Saudi-Iranian confrontation moves to cyberspace

Sunday 08/01/2017

Washington - Geopolitical and ideological rivals Iran and Saudi Arabia have been engaged for several years in proxy wars in Yemen and Syria as the two countries vie for regional supremacy.
Now Tehran appears to be masterminding another form of warfare against Riyadh by supporting periodic state-sponsored cyber-strikes that are exposing strategic vulnerabilities of the kingdom. A recent cyber-attack disrupted the Saudi aviation sector.
There is growing concern in Riyadh over Tehran’s ability to inflict serious damage to key operations within the kingdom through malware, which could have widespread consequences globally as well if oil production is affected. Iran clearly is determined to become a dominant cyber-power. Since 2013, Tehran has boosted its cyber-security budget 12-fold and experts put Tehran in the top five of the world’s cyber-powers.
In 2012, Saudi Aramco experienced a significant breach that infected 30,000 of the state oil company’s computers. There is little doubt that Iran was responsible for that incident, though Tehran vehemently denied any association with it. Even more troubling for the Saudi government was the awareness that the hackers likely had inside help from one or more Saudi Aramco employees who had high-level access to the company’s computer network.
The latest cyber-attack against Saudi Arabia began in mid-November, when malware destroyed computers at a handful of government organisations, including the kingdom’s aviation regulator, the General Authority of Civil Aviation (GACA). Six government agencies were reportedly struck, although two were able to fend off serious damage.
The Saudi government acknowledged that the country’s cyber-security department had ascertained that a systematic attack had occurred, including against the transportation sector, but did not identify the other government bodies that were targeted. It is rumoured that the kingdom’s Central Bank was also a victim of the malware.
The November cyber-attack crippled the GACA headquarters for several days by wiping out critical data on thousands of computers and halting administrative operations, though Saudi airports were seemingly unaffected. Riyadh is conducting a full assessment of the cyber-attack but digital evidence points to Iran as the instigator.
Most telling is that the malware employed in the November cyber-attack is a variation of the Shamoon virus that was effectively used in August 2012 to wipe clean the hard drives of three-quarters of Saudi Aramco’s corporate computers, replacing all data with the image of a burning American flag. A group calling itself the Cutting Sword of Justice took responsibility for that breach, accusing Saudi Aramco of aiding a “corrupt” Saudi regime in carrying out “crimes and atrocities” in countries such as Syria and Bahrain through use of Muslim oil revenues.
Though Saudi Aramco’s oil operations and exports remained unaffected because the malware did not reach systems software associated with technical operations, the company immediately shut down its corporate computer network to prevent the malware’s spread. Saudi Aramco moved quickly to purchase 50,000 hard drives from South-East Asian computer manufacturers. The damage to Saudi Aramco’s computer network is considered one of the most destructive cyber-attacks on a single business to date.
Not only did digital evidence point to Iran’s involvement in that incident but the theory was that Tehran instigated the breach on Saudi Aramco as retaliation against the United States following an April 2012 cyber-attack on Iran’s Oil Ministry and affiliates that forced Tehran to temporarily disconnect its main Gulf oil terminals from the internet to prevent the malware’s spread. Because the Iranian oil industry is still largely mechanical and not reliant on the internet, no oil production or exports were believed to have been affected.
The biggest and most damaging cyber-attack against Iran was the Stuxnet virus that in 2010 infected computers that ran the Gulf country’s main nuclear enrichment facilities, resulting in the destruction of 1,000 of Iran’s 6,000 centrifuges used in enriching uranium. The United States and Israel reportedly collaborated on developing and employing the Stuxnet malware to stall Tehran’s nuclear development programme.
According to Andretta Towner, a senior intelligence analyst at CrowdStrike, a security technology firm: “Stuxnet was kind of an awakening for them in cyber-security matters… So the country decided that building the national cyber capability was just the natural next step.” Towner was speaking at a conference on Iranian cyber-threats sponsored by the Atlantic Council.
After Stuxnet, Iran committed to boosting its own cyber capabilities. A report issued in December 2014 by cyber-security firm Cylance said that an Iranian hacking group referred to as Operation Cleaver had victimised at least 50 companies in 15 critical industries spanning 16 countries.
Cyber experts point out that Iran’s development of its cyber capabilities is two-fold; not only does it enable Tehran to gather intelligence, but it can also be employed for Iran’s “other political agendas in the Middle East”, Towner says.
Last March, the US Justice Department indicted seven hackers linked to the Iranian government on charges that included attacking the public websites of US banks from late 2011 to May 2013. The indictments, which marked the first time the US government has charged state-sponsored individuals with cyber-attacks aimed at disrupting the networks of a key US industry, named seven employees of two Iran-based computer security firms said to be working on behalf of Iran’s Islamic Revolutionary Guards Corps.
Given the strained political relations between Tehran and Riyadh, the Saudi government may be compelled to beef up its own cyber-security skills as Iran has demonstrated its willingness to attack its foe’s key industries. Also, given US President-elect Donald Trump’s rhetoric suggesting frostier US-Iranian relations may be ahead, the United States also should brace for more Iranian cyber meddling.