Who's Responsible for the Saudi Aramco Network Attack?

Tuesday, August 28, 2012

Jeffrey Carr


At least three different hacker groups have claimed responsibility for the August 15th, 2012 attack against Saudi Aramco's network which damaged 2000 servers and up to 30,000 workstations but which failed to impact the segregated production and exploration networks.

Only two of the three groups are named, and neither name has any prior Internet history associated with it.

The first, which calls itself the Arab Youth Group, uses terms like "evil Al-Saud" and "Al-Saud traitors" and specifically refers to Lebanon and the Forqan War (aka Operation Cast Lead 12/2008-1/2009) which at least one Iranian hacker crew - the Ashiyane Security Group - participated in.

The second hacker group calls itself the Cutting Sword of Justice. They posted multiple Pastebins containing proof of the scale of the attack in the form of compromised IP addresses of servers. They also posted the start date and time, which corresponds to the code string found in Shamoon. Their posts lacked the religious phrasing of the Arab Youth Group and emphasized "tyranny" and "oppression" instead.

The third hacker group is the one which announced a second attack on 25 Aug 2012 at 2100 GMT in order to prove that they didn't need an insider's help. That attack doesn't appear to have been successful.

The Cutting Sword of Justice specifically referred to them as a separate group, and their phrasing and word choice differ from that used by the Arab Youth Group. This third group seems to be a latecomer and can be dismissed as an active participant in the attack.

And while the Arab Youth Group and the Cutting Sword of Justice have claimed responsibility, the timing and circumstances of the attack place it beyond either group's ability to conduct it alone.

Iran and Hezbollah

According to the analysis that's been done on Shamoon by Kaspersky Labs, it appears to be related to the Wiper virus that struck Iran's oil ministry last April.

None of the security labs have a copy of Wiper but since Iran was the victim, it would be in the best position to produce a similar or reverse-engineered version that Kaspersky has named Shamoon.

Hezbollah, a Shi'a militant group based in Lebanon, receives financial and political support from Iran. Since Hezbollah's members include hackers, and given Iran's decision in late 2010 to recruit hackers into the ranks of its Basij paramilitary corps, Hezbollah's possible involvement in this attack against Saudi Aramco must be properly evaluated.

In fact, a Saudi Arabian minister in 2007 was quoted in a U.S. diplomatic cable in which he expressed his fear that Saudi Aramco had some employees who were members of Hezbollah and who were in a position to disrupt oil production.

Lebanese Shi'a Questioned

According to this Arabic website, up to 70 Aramco employees, including Lebanese Shi'a, are being investigated for involvement in the attack. There's not enough information to know whether they were investigated because their religious beliefs made them suspect or because there was evidence connecting them to the attack. Knowledgeable sources have told me that the number of suspects has been reduced from 70 to 20.

Tension between Iran and Saudi Aramco Over Oil Embargo

The stated motivation for this attack by the Arab Youth Group and Cutting Sword of Justice is a nebulous religious objection which completely fails to acknowledge recent events related to the oil embargo placed upon Iran by the U.S. and European Union that went into effect on July 1, 2012.

Is it just coincidence that these groups attacked now? More likely, in my judgment, is that this attack represents retribution for Saudi Arabia's Foreign Minister Prince Saud al-Faisal saying that talks with Iran are a waste of time and that the oil embargo should proceed as planned.

To add fuel to this fire, on July 20 India's Mangalore Refinery & Petrochemicals Limited "bought Azeri, Saudi and Emirati crude to replace imports from Iran in July 2012 and it may halt purchases from Tehran altogether as sanctions make shipments more difficult."

Iran responded with a threat to close the Strait of Hormuz if sanctions weren't revoked; however, that same threat has been made many times before and Iran has never carried it out. A much more likely form of retribution, and one that's considerably safer for Iran, is to sponsor a damaging network attack against Saudi Aramco through a proxy like the Arab Youth Group.


Summary

Iran is at the center of every significant aspect of this attack.

It is the only nation with access to the original Wiper virus from which Shamoon was copied.

Iran is angry at Saudi Aramco for offsetting Iran's drop in oil production due to the embargo that started 45 days prior to the attack, which gives it motive.

It supports a militant organization (Hezbollah) that uses hackers and that allegedly has members employed at Saudi Aramco, which gives it opportunity and access.

While the involvement of both the Arab Youth Group and the Cutting Sword of Justice gives it the appearance of a mere hacktivist attack, I think that a careful analysis of the known facts points to a state-sponsored attack by Iran that was crafted to look like the work of hacktivists.

Perhaps Iran has learned something from Russia about the strategy of misdirection via the government's recruitment of patriotic hackers.

Michael Yardley: What evidence do you have for all this? Some Google search? No members of Anonymous in Saudi Arabia know anything about it?
1346279962
Jeffrey Carr: For all of what, specifically? For the hacker groups claiming credit? (see links) For the possibility of Hezbollah's involvement? (see links) For Iran's threatening Saudi Arabia not to increase their oil production? (see links) And no one that I know of has claimed that Anonymous was involved in any way.
1346283701