No one has claimed or assigned responsibility yet and Iran is, as usual, the main suspect
Iran and Saudi Arabia’s “cold war” in the Greater Middle East has played out in several theaters. In Yemen and Syria, recipients of the two countries’ military aid duke it out on the battlefield. In the public sphere, diplomatic slights, state propaganda, social media platforms, and sermons from the bully pulpit demonize the other side. And below the surface, the usual intrigue plays out in the cloak-and-dagger routine.
That routine, increasingly, involves acts of cyber sabotage. The latest round of this is, according to Bloomberg, the work of the Iranians, who’ve taken inspiration (and more) from malware used against them by Western intelligence services, to go after their longtime riyals in Riyadh with “Shamoon 2” malware, an upgrade on an old Iranian favorite first used against the Kingdom in 2012.
The attack wreaked havoc on the administrative systems of the country’s civil aviation and transportation ministries and central bank, as well as other government offices, deleting files and destroying “thousands” of computers. The attacks took place across multiple systems, with the malware going off like a “grenade” among them. As a final touch, it disables the computers’ boot functions so that a machine cannot start its OS again.
In 2012, Iran reportedly destroyed 35,000 computers at the state oil company, Aramco, using Shamoon. Shamoon was, according to Wired and Kaspersky, a “copycat” modeled on the Wiper data-destruction malware that had targeted the Iranian oil sector earlier that year.
It is difficult to verify the exact extent to which Iran copied Wiper, or adapted other malware used against it in the past such as Stuxnet, though state media has bragged about how much the country’s cyber security sector has learned from the attacks on it since 2010.
The “new” malware, notes cyber security firm CrowdStrike, could be deemed “Shamoon 2” since it preserves many of the original’s features, particularly the use of a commercially available EldoS raw disk driver. And as Symantec notes, it was carefully implemented for maximum impact. This version of Shamoon was set to go off when most employees would be off work during a holiday, as with Aramco in 2012, and, “The malware was configured with passwords that appear to have been stolen from the targeted organizations and were likely used to allow the threat to spread across a targeted organization’s network.”
Whether these were obtained by some yet-unknown phishing attack, as happened in 2012 according to CNN, or by other means is unknown, but it raises worries for the Saudis about an insider threat.
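The spread via stolen passwords described above leaves a footprint a defender can look for: one account authenticating over the network to many distinct hosts in a short window. The following is an added example, not code from the article or from any vendor it cites; it runs over constructed Windows Security log records (event 4624, logon type 3) in an assumed comma-separated layout and flags accounts that fan out to more than a threshold of hosts inside a sliding window.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not data from the incident): timestamp, event id,
# logon type, account, destination host. Type 3 is a network logon; type 2 is
# interactive and is ignored by the detector below.
SAMPLE_LOG = """\
2016-11-17T02:01:05,4624,3,CORP\\svc_backup,FS01
2016-11-17T02:01:09,4624,3,CORP\\svc_backup,FS02
2016-11-17T02:01:14,4624,3,CORP\\svc_backup,WS-ACCT-07
2016-11-17T02:01:20,4624,3,CORP\\svc_backup,WS-ACCT-12
2016-11-17T02:01:27,4624,3,CORP\\svc_backup,WS-HR-03
2016-11-17T02:01:31,4624,3,CORP\\svc_backup,PRINT01
2016-11-17T02:03:44,4624,3,CORP\\jsmith,FS01
2016-11-17T02:15:02,4624,2,CORP\\jsmith,WS-ACCT-07
2016-11-17T09:10:00,4624,3,CORP\\jsmith,FS02
"""


def parse_events(text):
    """Parse the assumed CSV layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, host = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "account": account, "host": host})
    return events


def find_credential_fanout(events, max_hosts=5, window=timedelta(minutes=10)):
    """Return {account: sorted hosts} for accounts whose network logons reach
    more than max_hosts distinct hosts within any window of the given length."""
    per_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            per_account[e["account"]].append(e)
    flagged = defaultdict(set)
    for account, logons in per_account.items():
        recent = deque()  # logons inside the current sliding window
        for e in logons:
            recent.append(e)
            while e["time"] - recent[0]["time"] > window:
                recent.popleft()
            hosts = {r["host"] for r in recent}
            if len(hosts) > max_hosts:
                flagged[account].update(hosts)
    return {acct: sorted(hosts) for acct, hosts in flagged.items()}


if __name__ == "__main__":
    for acct, hosts in find_credential_fanout(parse_events(SAMPLE_LOG)).items():
        print(f"{acct}: {len(hosts)} hosts in window -> {', '.join(hosts)}")
```

Thresholds need tuning per environment; service accounts that legitimately touch many hosts belong on an allow-list rather than a lower threshold.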
Earlier this year, hackers purporting to be Saudi patriots defaced Iranian government websites, which was soon followed by similar actions against Saudi pages by self-declared Iranian cyber warriors. And previously, in 2015, Swiss investigators determined that unnamed parties had planted malware on the computers of a hotel where Iran-US talks about the country’s nuclear program had taken place. Although the source was likely a foreign intelligence service, and probably more than just one, the investigation into the malware was called off several weeks ago.
The embarrassment and inconvenience of the cyber attack attributed to Iran, though, did not derail a deal the two nations reached at this week’s OPEC summit to let Iran increase oil production while the Saudis cut theirs back. For now, at least, there will be no public response. But then, that is part of the problem with cyber attacks: They are seen as cheap tit-for-tat measures with few repercussions, so, again, the envelope will be pushed a little bit further with the next state-sponsored undertaking.