Iran's cyber strategy: A case study in Saudi Arabia

In November, a mysterious hacking group called Shamoon unexpectedly reappeared after four years of dormancy. The reason behind Shamoon's reemergence is currently unknown to security researchers, but the group marked its return by reviving one of the most devastating malware variants ever discovered.

The Shamoon group infiltrated Saudi Arabia in January with a targeted cyberattack, which used a highly destructive malware component named W32.Disttrack.B. The specialized malware first steals data from victim computers, then wipes all data and finally renders machines unbootable by overwriting master boot records (MBR). Among government and industry targets was Sadara Chemical Co., a joint venture between Dow Chemical and Saudi Aramco.

The January cyberattack followed a systemic attack in November 2016, which targeted Saudi government entities and destroyed thousands of computers.

The November 2016 cyberattack signaled Shamoon's first reemergence since August 2012, when it used W32.Disttrack– an earlier variant of W32.Disttrack.B – against Saudi Aramco to destroy 35,000 computers in what then-Defense Secretary Leon Panetta called "probably the most destructive attack the business sector has seen to date."

The 2012 Aramco attack followed an April 2012 cyberattack by an unknown threat actor on Iran's Kharg Island, the country's most important oil export terminal.

Researchers at many cybersecurity firms have noted that the code used in the 2016 and 2017 cyberattacks, which have been dubbed Shamoon 2 to distinguish them from the 2012 attacks, was nearly identical to the code used in the 2012 Aramco cyberattack. Code used in the 2012 Aramco attack, The New York Times reported, was almost identical to the code used in the Kharg Island attack.

W32.Disttrack's data deletion capability is called Wiper, the name for a module with the same functionality in the Flame malware. Security researchers at Kaspersky Labs discovered Flame in 2012. At the time of Flame's discovery, researchers said it had been used for years in cyber espionage campaigns throughout the Middle East – primarily Iran.

Kaspersky researchers also wrote that Flame "infects computers by using sophisticated techniques that were previously used by only one cyber weapon: Stuxnet." Stuxnet is the joint U.S.-Israeli developed malware discovered in 2010 that successfully disrupted Iran's nuclear enrichment program by destroying centrifuges.

Stuxnet is widely credited with changing the way Iran thinks about cyber.

Shamoon 2 and the Historical Iran Connection

The Saudi government has not publicly attributed the 2017 or 2016 cyberattacks. The Saudi Press Agency said the 2016 attack originated outside the country, but it did not allege a threat actor. Bloomberg reported that unnamed U.S. intelligence officials and independent security experts concurred the forensic evidence suggests the 2016 attack emanated from Iran.

The entity behind the original Shamoon – whose name originates from the directory string C:ShamoonArabianGulfwiperreleasewiper.pdb in Wiper – remained unclear to the public until 2015. A National Security Agency document leaked by former contractor Edward Snowden revealed that U.S. intelligence believed it to be Iran.

The 2016 and 2017 cyberattacks against Saudi Arabia share hallmarks with other cyberattacks alleged or known to be carried out by Iran. The use of destructive malware in targeted attacks – while "unusual" and "rare" – has been a staple of past Iranian cyberattacks, including in 2014 against Las Vegas Sands Corp. In contrast, China historically has focused on the theft of intellectual property, while Russia of late appears focused on information warfare. But such generic fingerprinting is far from conclusive.

Dr. Trey Herr, fellow with the Belfer Center's Cybersecurity Project at Harvard, said Iran's penchant for destructive cyberattacks can be traced partly to its political strategy. Iran's tactics, Herr said, "appear to be different from either Russia or China in part because of their strong interest in political rivals in the region and comparatively more freedom to act against these states without overt retribution. Some others may also revolve around Iranian cyber operational culture, which has grown up more recently than either Russia or China, and without quite the same long-running intelligence emphasis."

Shamoon 2 made one significant change to W32.Disttrack.B. Cybersecurity firm CrowdStrike, which has publicly attributed the cyberattacks to Iran, noted the image that appears after the malware overwrites a computer's MBR is no longer a burning American flag. Instead, the malware now displays an image of Alan Kurdi, a 3-year-old Syrian refugee whose dead body washed ashore in Turkey in September 2015.

Questions remain about the timing of Shamoon's reemergence after a four-year hiatus. Jon DiMaggio, senior threat intelligence analyst with Symantec Security Response, explained:

When malware is discovered in a targeted attack and documented publicly, the group behind the malware usually modifies the malware to avoid detection and/or burns infrastructure in an attempt to disappear … Shamoon went dark for four years and reemerged in 2016. This is almost unheard of and certainly not the norm. The only theory we can provide is that the attacker in both the 2012 attacks and 2016/17 attacks is primarily interested in Saudi Arabia.

Who is ‘Greenbug’?

W32.Disttrack.B is just one of three components comprising the malware used by Shamoon. Before W32.Disttrack.B can destroy computers, it must be deployed throughout a targeted organization's networks. Deployment requires threat actors to steal valid IT credentials.

Security researchers at Symantec are unsure how Shamoon obtained credentials. Symantec – which responded to Shamoon and Shamoon 2 attacks on its clients – does not discuss customers or specific victims identified in investigations. DiMaggio agreed to discuss his general research and previous findings.

In a Jan. 23 blog post, Symantec wrote about Greenbug, a cyber espionage group that has been targeting multiple industries throughout the Middle East. Greenbug uses a remote access Trojan called Ismdoor to steal credentials. DiMaggio said Greenbug attacks are believed to start with spear-phishing emails.

