RIYADH, April 26, (Agencies): Increasingly sophisticated hackers possibly linked to a foreign nation aimed to disrupt key organisations in Saudi Arabia, the US-based cyber security firm McAfee said. It did not name the possible attacker but US intelligence officials said they suspected a link to the kingdom’s regional rival Iran after the Shamoon virus struck the Saudi energy sector in 2012.
Renewed Shamoon campaigns that began late last year attacked a wider range of targets including the public and financial sectors in Saudi Arabia, McAfee said in a blog post dated Tuesday. The increase in sophistication suggests “the comprehensive operation of a nation-state,” it said. “This campaign was significantly larger, well-planned, and an intentional attempt to disrupt key organisations and the country of Saudi Arabia,” McAfee’s blog said.
The attackers entered their targets with phishing emails that allowed “reconnaissance” before initiating the strike, which McAfee said is ongoing. In January a senior Saudi telecommunications official was quoted as saying the kingdom’s computer security systems are vulnerable to the “Shamoon 2” virus. Among its reported victims was a division of the labour ministry.
Saudi Arabia and Iran have no diplomatic ties and support opposite sides of regional wars including in Yemen and Syria. Speaking ahead of the blog post’s publication Wednesday, McAfee chief scientist Raj Samani said the latest intrusions were very similar to, albeit even worse than, the malicious software that wrecked computers at Saudi Arabia’s state-run oil company in 2012. “This campaign was a lot bigger,” Samani said. “Way larger in terms of the amount of work that needed to be done.” It’s a striking claim. The 2012 intrusions against Saudi Aramco and Qatari natural gas company RasGas, data-wiping attacks that wrecked tens of thousands of computers, were among the most serious cyberattacks ever publicly revealed. At the time, the United States called it “the most destructive attack that the private sector has seen to date.”
Echoing research done by others, McAfee said the most recent wave of attacks drew heavily on the malicious code used in the 2012 intrusions. McAfee also said that some of the code appears to have been borrowed by a previously known hacking group, Rocket Kitten, and used digital infrastructure also employed in a cyberespionage campaign dubbed OilRig.
US cybersecurity firms have tied both to Iran, with greater or lesser degrees of certainty. McAfee stopped short of linking any particular actor to the most recent attacks. Saudi officials and news media have given little detail about the intrusions beyond saying that more than a dozen government agencies and companies were affected, and a government adviser did not immediately return a message seeking comment. The Iranian Embassy in Paris did not immediately return messages.