The attacks are believed to have affected thousands of computers at the Saudi civil aviation and transportation agencies, harkening back to a devastating Iranian cyberattack in 2012 that nearly crippled the Saudi state oil company, Aramco.
The Saudi Arabian Monetary Agency, the nation’s central bank, denied a Bloomberg report last week that it was hit, too.
Cybersecurity experts caution that they cannot say for sure that the attacks that began Nov. 17 are from Iranian hackers. But they note a series of similarities to the 2012 cyberattack and say Iranian hackers are especially active.
“Since the (U.S.) election especially, there’s been a pretty drastic increase in the amount of targeting of Saudi and Israeli institutions by hacking groups that we absolutely know are based out of Iran,” said Collin Anderson, an independent researcher currently writing a report on Iranian cyber warfare for the Carnegie Endowment for International Peace.
Anderson said “reasonable degrees of evidence” link the hacking to the Islamic Revolutionary Guard Corps, Iran’s most powerful security and military organization.
Cyber experts commonly refer to the malicious code infecting Saudi computers as Shamoon 2.0, a new version of the Shamoon malware that hit Aramco in 2012. The code is also known as disttrack.
“The infection capability doesn’t cause any particular hardware damage we know of but it does ‘brick’ your computer,” said George Avetisov, cofounder and chief executive of HYPR Biometric Security, a New York City firm that handles cybersecurity solutions for clients.
A “bricked” computer is one left completely useless, like a brick.
The malicious attack began at 8:45 p.m. on Thursday, Nov. 17, the start of the weekend in Saudi Arabia, where employees work Sunday to Thursday. That allowed the virus to spread for days before employees returned. It also marked the beginning of Lailat al Qadr (Night of Decree), an important Muslim holiday that is the holiest night of the year.
The Shamoon 2.0 malware wiped hard drives in infected computers clean and left an image of the lifeless body of a 3-year-old Syrian boy, Alan Kurdi, who was found on a Turkish beach 15 months ago and became a symbol of the European refugee crisis. The 2012 Shamoon attack left an image of a burning U.S. flag.
How many Saudi computers were destroyed in the recent attack is not known.
“Historically, Saudi Arabia has been very opaque about these sorts of attacks,” Anderson said.
Avetisov said the recent attacks were “not particularly stealthy” because the infection spread through a specific software driver, almost a calling card from Iranian hackers.
“As someone who scours the internet looking at false flags,” he said, referring to deceptive covert operations made to look like they were done by someone other than the real authors, “I can’t see a motive. What would you achieve with a false flag like this?”
He said attacks on key government agencies can be testing for further attacks.
“Usually you see attacks of a large scale as potentially a precursor for a much larger event. It remains to be seen if that’s the case here,” Avetisov said.
The Iranian hackers appeared to use email as bait to implant the malware.
“These are crimes of opportunity essentially,” Anderson said. “It’s really like these Iranian groups getting lucky based off of social engineering rather than, you know, highly technical operations conducted with zero day exploits.”
Anderson referred to a type of vulnerability that can give an attacker freedom within a host computer system to wreak havoc. Such vulnerabilities are usually detected by large teams of elite hackers working for governments.
The U.S.-Israeli cyber worm known as Stuxnet at the turn of the decade destroyed a great number of centrifuges Iran was using for its nuclear weapons program.
“Especially for Iran, there’s not really a lot of costs involved with these activities . . . not a lot of chance that anyone is going to get extradited,” Anderson said.
Iran Briefing | News Press Focus on Human Rights Violation by IRGC, Iran Human Rights
Mar 18, 2019 Comments Off on Iran’s embrace of Iraq shows US sanctions are working
Mar 18, 2019 Comments Off on IRANIAN COMMANDER: ALL OF ISRAEL WITHIN REACH OF HEZBOLLAH’S MISSILES
Mar 16, 2019 Comments Off on Iran Inches Closer to its Goal: “Wipe Israel off the Map”
Mar 15, 2019 Comments Off on Trump officials warn more Iran sanctions are coming
Mar 19, 2019 Comments Off on U.S. Pressures Iraq Over Embrace of Militias Linked to Iran
Mar 19, 2019 Comments Off on Mike Pompeo returns to Middle East to urge action against Iran with 3 different partners
Mar 16, 2019 Comments Off on 50 IRANIAN DRONES CONDUCT MASSIVE ‘WAY TO JERUSALEM’ EXERCISE
Mar 15, 2019 Comments Off on Iran Hacked Mobile Phone of Netanyahu’s Chief Election Rival
Mar 19, 2019 Comments Off on U.S. Pressures Iraq Over Embrace of Militias Linked to IranU.S. Pressures Iraq Over Embrace of Militias Linked to Iran U.S. Pressures Iraq Over Embrace of Militias Linked to Iran The United States’ attempts to isolate Iran, including by punishing Iraqi militias and...
Mar 19, 2019 Comments Off on Mike Pompeo returns to Middle East to urge action against Iran with 3 different partnersMike Pompeo returns to Middle East to urge action against Iran with 3 different partners Mike Pompeo returns to Middle East to urge action against Iran with 3 different partners Secretary of State Mike Pompeo is...
Jul 14, 2016 Comments Off on Corps’ one hundred thousand of triggered missiles in Lebanon:An official Israel-threatening by CorpsIran Briefing: Since August 7, 1979, when Ayatollah Khomeini declared the last Friday of Ramadhan as “Quds Day”, the Islamic Republic has always tried to hold an imposing ceremony by using state resources as well as requiring people’s involvement. This year’s Quds march had fundamental...