Michael Riley, Glen Carey, and John Fraher
Multiple attacks emanated from Iran, digital evidence suggests
Mid-November breaches wipe data at Saudi air authority, others
State-sponsored hackers have conducted a series of destructive attacks on Saudi Arabia over the last two weeks, erasing data and wreaking havoc in the computer banks of the agency running the country’s airports and hitting five additional targets, according to two people familiar with an investigation into the breach.
Saudi Arabia said after inquiries from Bloomberg News that “several” government agencies were targeted in attacks that came from outside the kingdom, according to state media. No further details were provided.
Although a probe by Saudi authorities is still in its early stages, the people said digital evidence suggests the attacks emanated from Iran. That could present President-elect Donald Trump with a major national security challenge as he steps into the Oval Office.
The use of offensive cyber weapons by a nation is relatively rare and the scale of the latest attacks could trigger a tit-for-tat cyber war in a region where capabilities have mushroomed ever since an attack on Saudi Aramco in 2012.
Unlike the Aramco attack or the one by North Korea against Sony Pictures in 2014, the latest was perpetrated by detonating a cyber weapon inside the networks of several targets at once, the people said. Concerns over a broader campaign set off a search in computer networks throughout the Gulf for more traces of the digital bomb.
No one was available to comment at the Iranian foreign ministry or at the Iranian presidency’s media relations department. Wednesday was a public holiday and Thursday is the start of the Iranian weekend.
The ferocity of the attacks appears to have caught Saudi officials by surprise. Thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation, erasing critical data and bringing operations there to a halt for several days, according to the people familiar with the investigation.
Air travel, airport operations and navigation systems weren’t disrupted by the attack, the authority said in response to questions. The attack affected office administration systems only, it said.
The people familiar with the probe didn’t identify the other targets but one said they were all inside Saudi Arabia and included other government ministries in the kingdom, where information is highly controlled. Extensive damage occurred at four of the entities but the virus was halted by defensive measures at the other two.
The U.S. considers Iran a major cyberwar adversary, one that has repeatedly demonstrated a willingness to use digital attacks. U.S. officials have said Iran was behind months of strikes in 2012 against the websites of major U.S. banks and the infiltration of a small dam 20 miles north of New York City the following year. They said Iran was also behind the attack on Aramco, the world’s largest oil company, which destroyed 35,000 computers within hours.
Iran itself has been the victim of cyberstrikes, with experts saying that the U.S. and Israel were behind an attack that used the so-called Stuxnet virus to disable operations at an Iranian nuclear enrichment plant at the start of the decade.
Tensions appeared to ease after the Iranian government reached a nuclear-nonproliferation deal last year with five members of the United Nations Security Council, an accord shepherded by the U.S.
As a candidate, Trump said little about cyber security but he has taken a consistently hard line on relations with Iran, including saying he would tear up the nuclear accord.
Investigators piecing together the computer destruction are trying to determine a motive for the attacks, which occurred between Trump’s election and key OPEC meetings, the people said.
“Anyone who did this attack knows it has implications for the nuclear deal,” said James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington.
Lewis was responding to a description of the incident but didn’t have direct knowledge of it. He said the attacks “could be a shot over the bow by Iran” or possibly the work of another country mimicking Iran in hopes of derailing the accord with a provocative act.
So far, investigators have found no evidence to suggest a country other than Iran was involved in the attacks, the people briefed on the probe say. However, it’s also possible that attacks of this kind can be mimicked to make them look like they come from a particular country.
“Some of these are signaling operations, testing the threshold. Is the response going to be just a speech or is it going to be something more?” asked Melissa Hathaway, a senior adviser at Harvard University’s Belfer Center and former cyber official in both the Obama and Bush administrations. Like Lewis, she spoke generally and without direct knowledge of the Saudi incident.
“The next president and his team will have to grapple with these questions probably in the first month, maybe even the first 72 hours,” she said.
The attacks were conducted with the same malware, known as Shamoon, that devastated Saudi Aramco in 2012. Although hackers usually add enhancements to malware to advance its capabilities and make it harder to detect, they used exactly the same file as in the Aramco incident, the people familiar with the investigation said.
Shamoon overwrites files and renders the infected computers inoperable by destroying the master boot record. It spreads quickly throughout a network, causing destruction like the digital version of a wildfire.
In a similar move in 2014, Iranian hackers managed to destroy most of the computer network of Sheldon Adelson’s Sands Corp., after the casino magnate angered Iranian leaders by publicly suggesting the use of nuclear weapons against the country. The U.S. publicly cited Iran as the culprit.
Concerned there might be additional targets, investigators working the latest case began alerting governments and companies last week. They quietly distributed digital indicators that can be used to determine if the Iranian malware is hiding in other networks. The first samples of the malware used in the latest attack were uploaded on Nov. 16, likely indicating the date of the first attack, according to records from VirusTotal, a malware library.
Though he is not involved in the investigation, Tony Lawrence, chief executive officer of VOR Technology, a Hanover, Maryland-based cyber-security firm, said the attacks, as described, sounded like a display of power by Iran. “They’re saying, ‘We’re not here to be messed with, and if you do, we’ll retaliate.’”