It took less than a week for Iran to retaliate to the killing of Qassem Soleimani Baghdad in form of a missile attack on US Army bases in Iraq.
Iran’s action may be a signal that it does not seek an escalation. However, it has more aces in its deck that, while keeping it away from a full-fledged military conflict, can be much more devastating than rockets. For example, Iran is likely to choose a cyber-attack on critical infrastructure such as oil and gas plants, manufacturing facilities, water treatment, etc. This kind of attack can cause severe physical and economical damages as they have already proved in the past.
Iran has already proved that it can compromise critical infrastructures in the past. Back in 2012, a new malware called “Shamoon” was used in a cyber-attack against national oil companies including Saudi Arabia's Saudi Aramco and Qatar's RasGas. The malware destroyed 30,000 computers and triggered a temporary network shutdown in Saudi Aramco. Furthermore, it caused Qatar’s RasGas’ organizational website and its e-mail servers to shut down.
4 years later, on two instances, in November 2016 and January 2017, “Shamoon” made a surprise comeback in attacks against various Saudi organizations. This time it targeted multiple industries, including the public and financial services sectors.
The latest variant of “Shamoon” made its appearance in a series of attacks in December 2018, targeting several companies in the oil and gas industry. These included the Italian oil services firm “Saipem” and two additional organizations in Saudi Arabia and the United Arab Emirates.
This 3rd variant of “Shamoon” was the most sophisticated of the three, and the most destructive. It involved a new, second piece of wiping malware. The wiping malware was responsible for deleting and overwriting files on the infected computer, while “Shamoon” was erasing the master boot record of the computer, rendering it unusable. The combination of the two makes recovery of wiped files impossible.
Looking back at the 2012 attack we can determine that “Shamoon” did not appear out of the blue, nor was it a 100% Iranian capability. Security intelligence figures pointed out numerous times that Iranian hackers’ groups are known for studying and replicating sophisticated cyber-attacks. In fact, Iran fell victim to a similar cyber-attack against its own oil industry in April 2012 by a malware named “Flame”. The obvious characteristics of the Flame attack in “Shamoon” demonstrate a clear ability of Iranian hackers to learn from the capabilities and actions of others, to copy them and utilize them.
According to the latest headlines, Saudi Aramco has already lost $200 billion in value since its December 2019 IPO. Over the first week of January, its stock value has dropped roughly 2% reflecting investors’ concern that Iran might respond to the attack by targeting Aramco’s production facilities or its computer networks once again, in retaliation for the killing of Soleimani. Not only that but an attack on a major oil producer like Saudi Aramco will have a major effect on global oil prices.
As we have seen in the past, destructive attacks originating from Iran are part of that country’s modus operandi. It is possible that Iran has other cards up its sleeve and that Iranian hackers developed a variety of tools by learning and copying attack methods used on their own nuclear facilities between 2006 – 2012.
In addition to “Flame”, Iran learned from the characteristics of additional malware that they had investigated. One such example is “Duqu”- a cyberespionage tool. Another is Stuxnet, the famous malicious computer worm for industrial control systems. APT33, an Iranian hackers group working for the government, had attempted to gain access to networks of industrial control system suppliers. This could end in a supply chain attack which could result in disrupting physical systems.
Another aspect of targeted cyberattacks that is sometimes overlooked is collateral damage. An attack against American companies can put their offshore branches at risk. This means that any organization that is connected (digitally) to a company that’s under attack is also at risk – whether it’s based in the US, in Europe, Asia or anywhere in the world.
1. Identify potential entry points – Conduct a “health check” of your systems and ensure the network is not accessible by unwanted parties. Best practice includes a penetration test to flag out any potential attack pathways.
2. Know what is in the network – Evaluate your security posture by first establishing an inventory of assets, in addition to assessing potential vulnerabilities and misconfigurations in the production floor and assembly lines.
3. Actively check for existing threats - Monitor the network and try to track traces of ongoing risks or potential attacks. It is better to find the attacker before it expands and achieves a grasp on your network.
4. Ongoing monitoring for future threats - Security is an ongoing process. By implementing a cyber monitoring system, companies can automatically check assets for ongoing risks.
5. Secure supply chain & 3rd parties - In an interconnected ecosystem you are only as safe as your partners are. It is wise to include partners or suppliers in the organization’s health checks. Eliminate the weak links by assisting your partners and suppliers to implement the above security steps.
Lastly, it’s always wise to select a cyber-security partner who understands the unique complexities, procedures, and requirements of Industrial Control Systems. Working with such a partner would allow you to prepare for an attack – and preempt it.