Symantec wrote about Greenbug, DiMaggio said, because research revealed, "Greenbug was present on an organization's network where the Shamoon malware (W32.Disttrack.B) was also present."

However, DiMaggio explained, "Although the Ismdoor malware used by Greenbug and the Shamoon malware were present on the same network, the primary reason we cannot attribute the Greenbug threat actor with the Shamoon malware is because there is no evidence that either type of malware is associated with the other. We did not see the Ismdoor malware dropping Shamoon or any hard technical connection between them."

DiMaggio said Greenbug attempted to escalate privileges to at least one of the target's administrative systems.

"In theory, it is possible that if they are related or responsible for Shamoon malware being present that they could have provided the administrative access needed to place the destructive malware on the target's network," DiMaggio added.

Evidence to definitively link Shamoon and Greenbug is so far inconclusive. DiMaggio said Symantec is still tracking Shamoon and Greenbug separately.

Cyber Proxies for Plausible Deniability?

The potential Greenbug-Shamoon-Iran connection, if eventually proven, would point to a broader trend: Iran's use of proxies.

Following the 2012 Aramco cyberattack, several groups emerged online to claim credit. Cyber threat intelligence company Recorded Future analyzed how attribution evolved over time. Initially, a group calling itself Arab Youth Group claimed credit and, later, another group calling itself Cutting Sword of Justice.

In separate incidents that occurred around the same time as the 2012 Aramco attack, a group calling itself Cyber Fighters of Izz ad-Din al-Qassam launched cyberattacks against the websites of JPMorgan Chase & Co. and Bank of America Merrill Lynch. The Financial Times reported two senior Western intelligence officials and independent cybersecurity experts said the hacker group is a proxy for the Iranian government.

The nature of the affiliation between these groups and the Iranian government is unknown to the public, but Iran has historically used proxies in irregular warfare and terrorism. In utilizing cyber proxies, Iran would be modernizing its conventional methods by taking a page from the playbook of its ally, Russia.

The use of proxies provides nation-states many advantages, wrote Central Intelligence Agency veteran Rob Dannenburg, "including plausible deniability, relatively low cost, little chance of political blowback, very little legal recourse for the target or victim and the opportunity for a state actor to reinforce and exercise relationships with non-state actors that could be of use in a future conflict."

A 2015 Iranian media interview with Islamic Revolutionary Guards Corps Brigadier General Second Class Behrouz Esbati, a defensive cyber operations commander at Iran's Cyber Headquarters, illustrated Iran's use of plausible deniability. Asked about alleged proxy groups comprising the "Cyber Army of Iran," Esbati said (via translation):

The concept of the Cyber Army of Iran is made by and paid by American media ... When we say, “What are your citations?” they say that “Cyber Army of Iran” is written on there when the systems are hacked. What person writes their own name when they commit such sabotage? It is clear that this is a conspiracy. I don’t have information on a hack. But in the observation of psychological war that is my expertise, I say this is a game that the Americans are behind. In cyberspace, the factors of time and space are limited and it is possible that there are both engaged and non-engaged young people in Iran who do such work.

Herr said one thing to watch in the future is, "the degree to which other proxy actors operate on [Iran's] behalf, indicating the government's trust in sharing malicious software or intelligence."

Iran’s Emergent Cyber Strategy

Much about the Shamoon 2 cyberattacks appears to fit Iran's past behavior and emerging cyber strategy, which began to take shape after Stuxnet. Gholamreza Jalali, the head of Iran's Passive Defense Organization, has interpreted Stuxnet as "the first official act of war in cyberspace."

A year after Stuxnet, Iran's supreme leader Ayatollah Ali Khamenei, in a July 29, 2011 editorial in the Kayhan newspaper, wrote that the U.S. (via translation) "will be taught the mother of all lessons."

Since 2010, Iran has learned from the U.S., while also developing its own strategy and tactics.

In "Cyber: Iran's Weapon of Choice," Michael Eisenstadt, Kahn Fellow and director of the Military and Security Studies Program at The Washington Institute for Near East Policy, noted that cyber fits well with Iran's "preference for ambiguity, standoff and indirection when conducting potentially high-risk activities." That's one reason why, he wrote:

In the past decade, Iran’s cyber toolkit has evolved from a low-tech means of lashing out at its enemies by defacing websites and conducting DDoS attacks to a central pillar of its national security concept. In fact, cyber may be emerging as a fourth leg of Iran’s current deterrent and warfighting triad. This triad currently consists of the ability to disrupt maritime traffic in the Strait of Hormuz; conduct unilateral and proxy terrorism on several continents; and launch long-range missile and rocket strikes against targets throughout the region.

Compared to other cyber superpowers, Iran's capabilities are still maturing. Herr explained, "Iran appears able to target and sustain operations against a wide range of targets, with greater success against private and state-owned companies, especially in the region, than Western government entities. This compares favorably with Russia, China and the U.S., though suggests that Iran is still developing the capacity to operate against many of these targets simultaneously."

Herr foresees Iran supporting future destructive cyberattacks. "Iran will likely continue to expand current abilities," Herr said, "likely focusing on kinetic and data destruction operations vs. information or widespread influence activities."

Along with offense, Iran remains equally focused on defense against "soft war" – particularly American "content" that conflicts with Iranian values. In the 2015 interview, Esbati said, "In the cyberwar between Iran and America, the defining issue is culture. The world in the 21st century is a world of thoughts and ideas, and not of hardware … Nowadays, America is the symbol of the evil person and the Islamic Republic is the symbol of the divine person. There is no common ground for these two. One of these two must be victorious over the other."

Recommended for you
Around The Web