From today's New York Times.
In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back
By NICOLE PERLROTH
The hackers picked the one day of the year they knew they could inflict
the most damage on the world’s most valuable company, Saudi Aramco.
On Aug. 15, more than 55,000 Saudi Aramco employees stayed home from
work to prepare for one of Islam’s holiest nights of the year — Lailat
al Qadr, or the Night of Power — celebrating the revelation of the Koran
to Muhammad.
That morning, at 11:08, a person with privileged access to the Saudi state-owned oil
company’s computers, unleashed a computer virus to initiate what is
regarded as among the most destructive acts of computer sabotage on a
company to date. The virus erased data on three-quarters of Aramco’s
corporate PCs — documents, spreadsheets, e-mails, files — replacing all
of it with an image of a burning American flag.
United States intelligence officials say the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech
warning of the dangers of computer attacks, cited the Aramco sabotage
as “a significant escalation of the cyber threat.”
In the Aramco case,
hackers who called themselves the “Cutting Sword of Justice” and claimed
to be activists upset about Saudi policies in the Middle East took
responsibility.
But their online message and the burning flag were probably red
herrings, say independent computer researchers who have looked at the
virus’s code.
Immediately after the attack, Aramco was forced to shut down the
company’s internal corporate network, disabling employees’ e-mail and
Internet access, to stop the virus from spreading.
It could have been much worse. An examination of the sabotage revealed
why government officials and computer experts found the attack
disturbing. Aramco’s oil production operations are segregated from the
company’s internal communications network. Once executives were assured
that only the internal communications network had been hit and that not a
drop of oil had been spilled, they set to work replacing the hard
drives of tens of thousands of its PCs and tracking down the parties
responsible, according to two people close to the investigation but who
were not authorized to speak publicly about it.
Aramco flew in roughly a dozen American computer security experts. By
the time those specialists arrived, they already had a good handle on
the virus. Within hours of the attack, researchers at Symantec, a
Silicon Valley security company, began analyzing a sample of the virus.
That virus — called Shamoon after a word embedded in its code — was
designed to do two things: replace the data on hard drives with an image
of a burning American flag and report the addresses of infected
computers — a bragging list of sorts — back to a computer inside the
company’s network.
Shamoon’s code included a so-called kill switch, a timer set to attack
at 11:08 a.m., the exact time that Aramco’s computers were wiped of
memory. Shamoon’s creators even gave the erasing mechanism a name:
Wiper.
Computer security researchers noted that the same name, Wiper, had been given to an erasing component of Flame,
a computer virus that attacked Iranian oil companies and came to light
in May. Iranian oil ministry officials have claimed that the Wiper
software code forced them to cut Internet connections to their oil
ministry, oil rigs and the Kharg Island oil terminal, a conduit for 80
percent of Iran’s oil exports.
It raised suspicions that the Aramco hacking was retaliation. The United
States fired one of the first shots in the computer war and has long
maintained the upper hand. The New York Times reported in June that the United States, together with Israel, was responsible for Stuxnet, the computer virus used to destroy centrifuges in an Iranian nuclear facility in 2010.
Last May, researchers discovered that Flame had been siphoning data from
computers, mainly in Iran, for several years. Security researchers
believe Flame and Stuxnet were written by different programmers, but
commissioned by the same two nations.
If American officials are correct that Shamoon was designed by Iran,
then clues in its code may have been intended to misdirect blame.
Shamoon’s programmers inserted the word “Arabian Gulf” into its code.
But Iranians refer to that body of water as the Persian Gulf and are
very protective of the name. (This year, Iran threatened to sue Google
for removing the name Persian Gulf from its online maps.)
After analyzing the software code from the Aramco attack, security
experts say that the event involved a company insider, or insiders, with
privileged access to Aramco’s network. The virus could have been
carried on a USB memory stick that was inserted into a PC.
Aramco’s attackers posted blocks of I.P. addresses of thousands of
Aramco PCs online as proof of the attack. Researchers say that only an
Aramco employee or contractor with access to the company’s internal
network would have been able to grab that list from a disconnected
computer inside Aramco’s network and put it online.
Neither researchers nor officials have disclosed the names of the
attackers involved. Saudi Aramco said in a statement that it was
inappropriate to comment amid an investigation. The company further
stated that it does not comment on rumor or speculation.
American intelligence officials blame Iran for a similar, subsequent
attack on RasGas, the Qatari natural gas giant, two weeks after the
Aramco attack. They also believe Iran engineered computer attacks that
intermittently took America’s largest banks offline in September, and last week disrupted the online banking Web sites of Capital One and BB&T.
Multiple requests for comment from Iran’s interests office in Washington
and to Iran’s mission to the United Nations in New York brought no
response.
The finger-pointing demonstrates the growing concern in the United
States among government officials and private industry that other
countries have the technology and skill to initiate attacks. “The
Iranians were faster in developing an attack capability and bolder in
using it than we had expected,” said James A. Lewis, a former diplomat
and cybersecurity expert at the Center for Strategic and International
Studies. “Both sides are going through a dance to figure out how much
they want to turn this into a fight.”
More than two months after the Aramco attack, the company continues to
deal with the aftermath. Still, this month employees were not able to
gain access to their corporate e-mail and internal network for several
days. Until the company’s executives decide its systems are secure,
employees can no longer access Aramco’s internal network remotely.
The attack, intelligence officials say, was a wake-up call. “It proved
you don’t have to be sophisticated to do a lot of damage,” said Richard
A. Clarke, the former counterterrorism official at the National Security
Council. “There are lots of targets in the U.S. where they could do the
same thing. The attacks were intended to say: ‘If you mess with us, you
can expect retaliation.’ ”
No comments:
Post a Comment