Cybersecurity is often discussed in relation to the major global powers: China’s economic espionage, Russian influence operations, and U.S. dragnet global surveillance to thwart terrorism.
However, as other countries move to digitize their economies, cybercriminals are zeroing in on these new and lucrative targets while regional players are quickly incorporating cyber capabilities into their own arsenals for achieving strategic ends.
The Middle East, particularly the Gulf states, are quickly recognizing the urgent need for better cybersecurity, while regional adversaries such as Iran have begun weaponizing code as an extension of broader strategic goals within the region. What, though, is the Gulf’s current cybersecurity atmosphere, and how does Iran’s emerging use of offensive cyber capabilities fit into its broader strategy in the Middle East?
Wajdi Al Quliti, the Director of Information Technology at the Organization of Islamic Cooperation, notes that “the region’s dramatic strides towards digitization—expected to add over $800 billion to GDP and over 4 million jobs by 2020—is making the Gulf a major target for fast evolving cyber threats.” Much like other regions, the Gulf is finding it difficult to sufficiently create criminal deterrence due to segmented laws and difficulties in attribution. Al Quliti argues “cross-border cooperation and common cybersecurity structures could prove to be a game-changing advantage in the fight against cybercrime.” However, “the elephant in the room,” according to Al Quliti, “is the issue of state-sponsored hacking, in which case harmonized laws are unlikely to make a difference.”
A critical point in nation-state hacking in the Middle East begins with the Stuxnet worm. Discovered in 2010 burrowed deep in Iranian networks, the worm had slowly been sabotaging Iran’s nuclear ambitions. Then in 2011 CrySyS Lab discovered Duqu, a cyber espionage tool tailored to gather information from industrial control systems, and in 2012, Kaspersky Labs identified Flame, another espionage tool, targeting various organizations in the Middle East. Both Duqu and Flame are associated with Stuxnet, and widely considered to be the work of Israel and the United States.
In 2012, Iranian officials found a wiper virus erasing files in the network of the Oil Ministry headquarters in Tehran, leading the ministry to disconnect all oil terminals from the Internet to prevent the virus from spreading. It is uncertain who was behind the attacks, but a mere four months later, Saudi Arabia’s largest oil company, Saudi Aramco, was hit with a similar wiper virus known as Disttrack—possibly coopted from the previous attack on Iran’s oil industry.
The data-erasing malware sabotaged three-quarters, or some 35,000, of the company’s computers, while branding screens with an image of a burning American flag. A few months later, another wiper virus attacked Qatar’s RasGas.
Al Quliti identifies “the region’s heavy dependence on oil and gas—as well as the oil and gas-powered desalination plants that provide much of the region’s fresh water”—as “a source of cyber vulnerability,” adding that “any cyber attack on these installations could prove catastrophic and might result in a humanitarian disaster.”
The sabotage operations against the Gulf’s oil industry have been attributed by various cybersecurity firms—but not officially by any government—to a group called Shamoon, thought to be sponsored by the Iranian government.
Michael Eisenstadt, the Director of the Military and Security Studies Program at the Washington Institute for Near East Policy, notes that “cyber allows Iran to strike at adversaries globally, instantaneously, and on a sustained basis, and to potentially achieve strategic effects in ways it cannot in the physical domain.” For example, in March 2016, the Justice Department revealed indictments for seven Iranian’s working on behalf of the Iranian Revolutionary Guard Corps for distributed denial of service attacks against U.S. banks in 2012, which appeared to be in retaliation for U.S. sanctions imposed on Iran the previous year. The indictments also was in response to Iran’s infiltration into the systems of a small New York dam in 2013—a possible testing ground for penetrating larger pieces of U.S. critical infrastructure. In 2014, the same year North Korea set its sights on Sony Pictures, Iran’s cyber capabilities again reached into the United States, using another wiper virus to sabotage the operations of the Las Vegas Sands casino, whose chief executive, a staunch supporter of Israel, had suggested detonating a nuclear bomb in over Iran.
Last November, right before a major OPEC meeting, a variation of the Disttrack wiper used against Saudi Aramco in 2012 struck again, now fitted with a picture of Alan Kurdi, the drowned Syrian toddler who washed up in Turkey in 2015. The virus targeted six Saudi organizations, most notably the Saudi General Authority of Civil Aviation, delivering its payload at the close of business on a Thursday, the start of the Islamic weekend, for maximum impact. Some experts speculate the November attack could have also been a false-flag operation to derail the Iranian nuclear deal.
Interestingly, for both the 2012 and 2016 Shamoon attacks, the wiper came fitted with stolen login credentials that cybersecurity firm Symantec now believes could have been gleaned from a cyber espionage tool, known as Greenbug, found on one of the administrator computers of a Saudi organization targeted in November. The potential link between Greenbug and the Shamoon group opens up possible investigations into the group’s involvement in a host of other Greenbug attacks throughout the Middle East, including breaches in Saudi Arabia, Bahrain, Iraq, Qatar, Kuwait, Turkey, and even Iran—though likely for domestic surveillance on dissidents. Just last week, another wiper virus hit 15 Saudi organizations, including the Ministry of Labor, prompting the government to issue an urgent warning of pending Shamoon attacks.
Eisenstadt points out that “Iran’s cyber activities show that a third-tier cyber power can carry out significant nuisance and cost-imposing attacks,” and “its network reconnaissance activities seem to indicate that it is developing contingency plans to attack its enemies’ critical infrastructure.” According to Eisentadt, is now seems that “in the past decade, Iran’s cyber toolkit has evolved from a low-tech means of lashing out at its enemies by defacing websites and conducting DDoS attacks, to a central pillar of its national security concept.”
Levi Maxey is a cyber and technology analyst at The Cipher Brief. Follow him on Twitter @lemax13.