Iran behind Shamoon Attack

Monday, October 15, 2012 @ 11:10 AM gHale

By Richard Sale
Iran intensified its attempt to push forward its cyber war capabilities with a six-month rash of virus attacks that culminated with its hackers disabling 30,000 computers at Saudi Aramco, the world’s largest oil corporation, two months ago, computer and intelligence experts said.

The attack took place August 15, when a malware weapon took down 30,000 of the company’s computers, said Jim Lewis, a computer expert at the Center for Strategic and International Studies (CSIS) in Washington. While Aramco officials said production did not suffer from the attack, sources have said it is hard to believe they did not have production issues.

RELATED STORIES
Shamoon Mitigations Shelter Systems
Shamoon Malware and SCADA Security
Saudi Attack has ‘Inside’ Suspects
Shamoon Malware Variant Running
New Virus Hits Oil Giant, LNG Producer
Qatar’s RasGas Suffers Virus Hit
Saudi Aramco Back Up after Attack
Saudi Aramco Hacked

Two former senior CIA officials first alerted ISSSource the culprit in the attack was Iran working with personnel inside the Aramco’s computer center. They said the Saudi regime is investigating the attack and is arresting suspects like operating staff, janitors, office people, and cargo handlers.

CIA sources said attack was the work of a disgruntled Shiite insider (or insiders) that had full access to the system.

Richard Stiennon at IT-Harvest, a firm that tracks and reports on evolving cyber threats, told ISSSource 30,000 computers ended up scrambled and Iran was the perpetrator. He said Iranian-trained hackers launched the attack “in deep wrath” because of the mistreatment of the Shiites at the facility, and in Syria and Bahrain — two countries where the Saudi government has reportedly aided Sunni factions in their struggle with the Alawite-dominated regime and the Shiite majority, respectively.

The Aramco attack and the attack on RasGas, a major Qatar gas works, and other energy companies over the summer were in retaliation for the U.S.-Israeli developed Stuxnet virus that infected thousands of Iran’s nuclear program centrifuges, and as payback for the severe U.S.-imposed sanctions that have sent the Iranian economy into a tailspin, the CIA sources said.

“It’s basically a kind of low-grade cyber war,” said former CIA chief of Counterterrorism, Vince Cannistrao.

“It has had a big effect. 30,000 is a relatively big number,” Lewis said. “The computers were out for as much as a week and had to be replaced.”

“Thirty thousand is a big number,” said Andrew Ruef, a U.S. computer expert who is co-author of a forthcoming book on cyber war. Explaining that a “botnet” like Shamoon is collection of comprised computers under the control of a single individual or group, he added, “The Zeus botnet compromised an estimated 13 million computers,” and noted “botnets can be commanded to attack websites or search the data on computers.”

The Zeus botnet is a Trojan horse that steals banking information and spreads through drive-by downloads and phishing schemes, security experts said.

First identified in July 2007 when it was used to steal information from the U.S. Transportation Department it became more widespread in March 2009. In June 2009, security company Prevx discovered Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Amazon, and Business Week Magazine.

“Iran did not break into any of the industrial control systems as Stuxnet did,” Ruef said. Quoting a late 2010 analysis by Seculert, a cyber security firm, he said the Iranians instituted a series of simple attacks to build a “botnet” of zombies numbering as much as 20 million. Earlier this year, they defaced a series of sites to garner a stronger botnet network and then launched its assault on Saudi Aramco and the other organizations.

Lewis said the Aramco virus read the data from 30,000 computers and in all cases, erased the data, leaving the computers unusable. The attackers did not understand or read the data they compromised, he said.

“The dollar cost of an intrusion to a company can’t be underestimated,” Ruef said. He also agreed Iran headed up the attack.

“There is a really significant dollar cost to this attack,” Lewis said.

Iran’s Cyber Army
Iran’s Cyber Army (ICA) began as a group within the Iranian military, said Paulo Shahkarian, Ph.D, a computer expert at the West Point Military Academy and Ruef’s co- author. The ICA began to surface in 2009, using equipment and tactics considerably inferior to that of the world’s most powerful nations.

According to Stiennon and confirmed by U.S. intelligence officials who asked not to be named, Iran’s initial cyber forays, driven by an intensifying rivalry with Saudi Arabia, did little damage: No money was stolen, no technology damaged, or classified information taken. U.S. intelligence officials said the early hacks on prominent international websites were short-lived and more of a nuisance than anything else.

But to jeer at Iran’s early capability is to miss the point.

The attacks of government and business sector websites made clear Iran had recognized the potential of the cyber attacks as the newest form of international espionage and warfare, and realized they needed to become a real player in the game.

Iran a Quick Learner
In January, the Tel Aviv Stock Exchange and the Israeli airline, EL Al were also hit by the hackers, along with U.S. banks, these intelligence sources said, and NBC News and others reported Iran’s cyber warriors recently defaced and disrupted the websites of U.S. banks including JPMorgan Chase and Bank of America. The attacks apparently sought to disrupt websites and other computer systems at the targets by overwhelming their networks with computer traffic. Many reports claimed the anti-Islam video that belittled and insulted the Muslim Prophet Muhammad had prompted the Denial-of-Service (DoS) assaults, while others suggested the action was taken in response to U.S. sanctions on Iranian banks. The websites have been out of commission for over a week, according to news reports.

Many experts said the Aramco attacks mark a new era in collaborative cyber warfare, the goal of which is to rule virtual space, with Iran moving away from the defacement attacks against Twitter and Baidu toward the deployment of the malicious botnet.

While many U.S. analysts agree that, as a hacking group, ICA still has to mature a bit. They are still far off from pulling off the caliber of attacks we have seen from Russia and China, but ICA is still in the process of creating its own botnet. If Iran’s latest attack is as large as the above analysis suggests, it would mark a significant advance in Iran’s cyber warfare capabilities and could pay some large dividends in the arena of cyber war.

Iran is currently jamming the Persian Service of the Voice of America (VOA), and Radio Farda, another Persian language program, U.S. officials said. The Broadcast Board of Governors that oversees Voice of America and other U.S.-sponsored broadcasts has accused Iran of jamming radio and television programming into the Middle East and eastern Europe during the ongoing Iranian currency crisis. U.S. intelligence officials told IPS Iran has targeted the three broadcast services before, adding that jamming violates international communications regulations.

But the real lesson of the Aramco incident is sinister and chilling.

“So if you and your friends wanted to hack into Aramco and shut down a bunch of computers, you’re about six months and $10,000 from being able to do it,” Ruef said. “The capability has been very thoroughly democratized.”

“I don’t think it would take six months,” Lewis said.

On Thursday, Defense Secretary, Leon E. Panetta, issued a blunt warning the U.S. was facing the possibility of a “cyber-Pearl Harbor” and was increasingly vulnerable to foreign computer hackers who could dismantle the nation’s power grid, transportation system, financial networks and government,” according to several news reports. In an address to business executive last Thursday he said the Shamoon attacks, represented a “significant escalation of the cyber threat.”

Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.