Iranian cyberthreat hovers over GCC region

The challenge of thwarting cyberattacks is a region-wide concern as attacks become more sophisticated
Sunday 08/03/2020
Threat hunting. Technicians practice defence against cyber attacks on the power grid during a simulation at a training centre in Germany. (DPA)

LONDON - Last September, Saudi Aramco was hit with a drone and cruise missile attack that targeted oil processing facilities in eastern Saudi Arabia. The attack, which Saudi and US officials blamed on Iran, led to the temporary shutdown of the Aramco facilities, which affected 5% of global oil production.

While that attack made headlines around the world, Aramco has been the target of constant assaults of another kind — cyberattacks — with a significant spike in attacks on computer systems in the final quarter of 2019, Aramco officials said.

“Overall, there is definitely an increase in the attempts of (cyber) attacks and we are very successful in preventing these attacks at the earliest stage possible,” Khalid al-Harbi, Aramco’s chief information security officer, told Thomson Reuters.

“The pattern of the attacks is cyclical and we are seeing that the magnitude is increasing. I would suspect that this will continue to be a trend.”

Aramco’s response in neutralising cyberattacks contrasts with its capabilities of a few years ago. In January 2017, an attack at the Sadara Chemical Company, an Aramco-Dow Chemical joint venture, wiped out the firm’s computer systems.

“There are several key industries that tend to bear the brunt of these cyberattacks and we find similarity across different regions,” Dr Moataz Bin Ali, vice-president of Trend Micro for the MENA region, said via e-mail. He said manufacturing and government organisations are consistently the first- or second-most targeted sectors, followed by the financial services industry, the education sector and health care.

“Industries that are prominent in GCC, such as energy and oil and gas, are among the top ten most-hit sectors through the entirety of 2019,” he said.

The challenge of thwarting cyberattacks is a region-wide concern as attacks become more sophisticated and motivations range from geopolitical to criminal activity. The United Arab Emirates, a tourism and business hub with a thriving economy and significant regional political capital, is an attractive target for cybercriminals and politically motivated hackers.

Even Gulf Cooperation Council (GCC) members with smaller economies have been targeted by Iranian hackers. Last August, an attack said to have been carried out by hackers linked to Iran infiltrated networks of Bahraini government agencies and critical infrastructure sites.

“There is a mixture of capabilities and maturity within the GCC,” said Alister Shepherd, director for Middle East and Africa at Mandiant, a subsidiary of US cybersecurity firm FireEye. “So, we have seen Saudi Arabia in particular and the UAE as well invest heavily and key governmental entities have been steadily improving since 2012 with the trigger being the first Shamoon (virus) attack on Saudi Aramco (in 2012).”

The GCC probably lags in comparison to the United States or the United Kingdom but cybersecurity has been improving in Saudi Arabia and the United Arab Emirates. However, the rest of the GCC is still catching up, Shepherd pointed out.

Gulf countries appear to be taking the matter seriously. Planet Market Reports said the GCC cybersecurity market, which totalled $7.2 billion in 2016, was expected to reach $11.4 billion by 2024.

Shepherd said most attacks his firm has seen have been state-sponsored, with groups tied to Iran heavily active in the region.

“They obviously respond to geopolitical events, so sometimes we see a spike in activities around major events, such as the US withdrawal from Joint Comprehensive Plan of Action or sanctions,” Shepherd said, referring to the nuclear deal between Iran and global powers.

Mandiant noted that “one observation that we have made is that the capabilities of Iran to conduct a cyberattack of the scale of something like Shamoon in 2012 seems to have been degraded.” The cyberdefence capabilities of GCC countries have increased, Shepherd said.

“Iranian attack capabilities have been increasing incrementally and have been outpaced by the defensive investments in Saudi Arabia,” he said. “That means that their ability to conduct cyber disruptive and destructive attacks has been relatively degraded and one might reason that you might see them resorting to physical attacks because they do not have the capabilities to get the level of impact in the cyber domain right now.”

Warding off cyberattacks is not an exclusive challenge of governments and large companies, particularly considering that people in the region are avid social media users.

“One major theme that we have seen in social media is social engineering or just targeting, so identifying individuals who work at organisations of interest and targeting them through social media, so that could be with the eventual aim of gaining access to the parent organisation, be it government or private sector,” Shepherd said.

Mandiant said it noticed that this method was used by Iranian operations to spread pro-Iranian propaganda.

“Iranians are trying to gain a reaction from individuals from what we would call inauthentic media,” Shepherd said. “They are news stories favourable to Iran and unfavourable to its opponents in the region.”