.htm
How a Secret Cyberwar Program Worked. (n.d.). Retrieved October 6, 2012, from http://www.nytimes.com/interactive/2012/06/01/world/middleeast/how-a-secret-cyberwar-program-worked.html?ref=middleeast
Iran’s cyberattack claims difficult to judge, experts say. (2012, October 5).CSO. Retrieved October 6, 2012, from http://www.csoonline.com/article/718068/iran-s-cyberattack-claims-difficult-to-judge-experts-say
Microsoft. (n.d.). Security Intelligence Report (SIR) vol.12. Retrieved October 7, 2012, from http://www.microsoft.com/security/sir/default.aspx
Oil giant Saudi Aramco back online after 30,000 workstations hit by malware | Naked Security. (n.d.). Retrieved October 1, 2012, from http://nakedsecurity.sophos.com/2012/08/27/saudi-aramco-malware/
Pastebin – 2012, aug/17 Second time “more details” about aug/5 cyber attack on Saudi Ara – Pastebin.com. (n.d.).Pastebin. Retrieved October 1, 2012, from http://pastebin.com/tztnRLQG
Qatari Gas Company Hit With Virus in Wave of Attacks on Energy Companies | Threat Level | Wired.com. (n.d.).Threat Level. Retrieved October 6, 2012, from http://www.wired.com/threatlevel/2012/08/hack-attack-strikes-rasgas/
RasGas Company Limited: Media. (2012, August 30). Retrieved October 6, 2012, from http://www.rasgas.com/Media/press_it.html
RasGas Infected By Shamoon – Technology News – redOrbit. (n.d.). Retrieved October 6, 2012, from http://www.redorbit.com/news/technology/1112685657/shamoon-virus-rasgas-aramco-083112/
Rebalancing The Security Portfolio – Imperva Data Security Blog. (n.d.). Retrieved October 1, 2012, from http://blog.imperva.com/2012/03/rebalancing-the-security-portfolio.html
Reuters. (2012, August 26). Saudi Oil Producer’s Computers Restored After Cyberattack. The New York Times. Retrieved from http://www.nytimes.com/2012/08/27/technology/saudi-oil-producers-computers-restored-after-cyber-attack.html
Sanger, D. E. (2012, June 1). Obama Ordered Wave of Cyberattacks Against Iran. The New York Times. Retrieved from http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html
Saudi Aramco Confirms Scope of Malware Attack | threatpost. (n.d.). Retrieved October 6, 2012, from http://threatpost.com/en_us/blogs/saudi-aramco-confirms-scope-malware-attack-082712
Saudi Aramco hacked; company confirms disruption. (2012, August 17).Computerworld. Retrieved October 1, 2012, from http://www.computerworld.com/s/article/9230363/Saudi_Aramco_hacked_company_confirms_disruption
Saudi Aramco hug, another one – Pastebin.com. (n.d.).Pastebin. Retrieved October 6, 2012, from http://pastebin.com/AtN7dLeW
Saudi Aramco Restores Network After Shamoon Malware Attack — InformationWeek. (n.d.).Informationweek. Retrieved October 1, 2012, from http://www.informationweek.com/security/attacks/saudi-aramco-restores-network-after-sham/240006278
Seculert. (n.d.). Seculert Blog: Shamoon, a two-stage targeted attack. Retrieved October 5, 2012, from http://blog.seculert.com/2012/08/shamoon-two-stage-targeted-attack.html
Shamoon. (2012, September 29).Wikipedia, the free encyclopedia. Retrieved from http://en.wikipedia.org/w/index.php?title=Shamoon&oldid=510317869
Shamoon malware cripples Windows PCs to cover tracks. (2012, August 17).Computerworld. Retrieved October 1, 2012, from http://www.computerworld.com/s/article/9230359/Shamoon_malware_cripples_Windows_PCs_to_cover_tracks
Shamoon the Wiper – Copycats at Work. (n.d.).securelist.com. Retrieved October 5, 2012, from http://www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work
Shamoon, Saudi Aramco, And Targeted Destruction – Dark Reading. (n.d.). Retrieved November 15, 2012, from http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240006049/shamoon-saudi-aramco-and-targeted-destruction.html
Sons of Stuxnet – IEEE Spectrum. (n.d.). Retrieved October 7, 2012, from http://spectrum.ieee.org/podcast/telecom/security/sons-of-stuxnet
Nakashima, E., Miller, G., & Tate, J. (2012, June 20). U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say. The Washington Post. Retrieved from http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html
Stuxnet. (2012, September 29).Wikipedia, the free encyclopedia. Retrieved from http://en.wikipedia.org/w/index.php?title=Stuxnet&oldid=511942917
The Arab Spring comes to Saudi Arabia | Full Comment | National Post. (n.d.).National Post. Retrieved October 7, 2012, from http://fullcomment.nationalpost.com/2012/08/24/peter-fragiskatos-the-arab-spring-comes-to-saudi-arabia/
The Arab spring has shaken Arab TV’s credibility. (2012, April 3).the Guardian. Retrieved October 7, 2012, from http://www.guardian.co.uk/commentisfree/2012/apr/03/arab-spring-arab-tv-credibility
The Flame: Questions and Answers. (n.d.).securelist.com. Retrieved October 5, 2012, from https://www.securelist.com/en/blog/208193522/The_Flame_Questions_and_Answers
The Shamoon Attacks | Symantec Connect Community. (n.d.). Retrieved October 1, 2012, from http://www.symantec.com/connect/blogs/shamoon-attacks
The Shamoon Attacks Continue. (n.d.).Kashif Ali. Retrieved October 2, 2012, from http://www.kashifali.ca/2012/09/03/the-shamoon-attacks-continue/
The Significance of the Aramco Hack – Imperva Data Security Blog. (n.d.). Retrieved October 1, 2012, from http://blog.imperva.com/2012/08/the-significance-of-the-aramco-hack.html
W32.Disttrack!gen8 Removal – Removing Help | Symantec. (n.d.). Retrieved October 2, 2012, from http://www.symantec.com/security_response/writeup.jsp?docid=2012-091313-2116-99&tabid=3
W32.Disttrack!gen8 Technical Details | Symantec. (n.d.). Retrieved October 2, 2012, from http://www.symantec.com/security_response/writeup.jsp?docid=2012-091313-2116-99&tabid=2
Was Iran Responsible for Saudi Aramco’s Network Attack? | Digital Dao. (n.d.). Retrieved October 1, 2012, from http://jeffreycarr.blogspot.com/2012/08/was-iran-responsible-for-saudi-aramcos.html
We, behalf of an anti-oppression hacker group that have been fed up of crimes an – Pastebin.com. (n.d.). Retrieved October 6, 2012, from http://pastebin.com/HqAgaQRj
World’s largest oil company Saudi Aramco hit by malware. (n.d.). Retrieved October 1, 2012, from http://www.net-security.org/malware_news.php?id=2228

, , , , , , , , , , , , , , , , , , , , Middle East, News, Security, Thoughts

One Comment → “Cyberwarfare and Hacktivism in the Middle East”

  1. Mohammed 12 years ago   Reply

    This is why we at HID Global are working hard on diverse threat detection solutions that are aimed at identifying and deterring threats from having financial and branding impact.

Leave a Reply