Making sense of Middle East-targeted malware
Dan Emory, leader, information assurance practice, TKC Global
Amid the chaos that defines the global war on malware, a few trends have unfolded over the past year that warrant closer scrutiny.
One is the regional focus on the Middle East, where some extraordinary malware attacks have taken place against the backdrop of the revolutions and political upheaval sweeping the region. Another is the apparent state-sponsored nature of these attacks and what it means for the future of warfare.
Over the past year, the Middle East has become the battleground where countries, hacktivists, dictatorships, and revolutionaries have come together in an epic battle over information systems, the internet, nuclear proliferation, and power over societies.
We have seen Iranian state-sponsored hacking campaigns that, on at least one occasion, compromised certificate registration servers of the certificate authorities DigiNotar and Comodo in Europe in 2011. The attacks allowed Iran's internal security apparatus to access the email messages of Iranian dissidents seeking the overthrow of the government.
By all accounts the Stuxnet attack on the Iranian nuclear program's SCADA systems in June 2010 was a success and accomplished its goal of disrupting progress. Stuxnet has been attributed to a joint U.S.-Israeli intelligence operation.
Duqu was discovered in September 2011 and was widely viewed as a variant of Stuxnet that sought to collect information for future attacks. The Flame malware program discovered in May was described as possibly the most sophisticated and complex malware ever found. Again, Flame appeared to target Iran but, as with Duqu, quickly spread far and wide into the Middle East and many other regions including North America and Europe. Whereas Stuxnet was most likely designed to sabotage Iran's nuclear program, Flame was a cyber espionage program that sought to collect information from infected systems.
Finally, the Shamoon (“Simon” in Arabic) malware attack that hit Saudi Aramco last month and wiped out at least 30,000 workstations was the latest massive attack to hit the region. Shamoon is different because it is considerably less sophisticated than its predecessors and appeared to target the energy and oil sectors. Shamoon also bled out to other countries and companies in the region, but it did not propagate beyond the Middle East.
The stakes are high and nobody is insulated from the effects of these malware attacks. For instance, had Shamoon been able to shut down Saudi Aramco's ability to pump oil, it could have had devastating effects on the global economy.
As sophisticated and devastating as these attacks are, from an information security standpoint they are preventable. Companies and governments should have in place a well-segmented security architecture, security zone and protocol controls, a mature patching program, educated users, access controls, controls on removable media, and contingency planning.
The evidence is clear that a sophisticated cyber war is being waged in the region, either as a pretext to armed conflict or in lieu of it.