In December 2018, Italian oil services company Saipem reported that it had been hit by a cyber attack mostly targeting its servers in the Middle East, namely the UAE, Saudi Arabia and Kuwait.
Impacted servers were quickly shut down, and no data was thought to have been stolen. Fortunately, it was possible to restore all records from backups.
Investigations into the attack began immediately, and within two days Saipem had issued an update, announcing that hackers had used a variant of the infamous Shamoon malware to target the company’s servers.
Shamoon was first discovered in 2012, when Iran was widely blamed for deploying it in an attack on Saudi Arabia’s Aramco, leading to the infection of 30,000 computers at the oil company.
Since then, the malware has appeared at regular intervals. In 2017 Shamoon 2 was identified, with hackers gaining access to 15 Saudi Arabian organisations through spear-phishing emails; these attacks were again attributed to Iran, this time to the hacker group Timberworm.
Another Iranian group, APT33, is also believed to be linked to Shamoon. These hackers use spear-phishing techniques and register domains to masquerade as Saudi Arabian aviation companies. This group has been active since at least 2013 and it is highly likely that it is state-sponsored. Its main targets are in the aviation (military and civil) and energy sectors, both of which are of great importance to Iran for reasons tied to its national interests. For example, the government is hoping to soften the impact of the new economic sanctions imposed on the country by President Trump in November 2018, and as part of this is working to expand its petrochemical industry; in addition, insight into Saudi Arabia’s military capabilities could be gained by successfully infiltrating that country’s aviation or aerospace networks.
Other APT groups linked to the Iranian state include Chrysene, OilRig and Greenbug: all are thought to have been involved in Shamoon or Shamoon 2 attacks, and all have been found targeting the networks of organisations operating in the critical infrastructure sphere in the Middle East.
While state-sponsored hacker groups are obviously the greatest cyber threat facing the energy industries in the Middle East, companies should also be aware of the possibility of Anonymous-affiliated hackers singling out organisations as part of various cyber operations. Recently, for example, we have seen YourAnonRise claiming responsibility for DDoS attacks on UAE government organisations as part of three related operations: OpUAE, OpYemen and OpZionism. As well as hitting the Official Portal of the Dubai Government, the hacktivists attacked the Dubai Civil Aviation Authority and telecoms company Etisalat: these sites were apparently targeted to highlight the UAE’s relationship with Israel, as well as to protest against its participation in the Saudi-led war in Yemen.
These DDoS attacks may not only cause disruption to the websites: as hacktivists announce them on Twitter, they can encourage others to emulate their activities and participate in the cyber operations, possibly inflicting more serious damage. YourAnonRise also posted a long target list for OpUAE, OpYemen and OpZionism, promising attacks on a broad range of energy and other industrial websites in the UAE’s seven emirates.
In an important report published in March 2018 by Siemens and the Ponemon Institute, researchers argued that energy companies in the Middle East are failing to invest sufficient financial resources in cyber security, despite damaging incidents that cost the region $1 billion in 2017.
It appears that these oil and gas companies are spending just one third of their cyber security budget on securing operational technology (OT), leaving their organisations at serious risk of attack.
And yet the incidence of network intrusions is high: 75% of organisations had suffered at least one security compromise resulting in data loss or disruption to operations in the previous 12 months.
The insider threat was also highlighted: 68% of respondents cited in the research identified the top cyber security risk facing their organisation as “the negligent or careless insider”. Concerns about the cyber security practices used by third parties involved in their supply chains were also mentioned.
Another interesting piece of research appeared in a Honeywell report in November 2018. This highlighted the risks to a broad range of industrial facilities and networks posed by the use of USB devices. Well-known and highly damaging threats such as Stuxnet and Mirai were found, along with other malware used by state-sponsored APT groups.
It is surely no exaggeration to claim that the main risks faced by companies operating in the vitally important energy sector no longer primarily relate to shortages of supplies, as in previous years; cyber attacks aimed at disrupting operations or accessing classified data for industrial espionage purposes pose a much greater threat.
Securing the integrity of networks is therefore of paramount importance.