Saudis warn of new destructive cyberattack that experts tie to Iran

Jenna McLaughlin
·National Security and Investigations Reporter
Updated

Saudi authorities detected a new destructive cyberattack suspected of coming from Iran on Dec. 29, the same day the U.S. military struck targets controlled by Iranian-backed proxies in retaliation for a rocket attack that killed an American contractor the previous Friday.

Officials in Riyadh, who nicknamed the malware “Dustman,” did not directly attribute the malicious attack to Iran, according to a Saudi technical report obtained by Yahoo News. However, according to experts who reviewed the technical report and analyzed possible motivation and similarities to past attacks, Tehran is the most likely culprit.

The “wiper” attack, which was identified by the Saudi National Cybersecurity Authority, used malware to erase digital data belonging to unidentified targets in the Middle East.

Data wipe attack on Saudi Arabia by Iran
Photo illustration: Yahoo News; photos: AP (2), Getty Images (2)

While the Dustman malware attack came before the Jan. 2 U.S. strike that killed the commander of the Islamic Revolutionary Guard Corps Qassem Soleimani, it underscores larger concerns about Iran’s cyber capabilities. After Soleimani’s death, the Department of Homeland Security warned against the danger of increasing Iranian cyberattacks — a cheap, deniable way Tehran could retaliate without provoking an all-out shooting war.

The Dustman malware, and other prior attacks, reveal the extent of the low-level, sometimes destructive cyber warfare that Iran has waged in the Middle East for some time, and provides clues as to the tactics and capabilities Iran might deploy in the future.

According to the Saudi researchers, the malware is a variant of a similar strand discovered by IBM’s threat intelligence team X-Force called “ZeroCleare,” detailed in a December 2019 report.

“This activity has been alive and well in the Middle East,” said John Hultquist, director of intelligence analysis for cyber threat intelligence firm FireEye, in an interview with Yahoo News. Iran has been maturing its cyber capability over the years, but “we’ve been watching them,” Hultquist said.

While the Department of Homeland Security acting Director Chad Wolf tweeted there’s “no specific, credible threat against the homeland,” U.S. officials are monitoring for potential cyberattacks very closely, given Iran’s track record.

“The real question is whether or not they will shift this activity to the United States,” Hultquist said.

According to the Saudi National Cybersecurity Authority technical report, an attacker, likely a “nation-state,” penetrated a Middle Eastern victim’s network several months prior to detection. Then, on Dec. 29, the attacker “detonated” the payload with “some kind of urgency,” wrote the authors.

The Saudi investigators wrote that wiper attacks are typically “tested before being deployed,” but this particular malware was compiled only “minutes” prior to being executed­ — an unusually fast turnaround. One cybersecurity researcher who requested anonymity to discuss the sensitive details of the attack suggested the speed of the attack “shows intention and priorities” and could indicate that the invaders were worried they’d be caught, or “the wiper was deployed as retaliation” for the U.S. strikes on Jan. 29.

However, another cybersecurity researcher studying Iran cautioned that there’s danger in linking physical events with immediate digital responses, and noted that compiling the malware shortly before deploying it might not indicate how long it took to develop or why it’s executed at a specific moment. It’s possible IBM’s earlier report on ZeroCleare made the attackers worried about losing access, they continued.

It’s unclear how long the malware has been active, said one cybersecurity researcher who requested anonymity to discuss preliminary research. The researcher, who is studying the malware, suggested it may have been active as early as March.

The Saudi Arabian government did not immediately respond to a request for comment on the report.

The attack, according to the Saudi researchers, had some similarities with the “Shamoon” malware, an infamous virus linked to Iran in 2012 that was deployed and “bricked” — or wiped out — 30,000 work-stations at Saudi state oil company Saudi Aramco. However, this new malware was extremely similar to ZeroCleare, suggesting it was some kind of variant of the malicious code uncovered by IBM earlier in December rather than a completely new style of attack.

The attackers may have taken advantage of an unpatched vulnerability in Virtual Private Network software, obtaining high-level credentials within the network and bypassing security protocols to launch the attack. The attack isn’t highly sophisticated, commented one security expert who frequently works with U.S. Cyber Command and requested anonymity to discuss their observations, but “bare bones” solutions can sometimes be effective.

According to IBM’s X-Force, the company’s threat intelligence team, the “ZeroCleare” malware has impacted the industrial and energy sectors in the Middle East, and was most likely unleashed by multiple state-sponsored groups in Iran. “ZeroCleare was spread to numerous devices on the affected network, sowing the seeds of a destructive attack that could affect thousands of devices and cause disruption that could take months to fully recover from,” wrote IBM’S researchers in a detailed December report.

Additionally, according to X-Force, the number of destructive attacks IBM helped companies respond to skyrocketed in the last year, increasing 200 percent over the last 6 months of 2019. Attackers can have “military objectives” to “deny access to, degrade, disrupt, deceive, or destroy the device/data” or potentially economic reasons, wiping the data only when victims fail to pay the attackers, according to IBM.

Iranian hackers developed their destructive “wiper” style attacks after a U.S.-Israeli cyberattack on Iran’s centrifuges at Natanz enrichment facility was discovered in 2010. Over the summer, the Department of Homeland Security’s top cyber official, Chris Krebs, warned of a “recent rise in malicious cyber activity directed at United States Industries and government agencies by Iranian regime actors and proxies,” including through wiper attacks.

The U.S. decision to kill Soleimani has led to speculation as to what Iran might do to strike back. Cybersecurity researchers are divided on how Iran might incorporate its digital skills into a response, including whether or not Iran’s capabilities are advanced enough to cause lasting damage to U.S. infrastructure or industries.

“I don’t think they’re going to cause blackouts,” said FireEye’s Hultquist, of Iran’s capabilities.

However, that doesn’t mean Iran can’t do damage, according to Hultquist, who speculated that Iran might target U.S. businesses, which would be a “public incident that affects peoples’ lives.”

Another dangerous possibility, Hultquist told Yahoo News, would be Iran weaponizing its proven digital espionage and surveillance capabilities to track people in real time, as well as ships traveling in the region or military movements. “They’ve been slowly gaining access to telecom providers, travel companies,” he said, and if Iran used those capabilities to target individuals,“it’s a very real terrorism threat.”

Another less likely possibility would be for Iran to target an industrial control system or another vulnerable piece of infrastructure within the United States, but that would require a long-planned operation and pre-existing access to those systems, rather than a quick, retaliatory strike.

That sort of attack is possible, but less likely right now, according to a cybersecurity researcher who requested anonymity to discuss sensitive details. “Offense is cheap and easy but real operations take time,” said the researcher. “If they do pull off something at a power or water or gas utility, it will likely be from some preexisting access we missed.”

Iran’s capabilities are fairly well known, and details of Iranian cyber operations were leaked or published online over the last year, shining a light on their tools and tactics. U.S. Cyber Command has published multiple examples of Iranian-linked malware to open source websites, and an anonymous source posing as a former Iranian cyber operator dumped details online about the nation-state’s digital tools last April.

While Iran’s cyber capabilities are ambitious, they are not, according to the cybersecurity researcher, a major threat to Western infrastructure. “Based on their tooling, and all the intel I read,” said the researcher, “their capabilities do not match their aspirations.”

_____

Read more from Yahoo News: