China and its Discontents

Was Iran Behind the Cyberattack on Saudi Aramco?


I can’t believe I missed this major story earlier this month: “hacktivists” attacked Saudi Aramco’s 30,000-computer network. What is surprising is the method–instead of the standard Denial of Service attack (DoS), they managed to introduce malware onto Aramco systems. Even more interesting, however, was the statement released by the purported originators of the attack, “Cutting Sword of Justice”:

It said the company was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries, including Syria and Bahrain. Saudi Arabia sent troops into Bahrain last year to back the gulf state’s Sunni Muslim rulers against Shiite-led protesters. Riyadh is also supporting Sunni rebels against the Syrian government of President Bashar al-Assad.

The group blames Saudi Arabia for interfering in Bahrain and Syria. In a basic geopolitical analysis of the Middle East, who would be the only player angry at Saudi Arabia for those interventions? Iran and its client terrorist network, Hezbollah. They are the only actors who have something to lose when the Sunni monarchists in Bahrain hang onto power or if Bashar al-Assad falls from power.

Furthermore, Jeffrey Carr gave a stunning explanation at InfoSec Island on why it’s not only plausible but likely Hezbollah and the Iranians were behind the attack: the malware used in the Saudi Aramco attack, Shamoon, is likely a reverse engineering of the Wiper virus which hit the Iranian oil ministry in April. Only Iran and its attackers (likely Israel or the U.S.) had access to the Wiper Virus. In addition, Hezbollah reportedly has covert members embedded in Aramco as employees who could carry out such an attack. Finally, Carr notes, the Iranians have more obvious motives than revenge or religion as cited in the public “hacktivist” statements–Saudi Arabia supported the recent US-EU oil embargos on Iran and replaced oil imports from Iran with others.

This is a disturbing trend, and inevitable since U.S. and Israeli-sponsored cyberattacks on Iran came to light. Cyberattacks will continue to escalate among Iran, Russia, China, the West, Western allies, and unaffiliated groups, untouched by any sort of international legal regulatory framework. Such activity will become, and probably already is, the normal state of affairs. Given this situation, it is impossible to predict when a cyberattack will result in an “overt,” conventional military response, as one almost certainly will in the future. This is one of the biggest strategic uncertainties facing the future–and unfortunately, it doesn’t look like any actor wants to or can fix it.

UPDATE: Qatar’s RasGas has also just been a victim of a cyberattack. It’s unclear at this point if any group has taken responsibility, or if it was the same virus. My bet is that Iran and/or Hezbollah are also responsible.

UPDATE 2: The Wall Street Journal confirms that the virus used in the RasGas cyberattack was also Shamoon.

Written by Will

August 30th, 2012 at 4:46 pm