Overview of Cyberattack on Saudi Organizations
Published by: Naif Arab University for Security Sciences, JISCR, https://journals.nauss.edu.sa/index.php/JISCR

Overview of Cyberattack on Saudi Organizations

Salem Alelyani, Harish Kumar G R
King Khalid University, Saudi Arabia
[email protected], [email protected]

Corresponding Author: Salem Alelyani, Email: [email protected]
Keywords: Cybersecurity, Cyberattack, Insider Threat, Malware, Ransomware, Shamoon.
doi: 10.26735/16587790.2018.004
Journal of Information Security and Cybercrimes Research (JISCR), Vol. 1, Issue 1, June 2018

Abstract

The beginning of the twenty-first century saw a new dimension of security: cybersecurity. Developed countries have started exploiting cybersecurity vulnerabilities to gain supremacy and influence over rival countries. Hence, over the past decade, malware, i.e., malicious software, has become a major threat to cybersecurity. The Kingdom of Saudi Arabia (KSA) has become a major target of cyber conflicts due to increased economic activity, digital transformation, a high rate of technology adoption among citizens and organizations, and the rise of the oil and gas industry. Unfortunately, however, there is a lack of research or scientific investigation of cyberattacks on KSA. This fact motivated us to conduct this work. This paper presents a case study of malware attacks on Saudi organizations. We concentrate on two particular malware families: Shamoon and ransomware. The timeline of attacks by these malware is also presented, along with their structures and methodologies, in order to shield ourselves against similar attacks in the future.

I. Introduction

With the increase in the number of devices connected to the internet, network and computer attacks are becoming pervasive in today's world. Any computer connected to the internet is under threat from viruses, worms or attacks by hackers. These threats or attacks can harm home users, business users, corporate users or an entire country's security. Barack Obama, the 44th president of the US, has stated [1] that the economy of the country depends on cybersecurity. Thus the need to combat these computer and network attacks has turned out to be a major issue of concern.

A security threat is a potential cause of an unwanted event which may result in damage to systems or networks. Wireless networks are exposed to various threats and attacks, of which malware attacks pose the most serious threat, exploiting the fundamental limitations of wireless networks [2], such as limited energy, dynamism in topology due to mobility, and unreliable communication.

In 1988, the Morris worm caused $10 to $100 million in damage on the internet, which then had 60,000 connected computers. Within a period of five years, 400,000 computers were affected by the Blaster worm. Anti-Spyware, in 2011, attacked Windows 9x, 2000, XP, Vista, and Windows 7. Due to the rapid growth of consumer demand and advancements in wireless technologies, malware attacks on the internet are imposing billions of dollars in repair costs. In the Middle East, cyberattack was initiated by the Stuxnet attack in 2009 on an Iranian nuclear facility. With the Stuxnet attack, countries all over the world realized that critical infrastructures were vulnerable to cyberattacks and that the potential consequences could be devastating [3]. Consequently, in 2011, as reported by Kaspersky [4], Duqu, a malware intended to collect data from several targets that could then be used in future cyberattacks, was found in Iran and Sudan. Flame, another malware that shared the same design with Stuxnet, attacked the Iranian oil ministry and national oil company in 2012. Shamoon, another malware, in August 2012 attacked Saudi Arabia's state oil company Aramco, the world's largest oil producing company, and wiped out data from 30,000 client computers in the company. RasGas, a Qatar-based gas company and the second largest producer of liquefied natural gas in Qatar, was hit by similar malware. The similarity between the Shamoon and RasGas malware implies that these malware were developed by the same developer [5]. In September 2012, to support Iran's nuclear program, a group of hacktivists named 'Parastoo' conducted a series of attacks on public targets in Israel in 2012 and 2013. In the second half of 2015, ransomware attacks blocked access to users' systems and files and forced users to pay a ransom in order to obtain the decryption key. In the same year, victims of Duqu 2.0 were found in several places in the Middle East region. Nowadays, the Shamoon 2.0 malware is making headlines, and new targets in Saudi Arabia are discovered each day [6].

