Posts Tagged Cyber

Insiders suspected in Saudi Arabia cyber attack

One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company last month, sources familiar with the company’s investigation say.

The attack using a computer virus known as Shamoon against Saudi Aramco – the world’s biggest oil company – is one of the most destructive cyber strikes conducted against a single business.

Shamoon spread through the company’s network and wiped computers’ hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations.

The hackers’ apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.

“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination.

Hackers from a group called “The Cutting Sword of Justice” claimed responsibility for the attack. They say the computer virus gave them access to documents from Aramco’s computers, and have threatened to release secrets. No documents have so far been published.

Reports of similar attacks on other oil and gas firms in the Middle East, including in neighbouring Qatar, suggest there may be similar activity elsewhere in the region, although the attacks have not been linked.

Saudi Aramco declined to comment. “Saudi Aramco doesn’t comment on rumours and conjectures amidst an ongoing probe,” it said.

The hacking group that claimed responsibility for the attack described its motives as political.

In a posting on an online bulletin board the day the files were wiped, the group said Saudi Aramco was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries, including Syria and Bahrain.

The Saudi interior ministry did not respond to requests for comment. The foreign ministry was not available for comment.

Saudi Arabia sent troops into Bahrain last year to back the Gulf state’s rulers, fellow Sunni Muslims, against Shi’ite-led protesters. Riyadh is also sympathetic to mainly Sunni rebels in Syria.

Saudi Arabia’s economy is heavily dependent on oil. Oil export revenues have accounted for 80-90 percent of total Saudi revenues and above 40 percent of the country’s gross domestic product, according to U.S. data.

DESTRUCTIVE

Saudi Aramco, which supplies about a tenth of the world’s oil, has hired at least six firms with expertise in hacking attacks, bringing in dozens of outside experts to investigate the attack and repair computers, the sources say.

According to analysis of Shamoon by computer security firm Symantec, the way the virus gets into networks may vary, but once inside it tries to infect every computer in the local area network before erasing files to render PCs useless.
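The spreading phase Symantec describes, a single host trying to reach every other machine on the LAN in quick succession, leaves a signature in ordinary connection logs: one source fanning out to many distinct destinations within a short window. The detector below is an added example, not code from the article or from Symantec’s analysis. The log format and sample lines are constructed; the watched ports (Windows file-share ports), the 60-second window and the threshold of ten peers are assumptions to be tuned per environment.

```python
"""Flag a host that fans out to many LAN peers in a short window, the
pattern of a worm that "tries to infect every computer in the local area
network".  Added example: not code from the article or from Symantec's
analysis.  The log format is constructed; the watched ports, window and
threshold are assumptions to tune per environment."""
from collections import defaultdict
from datetime import datetime, timedelta

WATCHED_PORTS = {445, 139}      # assumption: Windows file-share ports
WINDOW = timedelta(seconds=60)  # assumption: look-back per source host
THRESHOLD = 10                  # assumption: distinct peers in one window

# Constructed sample log: "date time src dst dport" (not real Aramco data).
# 10.1.5.20 behaves like a spreading worm; 10.1.5.50 is ordinary traffic.
SAMPLE_LOG = """\
2012-08-15 11:03:01 10.1.5.20 10.1.5.21 445
2012-08-15 11:03:02 10.1.5.20 10.1.5.22 445
2012-08-15 11:03:03 10.1.5.20 10.1.5.23 445
2012-08-15 11:03:04 10.1.5.20 10.1.5.24 445
2012-08-15 11:03:05 10.1.5.20 10.1.5.25 445
2012-08-15 11:03:06 10.1.5.20 10.1.5.26 445
2012-08-15 11:03:07 10.1.5.20 10.1.5.27 445
2012-08-15 11:03:08 10.1.5.20 10.1.5.28 445
2012-08-15 11:03:09 10.1.5.20 10.1.5.29 445
2012-08-15 11:03:10 10.1.5.20 10.1.5.30 445
2012-08-15 11:03:11 10.1.5.20 10.1.5.31 139
2012-08-15 11:03:12 10.1.5.20 10.1.5.32 445
2012-08-15 11:05:00 10.1.5.50 10.1.5.60 445
2012-08-15 11:05:01 10.1.5.50 10.1.5.61 445
2012-08-15 11:05:02 10.1.5.50 10.1.5.60 445
2012-08-15 11:05:03 10.1.5.50 10.1.5.99 80
2012-08-15 11:06 truncated line that must not crash the parser
"""


def parse(lines):
    """Turn log lines into (timestamp, src, dst, dport); skip malformed ones."""
    events = []
    for raw in lines:
        parts = raw.split()
        if len(parts) != 5:
            continue
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
            events.append((ts, parts[2], parts[3], int(parts[4])))
        except ValueError:
            continue
    return events


def fanout_alerts(events, window=WINDOW, threshold=THRESHOLD, ports=WATCHED_PORTS):
    """Return one (src, window_start, peer_count) per source whose distinct
    destination count on the watched ports reaches the threshold inside
    any sliding window of the given length."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        if port in ports:
            by_src[src].append((ts, dst))

    alerts = []
    for src, conns in by_src.items():
        left = 0
        in_window = {}        # dst -> how many connections inside the window
        best = None
        for ts, dst in conns:
            in_window[dst] = in_window.get(dst, 0) + 1
            # evict connections older than the window
            while ts - conns[left][0] > window:
                old = conns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peers = len(in_window)
            if peers >= threshold and (best is None or peers > best[2]):
                best = (src, conns[left][0], peers)
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for src, start, peers in fanout_alerts(parse(SAMPLE_LOG.splitlines())):
        print(f"ALERT {src}: {peers} distinct peers from {start}")
```

On the sample the worm-like host is flagged with 12 distinct peers and the ordinary host is not; the port-80 connection is ignored and the truncated line is skipped rather than aborting the run. Lowering the threshold or widening the window trades false positives (backup servers, vulnerability scanners) against the time it takes to notice a real outbreak, so those two numbers are the ones to calibrate against a baseline of normal traffic.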

“We don’t normally see threats that are so destructive,” Liam O Murchu, who helped lead Symantec’s research into the virus, said. “It’s probably been 10 years since we saw something so destructive.”

The state-run oil company – whose 260 billion barrels of crude oil alone would value it at over 8 trillion dollars, or 14 times the market value of Apple Inc. – was well protected against break-in attempts over the Internet, according to people familiar with its network operations.

Yet those sources say such protections could not prevent an attack by an insider with high-level access.

It is unusual for insiders to be fingered in cyber attacks. Verizon Business, which publishes the most comprehensive annual survey of data breaches, said that insiders were implicated in just 4 percent of cases last year.

The hackers behind the Shamoon attack siphoned off data from a relatively small number of computers, delivering it to a remote server, the sources said. They later threatened to release that information.

Because the virus wiped the hard drives, it is difficult for Saudi Aramco to determine exactly what information the hackers obtained.

An email address and password that the poster claimed belonged to Aramco CEO Khalid Al-Falih were posted on a website often used by hackers to show off their achievements, this time signed by the “Angry Internet Lovers”. No sensitive Aramco files have been uploaded to that site.

Sources who spoke to Reuters said they were not aware whether the hackers had made specific demands, what they might have been or whether they were met.

The sources would not say whether the suspected mole or moles are Saudi Aramco employees or outside contractors, or whether they accessed a workstation inside Saudi Aramco’s offices or accessed the network remotely.

The Saudi interior ministry was unavailable to comment on whether anyone has been arrested as part of the investigation.

VIRUS TARGETS PCS

The Shamoon virus is designed to attack ordinary business computers. It does not belong to the category of sophisticated cyber warfare tools – like the Stuxnet virus that attacked Iran’s nuclear programme in 2010 – which target industrial control systems and can paralyse critical infrastructure.

“Based on initial reporting and analysis of the malware, no evidence exists that Shamoon specifically targets industrial control systems components or U.S. government agencies,” the Department of Homeland Security’s United States Computer Emergency Readiness Team said in an Aug. 29 advisory.

Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.

“All our core operations continued smoothly,” CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.

“Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus.”

It is standard industry practice to shield plant operating networks from hackers by running them as separate networks that are isolated from the Internet.

Qatar’s natural gas firm RasGas was also hit by a cyber attack last week, although it has not said how much damage was caused or whether Shamoon was the virus involved. Qatar, also a Sunni-ruled Gulf state, has similar foes to Saudi Arabia.

Its parent firm Qatar Petroleum, which also owns Qatar’s other main natural gas firm Qatargas, said it was unaffected but implied that other companies had been hit.

“Qatar Petroleum has not been affected by the computer virus that hit several oil and gas firms. All QP operations are continuing as normal,” it said in an official tweet on Monday.


Iran threatens cyber-attackers with ‘teeth-breaking’

DUBAI: The United States will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran, an Iranian official said on Wednesday.

Iran has previously accused the United States and its allies of trying to sabotage its disputed nuclear programme by using computer worms like Stuxnet, which caused centrifuges at the country’s main enrichment facility to fail in 2010.

“If the Americans’ futile cyber attacks do not stop, it will face a teeth-breaking response,” the Iranian Students’ News agency quoted an unnamed cyber security official as saying. He gave no further details.

Last month, Iran said it had detected plans by the United States, Israel and Britain to launch what it said was a massive cyber strike, after diplomatic efforts to curb Tehran’s nuclear programme broke down.

Western powers believe Iran wants to produce atomic bombs, a charge Tehran denies. It says it only wants the technology to generate medical isotopes to treat cancer patients.

The United States and the European Union have imposed tough sanctions on Iran, including an oil embargo, which have severely weakened its currency and driven up inflation.


Google search for human traffickers, drug cartels

Forget videos of cute kittens or good deals on iPads. For the past few months, Google has been quietly turning its search capabilities to something far more challenging: Internet crime.

Drug cartels, money launderers and human traffickers run their sophisticated operations online. So Google Ideas, Google’s think tank, is working with the Council on Foreign Relations and others to look for ways to use technology to disrupt international crime.

At a summit in Westlake Village, California, this week, people working to halt illicit networks, from former child soldiers to an assistant defense secretary, will be sharing ideas about cracking down on global crime.


End of DNS malware saga

This day last week, the cyber world was speculating on how many people would lose access to websites after the much-publicised shutdown of the court-ordered substitute DNS servers that had stood in for the fraudsters’ rogue servers since the FBI seized them in November 2011. Over several years the criminals had spread the DNS Changer malware, which altered the DNS settings of infected computers so that users were redirected to fake sites instead of the real ones.

So what happened after those servers were switched off on July 9 at 12:01 am? How many people lost access to the internet? In India, 19,642 networks were known to be infected, according to the DNS Changer Working Group.

It is impossible to put an accurate figure on the internet disruption the malware caused. All users encounter breaks in connectivity for one reason or another; normally the connection comes back on its own after a few minutes. When the disruption is prolonged, users call their service providers, who as part of the fix advise customers to reset their DNS settings. So it is difficult for any user or service provider to say with certainty that a given outage was caused by the DNS malware.
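The reset that service providers were advising amounts to two checks: are any of the host’s configured resolvers inside the address ranges the rogue servers used, and if so, replace them. The script below is an added example, not code from the article or from the DNS Changer Working Group. The rogue ranges are the ones the FBI published for the seized servers (the article does not list them); the resolv.conf text, the example resolver addresses and the replacement resolver are constructed for illustration.

```python
"""Check the DNS resolvers configured on a host against the address ranges
of the DNSChanger rogue servers, and rewrite a resolv.conf that points at
them.  Added example, not from the article or the DNS Changer Working
Group.  ROGUE_RANGES are the ranges the FBI published for the seized
servers (the article does not list them); the resolv.conf text and the
replacement resolver are constructed for illustration."""
import ipaddress

ROGUE_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# Constructed resolv.conf: one rogue entry, one clean entry, one bad entry.
SAMPLE_RESOLV_CONF = """\
# constructed for the example, not taken from a real host
search corp.example
nameserver 85.255.112.36
nameserver 8.8.8.8
nameserver not-an-address
"""


def nameservers(resolv_conf):
    """Return the nameserver values from resolv.conf-style text, in order."""
    found = []
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def is_rogue(server):
    """True if server is inside a rogue range, False if outside,
    None if it is not an IP literal at all."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return None
    return any(ip in net for net in ROGUE_RANGES)


def check_resolvers(servers):
    """Map each resolver to True (rogue), False (clean) or None (unparsable)."""
    return {s: is_rogue(s) for s in servers}


def clean_resolv_conf(resolv_conf, replacement):
    """Return resolv_conf with every rogue nameserver line replaced by
    'nameserver <replacement>', leaving all other lines untouched."""
    out = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver" and is_rogue(parts[1]):
            out.append(f"nameserver {replacement}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    labels = {True: "ROGUE", False: "clean", None: "unparsable"}
    for server, verdict in check_resolvers(nameservers(SAMPLE_RESOLV_CONF)).items():
        print(server, labels[verdict])
    print(clean_resolv_conf(SAMPLE_RESOLV_CONF, "192.0.2.53"))
```

The three-way verdict matters in practice: an unparsable entry is reported rather than silently treated as clean, and an IPv6 resolver is correctly classed as outside the IPv4 rogue ranges instead of raising. On Windows the same membership test applies to the addresses shown under “DNS Servers” in ipconfig /all, and on a home network to the resolvers the router hands out by DHCP, which DNSChanger also altered on some models.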

However, Trend Micro’s senior threat researcher Feike Hacquebord, going by data on infected networks, estimates that about 3 lakh (300,000) users around the world would have experienced disruption. He says a much bigger disruption happened in 2008 when the web hosting provider Atrivo (which hosted the data centre of the DNS malware’s creators) went offline.

The cyber world was spared the “doomsday” that some security-paranoid netizens had predicted. There are many reasons. A major one is the general awareness created over the preceding months about the malware and the planned shutdown. Security firms, companies such as Google and Facebook, and service providers collaborated with other stakeholders in the DNS Changer Working Group to clean up the mess, sending warning notes and tips to users whose computers had been infected.

Another reason is that security products either blocked DNS Changer infection attempts or removed the malware from infected computers. Kaspersky Lab says that this year alone it detected 101,964 attempts by DNS Changer malware to infect its users.

So, in all probability, the curtains are down on one of the longest-running and most widespread cyber crimes we have seen.


Cyber experts warn of ‘intelligent weapons’

TALLINN: Quick advances in cyber war technologies could soon lead to a new generation of so-called “intelligent cyber weapons” which top global IT defence experts warn could be virtually unstoppable.

“Rapid developments in cyber (technology) might lead to intelligent cyber weapons that are hard to control and it’s practically impossible to use formal methods of verifying the safety of intelligent cyber weapons by their users,” Enn Tyugu, IT expert at Tallinn’s NATO Cyber Defence Centre said at its fourth annual conference Thursday.

He also warned that programmes developed to counter attacks by malware like Stuxnet can act independently and could conceivably themselves spark conflicts.

“They are quite autonomous, and can operate independently in an unfriendly environment and might at some point become very difficult to control… that can lead to cyber conflict initiated by these agents themselves,” Tyugu said.

“Stuxnet and Flame have shown the side of cyber of which the average user does not think, but which will bring a lot of challenges to all experts who deal with critical infrastructure protection issues – IT experts, lawyers, policy makers,” Ilmar Tamm, Head of the NATO Cyber Defence Centre, told reporters on Thursday.

“The number of cyber conflicts keeps rising and it is important to understand who the actors in these events are, how to classify these events and participants, and how to interpret all that,” Tamm said, noting Western leaders have been slow to become aware of even existing cyber threats.

Experts at the conference noted that both China and Russia have significantly upgraded their cyber-defence capabilities in recent years by creating new IT units.

“But the most powerful weapon today in cyber space is still propaganda, the chance to use the Internet to spread your message,” Kenneth Geers, US cyber defence expert, told some 400 top IT gurus attending the meeting Thursday.

Keir Giles, head of Oxford University’s Conflict Studies Research Centre, noted that some Russian leaders seemed to “sincerely believe that the recent opposition rallies after the presidential elections in Russia were initiated by the US in cyberspace.”
