Ten years ago, on Aug. 15, 2012, Saudi Arabia’s national oil company, Saudi Aramco, was hit by one of the worst cyber attacks the world has ever seen. Iranian-backed actors, under the guise of a hacktivist group calling itself the Cutting Sword of Justice, used a wiper virus known as Shamoon rigged with a logic bomb to attack the company. The result was a devastating wiping of data across 85% of Saudi Aramco’s Microsoft-based technology, affecting tens of thousands of workstations.
The impact of the attack was swift and destructive, causing oil markets to shudder and hard drive and memory prices to spike, imposing costs on consumers and companies worldwide. It took months for the oil giant’s computer network to return to pre-attack levels of operation. As this case vividly illustrates, the effects of cyber attacks can be far wider reaching than is often thought, extending well beyond a single company or even one country.
As the world discusses a possible renewed nuclear deal with Iran in 2022, the Shamoon cyber attack serves as a reminder that the nuclear file isn’t the only issue that needs to be on the agenda in the Iran policy debate.
The attack and its aftermath
It began with a phishing attack, mostly likely in April or May 2012, that targeted a Saudi Aramco domain administrator. The attack set off alarm bells and warnings were called in by the company’s IT unit in Houston in May 2012, but the Saudi security operations center (SOC), the unit supposed to monitor and protect against major attacks, was busy undergoing an ISO certification and did not open an incident or take the report seriously at the time.
In a post on Pastebin, an anonymous hacker forum for posting leaks and exploits, a group calling itself the Cutting Sword of Justice announced that on Aug. 12, 2012 at 11:08 am thousands of computers at Saudi Aramco would be destroyed. The company did not have a digital threat team and didn’t see the Pastebin post until days later.
At around 11:08 am on Aug. 12, some Aramco computers in Saudi Arabia began acting funny. At first people didn’t think it was a cyber attack, but then it hit the right people at Aramco’s headquarters in Dhahran and things got serious in a hurry. IT experts rushed to open an incident using their entirely digital process, but before long about 85% of digital systems were down and soon afterwards everything ground to a halt. IT staff were forced to dig out typewriters and fax machines from storage because none of the computers or even the desk phones were working.
Saudi Aramco posted on its Facebook page that it was experiencing a cyber attack. Markets began to wobble as rumors spread and multiplied. All the while data was being wiped clean — in many cases forever — from an estimated 35,000 computers on the Saudi part of Saudi Aramco’s computer network by the Shamoon wiper virus. As it tried to halt the spread of malware that was eating data, research, and years of hard work, the world’s most valuable company had to disconnect itself from the internet.
The attack rattled international markets, raising concerns over the potential impact on the kingdom’s oil output and the consequences for the global economy. According to the company oil production was not disrupted, but gasoline became scarce in the days after the attack in Saudi Arabia and Bahrain as the system that dictated which supplies needed to be sent where was down. Gasoline trucks were lined up for miles waiting to be filled, and eventually office workers were deployed to pump gasoline, giving it away to trucks for free to get the supply moving again.
With plentiful resources at its disposal, Saudi Aramco threw whatever was needed into the recovery effort. There were setbacks due to the fog of cyberwar but also huge wins.
Seeking to recover as quickly as possible, Aramco bought up massive amounts of new hardware, including much of the world’s supply of hard drives. If you or your organization bought any memory hardware between September 2012 and January 2013, you likely paid slightly more for it due to the sheer scale of Aramco’s purchases — a sort of global tax imposed by the Shamoon attack.
Not everything went according to plan. Lots of fancy, expensive security hardware and software was purchased, along with some expensive advice from dubious cyber experts. In the haste to resolve the crisis, default security settings were used, a weakness that the Shamoon attackers subsequently targeted.
Even with all the means at Aramco’s disposal, the company didn’t fully recover until April 2013. Imagine what would happen to your organization if your technology wasn’t fully functional for eight months.
What have we learned?
Why would anyone hack us? This is still a question asked in too many boardrooms, and all too often there is no clear understanding of the board’s liability. This is especially true in light of recent privacy data regulations and related hefty fines in Europe, the Middle East, and parts of the U.S.
Ten years ago, cyber attacks were more tailored and less automated. Nowadays, criminals and nation-states alike use automation and spraying attacks that employ off-the-shelf commercial crime ware. Cyber is now a fight between a few expert nation-state actors and bot attacks, moving beyond the scale of human hacker capacity.
We see the same things happening over and over again. Wiper viruses keep cropping up every so often in the malware world, becoming a fashionable attack tool again. Phishing never seems to go away, like a plague infecting our inboxes. Hacktivists and nation-state actors pretending to be hacktivists continue to carry out attacks. The same exploits are tweaked and reused because of a general inability to patch and update. The risks have increased, but cyber security and privacy still don’t get the attention they deserve. Most governments that have cyber policy have little to no implementable policy, just something that looks good on paper.
