Cyber attacks in the Middle East

by Terry Pattar

--

The 2009 ‘Stuxnet’ attack on Iran’s nuclear programme set off a virtual campaign of computer-based attacks in the Middle East, revealing increased cyber capabilities among both state and non-state actors in the region. Syria has become the latest battlefield in this shadow war.

--

The ‘cold war’ between the US, its allies, and Iran has involved years of bitter accusations driven by suspicions of Iran’s motives for pursuing a nuclear programme. Beneath the overt standoff between the two sides and their arguments over sanctions, a series of covert cyber attacks has revealed a hidden conflict. David Sanger of the New York Times has described it as “an emerging shadow war of attacks and counterattacks already under way between the United States and Iran in cyberspace.” Iran is alleged to have carried out cyber attacks over the past year which suggest it has upgraded its capabilities since 2009, when its own nuclear programme was targeted. The shadow war between the US and Iran may be the main cyber conflict in the Middle East, but the ability to carry out cyber attacks, albeit on a more limited scale, has spread beyond the nation-state actors involved. In Syria, pro-government hackers of the Syrian Electronic Army have threatened regime opponents and attacked international media outlets it sees as sympathetic to rebel force. While it is unclear if the group has direct links to the regime of Bashar al Assad, it does show that the capabilities required to carry out cyber attacks have filtered through to a variety of actors in the region who are learning from each new attack that takes place.  The increasing number of actors drawn into the region’s cyber conflict has taken the battle well beyond the initial aim of impeding Iran’s pursuit of nuclear weapons.

 

Stuxnet: attack on Iran’s nuclear programme

The recent series of cyber attacks in the Middle East began in 2009 when the Iranian nuclear facility at Natanz was attacked using a specifically created ‘worm’, a type of malicious software designed to spread and replicate via computer networks.  The Stuxnet worm, as it was later termed by researchers who discovered it in Belarus in 2010, targeted industrial components used to control the somewhat outdated Pakistani-made IR-1 gas centrifuges used in the uranium enrichment process at Natanz. Although neither government officially admitted involvement, it was widely assumed that US and Israeli intelligence agencies were responsible for developing and deploying Stuxnet. This has since been confirmed by a report in the New York Times, based on interviews with officials in the US administration, which revealed that the worm was part of ‘Olympic Games’, a cyber operation directed specifically at Iran. The operation came to public attention unintentionally; Stuxnet was meant to remain in the Natanz facility, but because of a programming error it transferred onto a USB stick that was taken out of the plant. This is also the most likely means by which it entered Natanz in the first place.

Oft-quoted estimates suggest that the attack set back the Iranian enrichment programme by two years. It was hailed as a major blow to Iran’s nuclear program, in the process opening up a new way of dealing with its future nuclear ambitions. According to detailed analysis published by the Royal United Services Institute in April of this year, the actual damage Stuxnet caused is likely to have been relatively limited. Stuxnet is believed to have infected the control systems for one unit of centrifuges, but the attack was contained and did not spread to the rest of the facility. Judging by IAEA reports detailing the number of centrifuges in use at Natanz, it seems that the Iranians were able to replace the centrifuges within a matter of months and have since continued expanding the facility. After details of the attack became publicly known, Iranian officials have admitted that the attack took place, but have been naturally reticent to admit the extent of the damage it might have caused.

Given the continued expansion of the Natanz facility, where uranium enrichment levels have progressed from 3.5% pre-Stuxnet to current levels of 20%, it seems unlikely that the worm was particularly successful. Instead, the net effect of the attack was to benefit Iran since we can assume Iranian authorities learnt from the attack and instituted improved security measures. This is also the fear of the US government. General William Shelton, head of the US military’s cyber operations, told the BBC in January 2013 that the Iranians were reacting to Stuxnet and as their capabilities develop, they would be “a force to be reckoned with.” With the benefit of hindsight, the Stuxnet attack, though technically impressive, did little more than show the clandestine hand of US and Israel involvement, potentially damaging prospects for diplomatic engagement.

