On Monday, several Saudi government sites came under serious cyber attack. The attackers used an updated version of the “Shamoon” malware, reported as a hybrid with ransomware, to breach the systems of the Ministry of Labor, the Industrial Development Fund, and a number of companies, most prominently a chemical exporter.
Experts dubbed the malware “Shamoon 2”, and the Communications and Information Technology Commission (CITC) issued a warning on its Twitter account, urging people to be wary of this new iteration of the same virus that struck Saudi companies in 2012 and caused grave financial losses.
The malware renders infected computers unusable by overwriting the low-level code a machine needs to start, so the device can no longer be rebooted. On the ransomware component, the National Information Security Guidance Center at the CITC advised removing the malware with an antivirus product and using the decryption tools that antivirus vendors publish to recover files. Users were also advised to seek technical assistance from an antivirus vendor. In all cases, the center advised against paying the ransom.
This was not the first attack on Saudi government and private-sector systems. Hackers have launched numerous attacks in the kingdom since 2012; we recall some of the most prominent ones.
The Saudi Arabian Monetary Agency: Was or Wasn’t it Attacked?
On December 2, 2016, Bloomberg reported that the Saudi Arabian Monetary Agency (i.e. the central bank) had been hacked in the second half of November. However, the agency denied any breach of its information systems in a statement published following the spread of the news.
“The institution has an effective protection system, and constant upgraded surveillance for these types of threats,” the statement read.
Bloomberg’s report was based on two sources who stated that the Monetary Agency’s systems were damaged in a cyber attack that also targeted a number of government authorities and vital facilities, most prominently the transportation sector and the General Authority of Civil Aviation, according to Patrick Wardle, Director of Research at Synack, an internet security company. He also stated that the “Shamoon” virus was used in the attack.
Moreover, the Saudi Press Agency confirmed at the time that Saudi government agencies and vital facilities had come under attack “aiming to disrupt all servers and devices, thereby affecting all offered services.” It further reported that the attackers had gained access to the computer systems’ data and had implanted their malware.
Investigations revealed that on November 17, the malware began erasing the data stored on Saudi agencies’ computers. The files were replaced with a picture of Aylan Kurdi, the three-year-old Syrian Kurdish boy whose body washed up on a Turkish beach in September 2015 after the boat carrying him and his family to the Greek island of Kos capsized; the family had been fleeing the siege of the Syrian town of Kobani.
The malware took control of the computers and prevented them from restarting.
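The symptom described above and in the opening paragraphs, a machine whose files have been replaced with a picture and which can no longer restart, is something an incident responder can check for on a raw disk image. Public analyses of the 2012 Disttrack (Shamoon) samples describe the wiper overwriting the master boot record (MBR) and files with fragments of a JPEG; the article itself does not spell this out. The Python script below is an added example written for this page, not code from any of the sources cited here. It inspects sector 0 of a disk image for the MBR boot signature and for JPEG markers, and flags files whose bytes begin with a JPEG header despite a non-image extension. The disk images and file contents it uses are constructed test data, and the names of the helper functions are this example's own.

```python
"""Forensic triage for a Shamoon-style wipe.

Added example for this page, not code from any analysis cited here.  Checks
whether sector 0 of a raw disk image still carries a valid master boot
record (MBR) or has been overwritten with JPEG data, and whether individual
files have been replaced by image bytes.  All sample data is constructed.
"""
import struct

SECTOR = 512
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of a valid MBR
JPEG_SOI = b"\xff\xd8\xff"     # JPEG start-of-image marker
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}


def mbr_status(image: bytes) -> dict:
    """Classify the first sector of a raw disk image."""
    if len(image) < SECTOR:
        return {"bootable": False, "reason": "image shorter than one sector"}
    mbr = image[:SECTOR]
    has_signature = mbr[510:512] == BOOT_SIGNATURE
    # Four 16-byte partition entries start at offset 446; status byte 0x80
    # marks the active (bootable) partition.
    entries = [mbr[446 + 16 * i:462 + 16 * i] for i in range(4)]
    active = sum(1 for e in entries if e[0] == 0x80)
    populated = sum(1 for e in entries if any(e))
    # A sector full of JPEG start markers is not boot code.
    jpeg_hits = mbr.count(JPEG_SOI)
    if not has_signature and jpeg_hits:
        reason = "MBR overwritten with image data"
    elif not has_signature:
        reason = "boot signature missing"
    elif not active:
        reason = "no active partition"
    else:
        reason = "ok"
    return {
        "bootable": has_signature and active > 0,
        "boot_signature": has_signature,
        "active_partitions": active,
        "partition_entries": populated,
        "jpeg_markers_in_sector0": jpeg_hits,
        "reason": reason,
    }


def file_replaced_with_image(name: str, data: bytes) -> bool:
    """True when a non-image file now starts with a JPEG header: the
    'every document became the same picture' symptom described above."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    return ext not in IMAGE_EXTENSIONS and data.startswith(JPEG_SOI)


def build_healthy_image() -> bytes:
    """Constructed 4-sector disk with one active NTFS partition."""
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"            # typical jump at start of boot code
    # status, CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                               b"\xfe\xff\xff", 2048, 1048576)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr) + bytes(SECTOR * 3)


def build_wiped_image() -> bytes:
    """Constructed disk whose every sector is a repeated 8-byte JPEG header
    fragment, the way a wiper writing one image over everything leaves it."""
    fragment = JPEG_SOI + b"\xe0\x00\x10JF"   # 8 bytes, 64 per sector
    return (fragment * (SECTOR * 4 // len(fragment) + 1))[:SECTOR * 4]


if __name__ == "__main__":
    for label, image in (("healthy", build_healthy_image()),
                         ("wiped", build_wiped_image())):
        print(label, mbr_status(image))
    print(file_replaced_with_image("quarterly.xlsx", build_wiped_image()[:64]))
```

On a real case the same functions would be fed the first sectors of a forensic image (for example the output of `dd` on the affected disk) and the contents of sampled user files; a missing boot signature combined with JPEG markers in sector 0 is the expected footprint of the behaviour the article describes, while a missing signature without image data points to some other cause.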
The August 2016 Hack
In August 2016, a number of Saudi government agencies and vital facilities, as well as private-sector companies, fell victim to another cyber attack. The Ministry of Interior confirmed on its Twitter account at the time that “the foreign cyber attacks that have targeted the kingdom’s networks occurred through the exploitation of a hole in the email servers.”
The National Center for Cyber Security Technology revealed at the time that government bodies were the most heavily targeted, accounting for 39% of the attacks. Other sectors were hit as well: the media sector followed with 23%, then telecommunications and information technology with 15%, and finally electricity and water with 8%. The attack was ranked as a Grade Two threat because it targeted more than one institution and because of the methods involved.
The April 2015 Attack on Al-Hayat Newspaper
The website of the Saudi newspaper Al-Hayat, which is headquartered in London, was breached on April 13, 2015, in a targeted attack that took the site down for several hours; it only came back online the next morning.
The hackers identified themselves as the Yemen Cyber Army, using a picture of Hezbollah’s Secretary General Hassan Nasrallah with the message, “Prepare your bomb shelters,” and the logo of the Yemeni Ansarullah movement, better known as the Houthis.
However, the website administrators replaced the picture a few minutes later with the message: “Website under maintenance due to an attack.”
Editor in Chief of Al-Hayat Ibrahim Bady confirmed to Reuters that the newspaper was eventually able to regain control of the website, noting that they deleted the photos and restored their files.
The 2012 Hack: Aramco Loses Millions
The first attack using the “Shamoon” virus, in 2012, targeted a number of Saudi companies, most prominently the oil giant Aramco. It disabled 35,000 of the company’s computers in a matter of hours and is reported to have cost the company tens of millions of dollars as operations were disrupted across four continents.
Former US Secretary of Defense Leon Panetta described the attack as one of the most critical attacks on a private business.
The hackers left an image of a burning US flag on the devices that they hacked.
Prime Suspect: Iran
US cybersecurity firm CrowdStrike has stated that the hackers behind the 2012 “Shamoon” attack were likely working on orders from the Iranian government, and it suspects the same of the more recent attacks.
US security company Palo Alto Networks reported in November that it had observed a resurgence of the destructive attacks tied to the “Shamoon” campaign that began in 2012. “Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign,” the company’s blog read.
Has Iran shifted the tactics of its proxy war to the electronic realm over the past few years? In light of the sweeping economic overhaul expected under Saudi Vision 2030, hackers may be the most effective tool for striking government institutions and the private sector at once.