Is Iran behind cyber attacks on Saudi Arabia?

A crippling cyber attack on critical Saudi Arabian computer infrastructure could be the work of Iranian state-sponsored hackers, sources and experts have said.

Shamoon, the virus used, is not new. But if indeed Iran is behind it, the scope of the attack could signal a dramatically upgraded Iranian cyber-warfare capabilities, which in future could be used against other foes such as Israel.

The timing and backdrop could not be more telling: an escalating Russian-US showdown in cyberspace in a world where dumping of hacked classified material has become routine; and tightening of US sanctions on Iran, itself not long ago the target of suspected US-Israeli cyber operations.

In 2012, a Shamoon-linked strike on state oil company Saudi Aramco and Qatari natural gas firm RasGas prompted US intelligence officials to say they suspected a link to the kingdom's regional rival Iran.

Following the fresh attack by hackers to disrupt Saudi government computers - including an attack on Riyadh's central bank computers that was later denied - experts are again suggesting a link to Iran.

Iranian state-sponsored hackers were likely responsible for the attacks, according to Bloomberg, which cited two unidentified sources involved in ongoing investigations into the breach.

This could present US President-elect Donald Trump with a major national security challenge as he steps into the Oval Office, Bloomberg said.

"The use of offensive cyber weapons by a nation is relatively rare and the scale of the latest attacks could trigger a tit-for-tat cyber war in a region where capabilities have mushroomed ever since an attack on Saudi Aramco in 2012," added the report.

Bloomberg was referring to the incident when in a matter of hours, 35,000 computers using the same virus were partially wiped or totally destroyed, undermining state oil giant company Saudi Aramco's ability to supply 10 percent of the world's oil consumption.

So far, Iran has neither confirmed nor denied links to the latest attack.

Iranian connection

So far, Iran has neither confirmed nor denied links to the latest attack.

Twitter Post

The cyber strike did not just target banks and energy companies this time, but also attempted to breach sensitive sectors in Saudi Arabia, including civil aviation, something bound to set off alarms in Gulf capitals and beyond.

Saudi Arabia's aviation regulator, the General Authority of Civil Aviation, was targeted by a version of the powerful Iran-linked malware in mid-November, according to press reports.

But air travel, airport operations and navigation systems were not disrupted by the attack, the authority told Bloomberg.

Some experts have disputed the Iranian connection, however.

Symantec Security Response Technical Director Eric Chien told SC Media while his firm doesn't have evidence that the attack can be attributed to Iran, there is evidence that could point to the contrary.

"In the first Shamoon attack, there is a directory path string within the binary that refers to 'Arabian Gulf', which is not a term that would be typically used in Iran," Chien said.

"Further, in the recent Shamoon attack, the picture of Aylan Kurdi is placed on wiped machines and Kurdi is of Kurdish descent."

He went on to say generally, the state of Iran is not preferential to the Kurdish, however, none of the indicators mean the attacks aren't sponsored by Iran either, according to SC Media.

The preparatory work involved in the attack requires the capabilities of a nation state

Global uncertainty

Yet experts say the preparatory work involved in the attacks, all of which targeted entities in Iran's arch-rival Saudi Arabia, requires the capabilities of a nation state.

The motives behind the attack remain unclear in a global cyber-landscape marred by uncertainty.

In 2010, Iran itself was targeted in the Stuxnet virus attack on its uranium enrichment programme, widely believed to have been launched by the US and Israel.

The US considers Iran a major cyberwar adversary, one that has repeatedly demonstrated a willingness to use digital attacks, says Bloomberg.

Iran was behind months of strikes in 2012 against the websites of major US banks and the infiltration of a small dam north of New York City the following year, according to US officials, who said Iran was also behind the attack on Aramco.

One of the biggest problems with tit-for-tat attacks like these is that they unleash geopolitical uncertainty on a global scale, KoolSpan Executive Chairman Elad Yoran told SC Media.

"What that means on a national level, for the United States government [is] what thresholds trigger what kind of response against whom, and does cyber attack beget cyber attack response."

One of the key goals of cyberwarfare is maintaining plausible deniability

'We are here'

One of the key goals of cyberwarfare is maintaining plausible deniability, so it is unlikely for governments to admit culpability. 

In the absence of conclusive evidence, experts are turning to speculation.

Against the backdrop of renewed tensions over the nuclear deal and resurgent US hostility to Iran, the attack may have been even designed to look like an Iranian attack, according to James Lewis, director of the strategic technologies programme at the Center for Strategic and International Studies in Washington, quoted by Bloomberg.

Conversely, it could be an Iranian pre-emptive warning.

Tony Lawrence, chief executive officer of VOR Technology, a Hanover, Maryland-based cyber-security firm, said the attacks, as described, sounded like a display of power by Iran.

"They're saying, 'we're not here to be messed with, and if you do, we’ll retaliate'."