Stuxnet is not the only attack to have struck Iran’s energy infrastructure. In April 2012, Iran’s oil ministry and national oil company were hit by malware dubbed ‘Flame’, = designed to erase data from infected terminals using a component called ‘Wiper’.. Flame is similar to Stuxnet in its design, though it appears to be of an older vintage, dating from as far back as 2006. The attack caused the Iranians to shut down the control system at their Kharg Island oil facility, the outlet for most of Iran’s oil exports. The Stuxnet worm made a reappearance in Iran in December 2012 when Iranian authorities reported that it struck an electricity plant run by the Bandar Abbas electricity company in the southern province of Hormozgan. Iran has not revealed whether the worm caused any damage to the plant or had any impact on operations.  

An earlier attack, in 2011, used a different piece of malware, known as ‘Duqu,’ which was a Trojan designed to gather data from a wide range of unnamed targets, that could then be used to support further cyber attacks. According to security researchers at Kaspersky, Duqu bore sufficient similarities to Stuxnet to suggest it was produced by the same creators, but rather than being focussed on a specific nuclear plant, it was designed to “steal everything” from any computer it landed on, most likely arriving via phishing emails.

 

Shamoon: Iran strikes back?

On 15 August 2012 a hacking group calling itself ‘Cutting Sword of Justice’ launched a computer virus attack on Saudi Aramco, Saudi Arabia's state oil company. The group claimed that the attack wiped data from 30,000 computers. The affected computers all operated on an internal network, and the attack rendered them unusable, disrupting Saudi Aramco's internal communications. The network was quarantined following the attack, and there was no impact on oil production. The virus was deployed at a specific time to coincide with the Eid holiday, probably in the hope that it would be left to run its course, uninterrupted, over a period of several days. According to cyber security expert Jeffrey Carr, the virus, termed ‘Shamoon,’ was introduced to the network via a USB stick that had been plugged into a Saudi Aramco computer terminal in an office in another part of the world. The destructive outcome of the Shamoon attack suggests that it was deployed with the intent of disrupting company operations. This was also the conclusion of a Saudi government investigation, according to Abdullah al-Saadan, Aramco’s vice president for corporate planning, who told Saudi news channel El Akhbariya in December 2012 that the hackers aimed “to stop the flow of oil and gas to local and international markets.”

The attack was noteworthy as it was the first in which a politically motivated group of ‘hacktivists’ used malware, rather than simpler distributed denial-of-service (DDOS) attacks. The increased level of sophistication could indicate state-level support. Their political motivations were clear. In a statement posted on Pastebin, a site designed for computer programmers to share code that is regularly used by hacker groups to post statements, Cutting Sword of Justice accused the Saudi government of committing “crimes and atrocities” in countries such as Syria and Bahrain. They also had the US in their sights, as the virus was designed to replace files wiped from the target computers with an animated image of a burning US flag. The specific component of Shamoon that actively deleted data was named ‘Wiper,’ suggesting it may have been adopted from the Flame malware that was deployed against Iran.

The US government has certainly blamed Iran for what the US Secretary of Defence Leon Panetta considered “probably the most destructive attack that the private sector has seen to date." It was “a real wake-up call in the region,” according to an unnamed senior US administration official quoted in the New York Times in May 2013. The official confirmed the US government view that Iran was behind the attack and that it demonstrates Iran’s preferred way of responding to sanctions. This was despite denials from Iran’s National Centre of Cyberspace that the Iranian government was involved in either the Saudi Aramco attack or a similar attack on RasGas in Qatar.

 

RasGas: encore for Shamoon?