After the aforementioned attacks, we still do not find enough resources investigating these attacks from the inside to explain what happened and how; very few research papers exist on this topic, beside the confidentiality of the attacks on governmental and private organizations. This motivated us to conduct a study on cyberattacks on Saudi Arabia, in particular those using malware, namely Shamoon and ransomware. This paper is part of a funded study regarding cyberattacks, especially ones involving insider threats.

In the remainder of this paper, we present the attacks on Saudi organizations by the malware, i.e., Shamoon and ransomware. Section 2 presents the timelines of the attacks of these malware, including the different versions. Section 3 discusses the structure of the Shamoon and Shamoon 2 malware. Ransomware structure is discussed in Section 4, and finally, in Section 5, the methodologies to shield ourselves against these malware are discussed in detail.

II. Attacks on KSA

Saudi Arabia has witnessed a series of cyberattacks in the past few years, due to its economic and political positions. Saudi Arabia was attacked by Shamoon, which originated from Iran as described by US Secretary of Defense Leon [7]. Thus, in order to understand the background of the Saudi attacks, we will start by introducing where it was initiated. The attacks on the Middle East were initiated by the Stuxnet attack in June 2010 on an Iranian nuclear facility, and it is believed that the USA built Stuxnet with the support of Israel with the goal of stopping or delaying the Iranian nuclear program. The worm was probably implanted by an insider in the Natanz power plant's network with the use of a compromised USB drive. This technique enabled the worm to penetrate a network that is normally separated from other networks.

A newly published document leaked by Edward Snowden, a former CIA employee, indicates that the NSA feared the same thing and that Iran may already be doing exactly the same. The NSA document from April 2013, published by The Intercept, shows the US intelligence community is worried that Iran has learned from attacks like Stuxnet, Flame and Duqu—all of which were created by the same teams—in order to improve its own capabilities [8]. Such attacks don't just invite counterattacks but also school adversaries on new techniques and tools to use in their counterattacks, allowing them to increase the sophistication of these assaults. Iran, the document states, "has demonstrated a clear ability to learn from the capabilities and actions of others." Thus, on KSA, the first attack was by Shamoon on 15 August 2012 [7], and the target was Saudi Aramco, which was chosen due to the deep political conflict between Saudi Arabia and Iran. As expected, Iran might have learned from the above mentioned attacks and then replicated the techniques of that attack in a subsequent attack, known later as Shamoon, that targeted Saudi Arabia's oil conglomerate, Saudi Aramco. "Iran's destructive cyberattack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary," the NSA document states. "Iran, having been a victim of a similar cyberattack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others." This might indicate that Iran launched the attack against the Saudi company. This conclusion is similar to what investigators have concluded. Although the NSA document doesn't credit the US and its allies for launching the attack, Kaspersky researchers [8] found that it shared some circumstantial hallmarks of the Duqu and Stuxnet attacks, suggesting that Wiper might have been created and unleashed on Iran by the US and/or Israel.

In the following, we present the timeline of the attacks of these malware, i.e., Shamoon and its other version, and ransomware.

A. Shamoon

It is a very destructive wiper malware. Wiper is the class name of malware that wipes out hard drives. Usually, wiped data is not recoverable. Shamoon was the most famous wiper so far. Saudi Aramco (Saudi Arabian Oil Company) is the state-owned company responsible for exploration, production, and refining of the Kingdom's oil reserves. The market value of this oil giant has been estimated at up to $10 trillion USD in some financial journals, making it the world's most valuable company [9]. Threats against Aramco could potentially jeopardize the national security of Saudi Arabia. Therefore, the Kingdom has invested in securing Aramco facilities with an armed force of 33,000 soldiers and 5,000 guards [10]. Despite its vast resources, Aramco, according to reports, took almost two weeks to recover from the damage. Viruses frequently appear on the networks of multinational firms, but it is alarming that an attack of this scale was carried out against a company so critical to global energy markets, thus causing significant disruption to the world's largest oil producer [11].

B. Shamoon 2.0

After Shamoon, one of the most mysterious wipers in history, was dormant for four years [12],