Dubai: There is a sharp rise in state-sponsored cybersecurity attacks, mostly from Iran, which mirror the rise in tensions across the Gulf.
“We have been seeing attempted disruptive attacks ... but nothing major that succeeded,” said Alister Shepherd, Middle East director of Mandiant Consulting, an arm of American cyber security company FireEye.
The reason the attacks have not succeeded, he said, is that governments and companies have began to take security more seriously following the “Shamoon” attacks on Saudi Aramco in 2012.
“Security has improved. Governments woke up, and the critical national infrastructure industry woke up,” he said.
Shamoon is a computer virus that steals information from a computer and then completely erases all information on the attacked computer.
In 2012, the virus attacked at estimated 30,000 of Saudi Aramco’s workstations.
But while the defences against such attacks has significantly improved, Shepherd said the frequency of attacks has not slowed down. And that these may even increase as regional tensions spike. He said FireEye often sees increased Iranian cyberattacks associated with geopolitical activity, such as the US pulling out of the Iranian nuclear deal or the imposition of further sanctions against that country.
“We’ve seeing an increase in tempo but no real successes,” he said. “They were trying, but they were not succeeding in cyber, and [the cyber attacks were concurrent] with the physical [attacks].”
Precursor to more direct ones
He said the failure of Iran’s cyberattacks could be linked to the start of physical attacks in the Gulf.
“What I find really interesting is what we see this year — for the first time in a long time — is physical attacks emerging from the Iranian regime or attributed to the Iranian regime,” Shepherd said.
Most of the attacks are focused on the energy sector, telecommunications, financial services, and government services. Sheppard said the attacks on telecommunications system are a clear indication that the attacks are state-backed.
“Within the telcos, [attackers] are looking at individual SMS messages for only a few individuals out of millions of subscribers,” he said. “The amount of data that you pull out of a telco, it requires a government-level of resources to be able to processes it.”
Iran isn’t the only country behind cyber attacks in the region. He said that China and Russia have also been identified as behind a number of attacks. Western governments too are active, he said, but tend to use different methods that are harder to identify.
“Western governments tend to be much more focused on government-type espionage,” he said. “They’re not looking for intellectual property; they’re less prevalent in commercial entities. Because of that, they’re much more difficult to identify.”
How the attacks happen
The most prevalent attack vector for most of these groups is phishing emails, although vulnerable web-facing servers (servers which are directly accessible from the internet) are the second most popular form of attack.
“[Attackers] also use a combination of the two — they get in through phishing and the first thing they’ll find is an internet-facing server and put a backdoor on it,” said Alister Shepherd of Mandiant Consulting. “So they have two means of access.”
A backdoor is a method of accessing a computer while bypassing normal authentication. Phishing is a non-technical attack that uses email and attempts to trick a person into giving their access details to the attacker. These attacks can be particularly dangerous, especially if a compromised account has access to the company’s infrastructure.
Once the hackers get that access, they can then attack other parts of the system. Shepherd said there have been a number of breaches into companies’ DNS settings, which allow hackers to completely divert all the traffic away from the server and onto a different site, likely under their control. (DNS stands for Domain Name System and controls how information moves across the internet.)
Keeping an eye on threats
FireEye tracks a number of advanced persistent threat (APT) groups around the world. From Iran, there are two:
* Apt39. This group focuses on telecommunications and travel industries with the aim of monitoring and tracking individuals.
* Apt34. This group conducts attacks against a variety of industries, including financial, government, energy, chemical and telecommunications. Its attacks are mainly focused within the Middle East.