A few days after Saudi Aramco announced the successful clean-up of the Shamoon virus, a similar type of malware struck a series of internal computers at Qatar-based gas company RasGas, the second largest producer of Liquid Natural Gas (LNG) in Qatar. The attack did not have an impact on overall production, but the company did have to close down its website and email system. The full extent of the damage suffered by RasGas remains unclear, and no details have been made public regarding the method used to access the company’s network. Although on this occasion there was no claim of responsibility, the parallels  in the attacks on Saudi Aramco and RasGas – similar attack characteristics and company profiles –  suggest they may have a common enemy. Did the same hacker or hackers attack both companies?

The US has asserted Iranian involvement in the Shamoon attack, but the absence of direct evidence to support the claim makes it especially difficult to attribute responsibility in a way that sticks. The Iranian government has certainly increased its cyber activity over the last few years. In the past, Iran has attempted to use social media to gather personal information (which could be used for phishing attacks) from US military personnel based in the region. Iranian pro-government hackers, such as the ‘Iranian Cyber Army’, attacked Twitter in 2009 in revenge for the micro-blogging platform’s supposed key role in fomenting anti-government protests. More recently, the Iranian government has hired foreign hackers to boost their cyber attack capabilities, according to unnamed US officials cited in a June 2013 New York Times report.

 

Parastoo: hackers ‘defending’ Iran’s nuclear programme

A group of hacktivists called ‘Parastoo,’ Farsi for ‘swallow,’ has carried out a series of attacks on public targets  as a way of showing support for Iran’s nuclear programme. The first was in November 2012 when they succeeded in obtaining the email addresses of various international nuclear experts from a server at the International Atomic Energy Agency (IAEA), all of whom subsequently received email messages requesting that they sign a petition calling for inspections at Israel’s Dimona facility. The group’s claim of responsibility referred to two international hacker collectives, Anonymous and Lulzsec, but it is unclear what connection Parastoo actually has to either group. A former Lulzsec member claimed online that Parastoo is linked to Iran’s Revolutionary Guard Corps Qods Force (IRGC-QF), a military unit dedicated to the destruction of Israel, and to Hizbullah. Parastoo has made statements elsewhere that refer to Iranian and Hizbullah figures from the past. Computer science website Silicon Angle also published analysis tracing the results of a Parastoo hack  back to an individual based in Tehran.  Parastoo’s claim of responsibility features the same sign off (“Expect us”) used by the hacking collective Anonymous, and Parastoo claimed to be one of the teams involved in the Anonymous-linked ‘Op Israel’ DDOS attack against Israeli websites  in April 2013. At minimum Parastoo is attempting to imitate Anonymous, even if there are no direct links.

Parastoo’s agenda is clearly anti-Israel, though with a specific focus on nuclear and energy issues. In May 2013 the group hacked the servers of the US National Nuclear Safety Agency (NNSA) and hacked the US Department of Energy in February 2013, obtaining personal information on several hundred employees. In the same month, the group announced that it had hacked servers used by information company IHS Global over a period of six months, specifically downloading the full contents of Jane’s CBRN Intelligence Centre, one of the company’s signature products, containing information relating to chemical, biological, radiological, and nuclear issues. In an email to Silicon Angle, Ed Mattix, IHS Vice President for Corporate Communications, confirmed that the hackers stole previously published CBRN information. Parastoo claimed that the attack was  revenge for the assassinations of Hamas operative Mohammed al-Mabhouh, killed in Dubai in 2010, and Hizbullah’s external operations chief, Imad Mughniyeh, killed in Damascus in 2008. Both men are believed to have been assassinated by Israel’s Mossad. Despite the stated revenge motive, there is no clear indication that Parastoo has any direct links to Hamas, Hizbullah, or to the Iranian government, but it does underline the group’s pro-Iran and anti-Israel agenda.