A decade on from the Shamoon attack, the Russians are making heavy use of both wiper viruses and phishing attacks against Ukraine, while Iran and Iranian-backed actors are using the war as a distraction to ramp up their attacks against Saudi Arabia and Israel. Tehran has taken to selling its offensive cyber tools to groups it supports in both the Middle East and North Africa (MENA) and as far away as Burkina Faso. It’s proving far easier and more profitable to sell cyber weaponry than it is to smuggle physical weapons. The ability to proliferate cyber weaponry and the resulting risks cannot be overstated.
The frequency and severity of cyber attacks have increased, while tech policy in most of the Western world remains in its infancy. Much of the same advice was given 10 years ago, but we haven’t acted on it and not enough has changed. Cyber attacks and privacy breaches are simply expected these days. No one bats an eye at news stories about digital attacks, as if we’ve collectively become desensitized to them.
Recommendations
Tech policy should be a focal point for all developed governments. However, the U.S. currently struggles with cohesive and implementable tech policy, and ideas like tech diplomacy are still perceived to be way outside of the box. Here are some steps that the U.S. and others should consider as they work to better prepare and protect themselves:
- Encourage companies to share data on cyber attacks and work with the government on valid cyber attack attempts and bot reconnaissance. There are, however, cost and liability concerns in the private sector about doing so. To facilitate additional public/private data sharing, the government must first gain the trust of the private sector that any data shared is digitally secure with transparent third-party testing. Data shared can include intellectual property, trade secrets, personally identifiable information, and sensitive information that could allow an attacker to commit a larger breach. The government should also implement measures that shield companies from unexpected fines arising from data sharing.
- Offer support to smaller private sector entities. The U.S. government should look at providing easy-to-obtain grants to help small organizations address issues like public/private data-sharing agreements and supply chain risks and solutions. Small to medium-sized businesses, the backbone of the U.S. economy, are typically the weakest link in terms of cyber security as budget limitations often prevent them from putting in place robust and resilient digital security.
- Invest in human capital and measures to attract it. While many members of Congress have national security and economic advisers, few have cyber experts on their staff. Cyber, emerging technology, and privacy issues are seemingly forgotten until something goes wrong and then decisions must be made by policy makers with little to no understanding of the topics in front of them. It should be the norm for legislators to have trusted, well-informed advisers on such issues.
- Make cyber diplomacy a central part of the U.S. diplomatic toolkit, both in the MENA region and elsewhere. The U.S. is uniquely placed to work together with its regional partners to ensure successful policy in this area. Ours is a digital world and cyber diplomacy is a must for effective U.S. strategy.
- Enhance cooperation between the U.S. and its regional partners when it comes to managing cyber threats. There is a particular need for greater information sharing, especially around cyber defensive, offensive, and threat intelligence.
- Adopt a more holistic approach to halt the proliferation of Iran’s cyber weapons. This could be incorporated as part of the talks over reviving the Joint Comprehensive Plan of Action or in a separate agreement that limits Iran’s cyber weapons capability from being used against countries in the region.
The predictions made by Richard Clarke in his 2010 book Cyberwar: The Next Threat in National Security and What to do About It have come true. Cyber war is now a reality and is just as much a part of the modern security landscape as diplomatic disputes and kinetic warfare. Nowhere is this more true than in the Middle East. As the Shamoon attack made clear, the threats facing the region are very real. There should be no ambiguity about the cyber capabilities or intentions of actors like Iran, and the U.S. and its regional partners need to prepare accordingly.
Going forward, the challenges and the risks are only likely to increase as technology becomes an ever-more pervasive part of our lives. The number of Internet of Things devices is growing rapidly year on year and could reach 30 billion by 2030. That’s 30 billion new things on the internet to attack, some of which will help control or monitor critical infrastructure. It’s time to step out of the shadow of the analog world and embrace the reality of the digital world, including crafting policy that reflects the times in which we live and the threats we increasingly face.
Chris Kubecka is the distinguished chair of MEI’s Cyber Security and Emerging Technology Program and the founder and CEO of Hypasec. Following the 2012 Shamoon attack, she was involved in helping Aramco to reestablish its business operations and improve its digital security. The views expressed in this piece are her own.
Photo by Simon Dawson/Bloomberg via Getty Images
The Middle East Institute (MEI) is an independent, non-partisan, non-for-profit, educational organization. It does not engage in advocacy and its scholars’ opinions are their own. MEI welcomes financial donations, but retains sole editorial control over its work and its publications reflect only the authors’ views. For a listing of MEI donors, please click here.
