Whodunnit? Conflicting accounts on ARAMCO hack underscore difficulty of attribution

Filed Under: Featured, Law & order, Malware

Saudi AramcoA recent report suggests that the devastating cyber attack that wiped out thousands of computers belonging to Saudi Arabia's national oil company was the work of a lone hacker - days after the US Secretary of Defense cited it as an example of a state-sponsored attack.

But what do we really know?

On October 25th, Bloomberg, citing unnamed sources "involved in the investigation," reported that clues within the Shamoon malware - used in attacks that struck 55,000 computers on Saudi Aramco's corporate network - suggest a lone attacker who released an "amateurish" virus on the network using an infected USB.

But that report runs counter to earlier reports, and the official line in Washington, D.C., which is that Shamoon is the leading edge of a coming storm of sophisticated, state-sponsored cyber attacks from America's enemies in the Middle East, Asia and elsewhere.

So who's right?

It might be worthwhile to review the Shamoon outbreak.

As we reported previously: the malware was released on Aramco's network on August 15, the day preceding one of the holiest nights of the Islamic year.

The virus spread from computer to computer on Aramco's network, wiping out critical files from the hard drives of machines it infected and displaying an image of a burning American flag on compromised hosts.

In response, Aramco shut down its entire corporate network as it went about replacing infected drives on 30,000 workstations - a job that took more than 10 days to complete.

Statement from Aramco on Facebook

The attack at first seemed like a response to an earlier incident: the compromise of systems belonging to Iran's Oil Ministry in April.

That attack, which forced the temporary closure of Iran's oil processing facility on Kharg Island, relied on a trusted insider to plant targeted malware specifically designed for the victim's network environment.

Such an attack suggests some degree of planning and sophistication. Besides, a key component of the Shamoon malware was named "Wiper," an apparent reference to the malware that was used in the attack on Kharg Island.

But the similarities to so-called "advanced persistent threat" (APT) style attacks end there.

As Sophos's own malware analysts noted in their report on Shamoon: the malware itself was a ham-fisted and "hackerish" effort that showed none of the sophistication of malicious programs like Stuxnet or Flame.

The malware appeared to be a pastiche of commercial components and publicly available code downloaded from hacker forums. It behaved in ways that were obviously suspicious to malware researchers.

TypingAmong other things, the author or authors misspelled key service names used by the malware and readily revealed the identity of its first victim - a fact that made it easy for Aramco to trace the path of infections back to a single workstation and user account.

Yes, the malware deleted files from infected hard drives and attempts to wipe the master boot record of those systems, but didn't do anything "unrecoverable," SophosLabs expert Paul Baccas reported at the time.

Things could easily have gone a different way.

Those behind the attacks also made no secret of their compromise: publishing public statements on their attack and the addresses of compromised systems online - not typical of APT-style attacks.

Beyond that, clues in the malware cast doubt on Iran as the source of Shamoon.

As the New York Times reported, the code of the malware refers to the "Arabian Gulf," rather than the "Persian Gulf" - the term of choice for Iranians.

The evidence of links to Iran in the Shamoon/Aramco attack were "largely circumstantial," Bloomberg reported, citing interviews with U.S. intelligence officials.

American flag. Image from ShutterstockThat makes it all the stranger that Defense Secretary Leon Panetta, speaking at a conference for Business Executives for National Security in New York on October 11th, called Shamoon a "very sophisticated tool" and cited the Aramco incident as evidence of the danger of a "Cyber Pearl Harbor." (A phrase, by the way, that many deem tasteless)

The Shamoon attack, Panetta said, and a subsequent attack on the Qatari firm RasGas was one of the most destructive to date and underscored both advances in malware and the increase in threats to businesses from sophisticated "cyber actors."

The sad truth may be that cyber security is now a new front in a very old Washington DC parlor game, namely: hyping the threat.

Panetta's clear goal in his speech wasn't to warn about the dangers of malware, per se, or even targeted attacks. Instead, it was to talk up the need for comprehensive cyber security legislation that's been blocked in Congress because of election-related gridlock.

In his speech, Panetta argued that private firms like Aramco don't have the resources to battle such sophisticated threats alone, he said, underscoring the need for greater public-private partnerships - but that new legislation like the pending CISPA act were needed to enable such collaboration.

As Bloomberg noted, it's difficult to distinguish the line between acts of cyber warfare and other attacks, including those by politically motivated hacktivist groups, "social malcontents, criminals and others."

We can understand that getting attribution right in cyber attacks can be difficult. But it's also true that attribution matters - and loose talk about attacks and their origins can be dangerous, especially when the USA. is making ever louder pronouncements that it is ready and able to respond to cyber attacks using all the tools at its disposal - including both logical and kinetic attacks.

Here's hoping that we learn from Shamoon, and other malware outbreaks and get it right (or at least "righter") next time.


American table flag image from Shutterstock.

, , , , , , , , , , , ,

You might like

4 Responses to Whodunnit? Conflicting accounts on ARAMCO hack underscore difficulty of attribution

  1. Skeptic · 540 days ago

    APT?

    Advanced = arrived in an email with fewer than eight spelling errors, and was a targetted attack due to actually using the name of our company in the subject line

    Persistent = we didn't notice it at first, then we continued not to notice it for ages after that, then it took us ages to sort out, as we have already said, it was a targetted attack

    Threat = did we already say, it was a targetted attack

  2. Panetta had a secondary - or perhaps primary - motive for his attribution to Iran, namely to hype the "Iranian threat".

    Under Pentagon doctrine, such attacks can be considered "acts of war" justifying a military response. The US is continually looking for an excuse to attack Iran, Israel's primary enemy in the Middle East and a supporter of all the other parties who are opposed to US and Israeli hegemony in the region - Hamas, Hizballah, Syria, etc.

    The entire "nuclear weapons program" issue is completely made up out of whole cloth and is the primary excuse being used to justify potential war with Iran. Adding in "cyberterrorism" just supports the notion of Iran as a "terrorist sponsor", despite little or no evidence of that role as well.

    Anything that can be used to demonize Iran will be used regardless of the evidence or lack of same, and despite the fact that any action Iran DOES take will be in retaliation for acts INITIATED against it by the US and Israel - who are quite proud of the fact that they started it.

    Bottom line: Anything the US or Israel does that violates international law is perfectly fine - any retaliation of any kind is "terrorism". Convenient.

  3. Turki Alharkan · 540 days ago

    But the real question is...
    if the virus was " amateurish" and released by "lone" attacker, why Aramco did not detect it from the start!

    I am sure they implemented good IDS systems, firewalls, backbone anti-virus protection servers, and isolated DMZs

    What happened to all these security technologies?!

  4. Scuba Guy · 539 days ago

    "malware itself was a ham-fisted and "hackerish" effort that showed none of the sophistication of malicious programs like Stuxnet"

    Some U. S. government agency pushing its Digital Armageddon agenda made the virus look like an intoxicated 16 year old wrote it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.