 

Operation Ababil: attacks on US banks

In September 2012 DDOS attacks shut down the websites of several American banks, among them JPMorgan Chase & Co. and Bank of America. A group calling itself the Izz ad-Din al-Qassam Cyber Fighters claimed responsibility for ‘Operation Ababil,’ as they referred to it in a statement posted on Pastebin. They g announcement went so far as to identify  targets in advance of attacks. The group claimed that it was taking revenge for the film “Innocence of Muslims,” a marginal production made by an obscure US filmmaker that, despite being roundly condemned for its offensive depictions of Islam, sparked protests across the Islamic World. The  attack used a piece of malware called ‘Itsoknoproblembro’ to take over the resources of several cloud computing servers and used them to flood the banks’ websites with requests. Although Itsoknoproblembro has been around for a few years, it was the first time it had been deployed to infect data centres, rather than individual computers,  using their greater processing power to attack external websites, according to a January 2013 New York Times account of the incident.  The group has continued to post weekly updates to Pastebin of Operation Ababil,  including targeting information such as  details of which banks and financial institutions they will attack in a given week; the YouTube URL of the video, which they have demanded be removed from the video sharing service; and  announcements of temporary operational pauses. 

The Izz ad-Din al-Qassam Cyber Fighters are alleged to be more than a hacktivist collective. For Senator Joseph Lieberman, the chairman of the US Homeland Security Committee, the attack , “was done by Iran and the Quds Force, which has its own developing cyber attack capacity” – an accusation that the Iranian government has vigorously denied. In comments to Middle East news service Al-Monitor in January 2013, Alireza Miryousefi, a spokesman at the Iranian Mission to the United Nations, stated that “Unlike the United States, which has per reports in the media given itself the license to engage in illegal cyberwarfare against Iran, Iran respects international law and refrains from targeting other nations' economic or financial institutions.”

Although the method used in this type of attack – essentially flooding a bank’s website with traffic – is relatively simple, DDOS is sometimes used as  to divert attention from secondary attacks involving electronic theft on banks and financial institutions. In some instances, opportunistic cybercriminals wait until a hacktivist group attacks a bank and then activate malicious software that enables them to gain access to accounts and drain them of funds. According to Avivah Litan, a banking-security analyst with Gartner Inc., quoted in a May 2013 Bloomberg article, there is now some convergence between politically motivated hackers and cybercriminals. “We are also seeing the different actors borrow, buy and steal from each other, so that cybercriminals are using cyberwarrior tactics and code, and cyberwarriors are using cybercriminal tactics and code,” Litan said. “The big question is whether the nation-state actors, i.e. the Iranians, will start stealing money out of accounts.”

 

Gauss: attack on Lebanon’s banking industry

Iran is not the only nation-state actor accused of targeting banks. The Gauss malware attack launched in late 2011 specifically targeted the Lebanese banking industry by monitoring online banking activity at six Lebanese banks and reporting the information to a command server. Russian computer security firm Kaspersky  believes Gauss was based on the Flame platform and most likely produced by its creators. Kaspersky’s researchers struggled to carry out a full analysis of the malware because parts of it were hidden with highly sophisticated encryption, which appeared to contain some type of ‘payload’ that would only be triggered for release by the specific system configuration of its target. Kaspersky’s analysis found that Gauss bore “strong resemblances” in its design to  Flame, Duqu and Stuxnet, suggesting that Gauss may have been created and deployed by the US, possibly with Israeli assistance. Gauss was intended to gather confidential information on transactions taking place in Lebanon, whose banks are known for providing discreet banking services to Middle East clients. While there could have been a number of entities carrying out transactions in Lebanon that would have been of interest to the US, Iranian attempts to evade financial sanctions would have attracted the most attention. 

A variant of the Flame malware, dubbed ‘Mini-Flame’ by researchers at Kaspersky, has also been found in several countries in the Middle East, including Lebanon, Palestine, Saudi Arabia, and Qatar. Mini-Flame is a more focused piece of malware than its elder sibling, gathering data from a specific target, rather than harvesting information on a wider scale.

