Global Issues: Saudi Insider Likely Key to Aramco Cyber-Attack
The alleged Iranian hand behind the attack, first reported Saturday by the Wall Street Journal, was described as one of several forays by the increasingly sophisticated “Iran’s Cyber Army” whose existence first surfaced in 2009, according to experts here.
One key element of the Aramco attack, however, has not yet been reported. Two former senior CIA officials told IPS that it appears to have been carried out with the help of personnel inside Aramco. They said that the Saudi regime has been detaining and questioning staff with access to the affected work stations.
The fact that the work stations were not connected to the Internet lends credence to reports that the attack was facilitated by a Saudi Aramco employee.
“The attackers knew what they were doing, and it is clear they had inside knowledge. They had people inside that could move about,” according to one of the sources who asked not to be named.
Both said that one or more operators were involved.
Saudi Aramco has hired at least six firms with expertise in computer hacking, as well as outside experts, to repair the computers and to try and identify the perpetrators, according to the former CIA officials.
The virus is being called “Shamoon” after a word in its code, according to New York Times technology blogger Nicole Perlroth, who wrote in late August that key data on three-quarters of the company’s office computers were overwritten and replaced with the image of a burning U.S. flag, an account confirmed by U.S. officials here.
U.S. intelligence sources stressed that the damage was limited to those computers. Software used for the company’s massive technical operations, including pumping operations, remained untouched.
The attack is believed to have been fueled in part by sectarian as well as political differences.
Richard Stiennon at IT-Harvest, a company that tracks evolving cyber threats, told IPS in an interview that Iranian-trained hackers probably launched the attack “in deep wrath” at the long-time mistreatment of the Shiites in Saudi Arabia’s Eastern province where most of Aramco’s operations are based.
Unrest among the Shia Muslims in the region has increased sharply since Riyadh sent troops into Bahrain 18 months ago as part of a crackdown by that sheikhdom’s Sunni monarchy against the Shiite majority and other opposition forces.
Syria’s civil war – which pits the Iranian-backed Alawite-led government of President Bashar Al-Assad against a mainly Sunni insurgency supported by Saudi Arabia, Qatar and Turkey – has also stoked sectarian tensions around the region. An offshoot of Shi’a Islam, Alawites are considered heretics by conservative Sunnis who dominate the Saudi kingdom.
Saudi Arabia also provided support to Sunni tribes in Iraq after a predominantly Shi’ite government took power there following the 2003 U.S. invasion.
The attack on Aramco, as well as an August attack against a Qatari natural gas company – now being attributed to Iran – are also seen as retaliation for the Stuxnet virus that was reportedly developed jointly by the U.S. and Israel as part of a larger effort designed to disrupt Iran’s nuclear programme. Stuxnet destroyed up to 1,000 centrifuges at the Natanz enrichment facility.
Recent cyber-attacks on major U.S. bank websites have also been blamed on Iran, whose economy has been sent into a tailspin in major part due to the effectiveness of far-reaching U.S. and European economic sanctions that are also designed to curb Iran’s nuclear programme.
A small group of hackers, numbering about 100 operatives and calling themselves “The Cutting Sword of Justice”, claimed responsibility for the attack. Reports of similar attacks on other oil and gas firms in the Middle East, including in neighbouring Qatar, suggest that Iran is positioning itself as a regional cyber power.
Iran’s Cyber Army (ICA) began as a group within the Iranian military, according to Paulo Shakarian, an expert at the West Point Military Academy and co-author with Andrew Ruef of a book called “Introduction to Cyber Warfare: A Multidisciplinary Approach”. Shakarian said the ICA uses equipment and tactics far less potent than more advanced cyber powers, including the U.S., Israel, Russia and China, but the group is fast learning more effective tactics.
If the alleged Iranian hackers used one or more insiders to launch the Shamoon virus, they might have been inspired by perhaps their most determined enemies.
The Stuxnet virus that damaged Iran’s nuclear programme was allegedly implanted by an Israeli proxy – an Iranian, who used a corrupt “memory stick.32”, former and serving U.S. intelligence officials said. They said using a person on the ground would greatly increase the probability of computer infection, as opposed to passively waiting for the software to spread through the computer facility.
“Iranian double agents” would have helped to target the most vulnerable spots in the system, one source said.
According to James Lewis, a cyber expert at the Center for International and Strategic Studies (CSIS), here, “The memory stick is the perfect tool. It can be left behind in a men’s room or left in a parking lot, and someone will at last plug it in and set the virus running. It’s human nature.”
“It’s basically a kind of low-grade cyber war,” said Vincent Cannistraro, former head of the CIA’s Counter-Terrorism office.
Israel has allegedly used cruder methods than Stuxnet to attack Iran’s nuclear programme, including the assassination of several scientists associated with it.
A senior State Department official said last month that such attacks were considered “terrorism” by Washington, which denounced the killing last January of a deputy director of the Natanz facility in unusually vehement terms. The same official insisted that the U.S. had no information as to who was behind the assassination, however.
Former and senior U.S. intelligence officials believe Israel has used recruits from the Mujahedeen-e-Khalq (MEK) for the assassinations.
“The MEK is being used as the assassination arm of Israel’s Mossad intelligence service,” said Cannistraro. He said the MEK is in charge of executing “the motorcycle attacks on Iranian targets chosen by Israel. They go to Israel for training, and Israel pays them.”
In his remarks last week, Panetta did charge Iran with responsibility for the attacks on Aramco, but he described them as “probably the most destructive attack that the private sector has seen to date.”
After the existence of Stuxnet was disclosed in June 2010, many international legal experts noted that it would likely set an unfortunate precedent that could blow back against its creators.
*Richard Sale is author of the 2009 book, “Clinton’s Secret Wars: The Evolution of a Commander in Chief”.