 

The Syrian Electronic Army: the advent of “digital counter-revolutionaries”

The cyber war in Syria mirrors the divide between government and rebel forces, though its borderless battlefield has allowed attacks on foreign governments. The Syrian Electronic Army (SEA) has risen to prominence as a pro-government hacking group, aptly termed “Syria’s Digital Counter-Revolutionaries,” in an August 2011 article in The Atlantic. The group has targeted Saudi Arabia, Qatar and other countries known to be backing rebel forces. In February 2012 the SEA hacked the English website of Qatari news channel Al Jazeera,and in Jul 2012 the group succeeded in hijacking Al Jazeera’s Twitter account, posting stories denouncing rebel fighters. They followed up on this by hacking the Twitter account of Saudi news channel Al Arabiya, using it to post fake stories claiming Qatar’s Prime Minister had been removed in a military coup.

In early August 2012 pro-government hackers, also likely to have been part of the SEA, inserted a fake news story on the Reuters website describing the retreat of Syrian rebels, and followed up two weeks later by hacking a Reuters blog to post a claim that the Saudi Foreign Minister, Prince Saud al-Faisal, had died. A third attack occurred later the same month when a Reuters Twitter feed was hacked to post pro-Syrian government messages. A similar hack targeted Al Jazeera’s Arabic website in September 2012. More recently, in April 2013, the SEA hacked the Associated Press Twitter account and posted a fake news story announcing US President Obama had been injured in explosions at the White House. According to the Financial Times, the fake story caused a temporary 1% fall in the value of the S&P 500 share index before it was corrected. An AP reporter commented on Twitter afterwards that the phishing emails sent by the SEA to facilitate the attack were “impressively disguised.”

The SEA started out as a digital bulwark against the online activity of opposition activists, who had the support of the international hacking collective Anonymous. SEA activities have included DDOS attacks on international and regional media outlets, and phishing attacks on the Facebook accounts of pro-revolution activists. The group presents itself as an independent entity, and has denied being part of the government or security forces. It does, however, have the tacit support of President al-Assad, who has openly expressed his admiration for SEA activities. Although the SEA and the government have denied any direct links, the SEA did provide the government with a list of opposition leaders that was subsequently leaked. Around the same time, according to a May 2013 New York Times report, many of the online nicknames and identities previously associated with the SEA ceased activity, and a new set of handles came online and assumed control of the SEA’s online presence. It is possible, in other words, the leak precipitated a government-sponsored changing of the guard at SEA.

In an email interview with the Financial Times in April 2013, an SEA representative claimed that the group was made up of Syrian youth committed to supporting the government. The SEA representative told the FT that the group originally focussed on Gulf-based media sites because of their governments’ support for the rebels, and they had recently shifted to targeting US media companies after US sanctions caused their internet service provider to close down the group’s main website. In May 2013, the SEA followed up on the interview by hacking the blog headlines and Twitter account of the Financial Times, posting links to videos of Syrian rebels being killed. In an interview with US news site Global Post in the same month a SEA representative reiterated the group’s claim that it was a hacktivist group that was not pro-Assad, but pro-Syria. The SEA also claimed that it would not attempt to develop sophisticated attacks on industrial control systems, like Stuxnet, as this would be “too dangerous in any case and could potentially provoke a war or harm innocent people.” The SEA representative also revealed that the group has faced no online resistance, other than some DDOS attempts from “misguided factions of Anonymous.”

Even though the SEA appears to be succeeding largely unopposed in making a digital nuisance of itself, there has been some activity from the other side of the electronic frontline, as Syrian opposition activists succeeded in hacking into President Bashar al-Assad’s personal email account between May and December 2011. Members of the ‘Supreme Council of the Revolution’ group were responsible for accessing al-Assad’s account, which was associated with Al Shahba, a front company in Dubai that the family used to circumvent personal sanctions. There are different retellings of how the activists gained access to the email account. They were either provided the password by an insider within the Assad regime, or they found that the account used the default password of ‘1234.’  In any case, the attack was undoubtedly embarrassing for al-Assad. The activists obtained several thousand of his email messages.  They revealed that he had only been paying lip-service to opposition demands for reform, and had mocked the Arab League’s attempts to monitor the situation.

The attack demonstrated the growing capabilities of non-state actors and confirmed that this type of action will increasingly become a normal part of conflicts and political uprisings in the region.

 

Mitigating the increasing threat

Iranian denials of involvement in cyber attacks have cut little ice with the US Department of Defense, which has offered to provide support to countries in the region most active in assisting American efforts to track and intercept Iranian arms shipments. This is likely to involve commercialisation of defence capabilities, especially those related to protection of military and critical infrastructure networks, and would potentially involve sales of hardware, software, and training services to the Arab Gulf States. The Gulf States in particular have been galvanised by the spate of cyber attacks that have occurred over the past two years. Oman has lead the way by making its national Computer Emergency Readiness Team (CERT) the regional hub for cyber security, in conjunction with the International Telecommunications Union’s International Multilateral Partnership Against Cyber Threats (IMPACT). The UAE has created a specialist National E-Security authority, according to a report in the Financial Times. The governments of Saudi Arabia and the UAE are also increasing their spending on cyber security, while the private sectors in both countries are forecast to increase their technology security budgets by 18% between 2012 and 2018, according to consulting firm Frost and Sullivan.

This represents a regional shift to a more attentive posture  on the subject of cyber security. US consulting firm Booz Allen Hamilton commented in the media in September 2012 that corporate entities in the Middle East and North Africa have been complacent in organising their cyber defences, as they previously believed they were unlikely to be targeted by sophisticated attacks. Rob Enderle, the principal analyst of Californian IT security company Enderle Group, told The National in September 2012 that in his view, energy companies in the Middle East still have not taken sufficient steps to protect themselves. He commented that these companies, “lack the funds or the will… As a result it will likely take one or more massive catastrophes connected to digital attack to force these industries to retool to properly address the threat.”

Cyber defence is only one side of the coin. Israel has established the region’s first academic programme in cyber warfare, intended to train hackers for military service, working on  improvements to Israel’s cyber defence while also developing cyber attack capabilities against potential enemies. The programme, announced in July 2012, is a joint initiative of the Department of Information Systems Engineering at Ben Gurion University, Israel’s Ministry of Defense, and the National Cyber Headquarters.

It is unclear if any other countries in the region, other than Iran, are developing offensive cyber capabilities. The governments of the Arab Gulf States are more likely to use cyberspace to monitor potential political dissidents, than focus on external threats. However, the US Department of Defense sees them as potential markets for cyber security products, especially while key energy companies in the Gulf remain vulnerable to attacks. This will be a particular concern if the recent strategy of launching cyber attacks at Iranian targets is to continue.  There will undoubtedly be retaliation, whether it comes from pro-Iranian hacktivist groups or hacking units within the Iranian military. Even if the US and its allies do not carry out further attacks on Iran, for fear of driving greater advances in Iranian cyber capabilities, the number of non-state actors who might pursue cyber attacks against governments in the region is only likely to increase.

--

About The Author: Terry Pattar is Chief Research Officer at Thesigers and an Editor of Current Intelligence.

About Thesigers: Thesiger & Company (‘Thesigers’) is a London-based research and advisory firm, providing a wide range of services to clients whose interests and activities demand in-depth knowledge of emerging and frontier markets. Current Intelligence is Thesigers’ quarterly bulletin of current affairs, published online and in print.

Company registered in England and Wales.  Company registration number: 07234402.

VAT number: GB 135658985

Email: enquiries@thesigers.com | Web: thesigers.com

© THESIGER & COMPANY LIMITED (‘THESIGERS’) 2010-2013.  All rights reserved.  No reproduction of this essay is authorized without prior permission of the publisher. Permission to republish in whole or in part will be considered on a case-by-case basis, and may require payment of a licensing fee.