This is a story about the Blue Team winning. These stories are few and far between – not least because the Red-Team, the attackers, have long been seen as the glamour side of cyber security. But also, generally when the Blue Team wins, nothing happens. The business just keeps on going, doing what it does.
On this occasion though, the Blue Team won, and something did happen. The Red Team launched missiles.
This is the story of Saudi Aramco, who are set for an IPO record in their Saudi stock market listing in December – with analysts expecting the firm to settle in at about $1.6 to $1.7 trillion. Aramco – the state-owned Saudi oil company, produces 25% of the world’s energy, and its reserves are five times larger than the other five global oil giants combined.
Despite the abundance of natural resources, it hasn’t all been plain sailing. The sheer scale of Aramco, and its fundamental role in driving the Saudi economy, has made it a significant geopolitical target. However, if we dig a little further into Aramco’s recent history, this actually becomes a real cyber-security success story – and an example of cyber-defence being used to tip the geopolitical balance.
Shamoon Cyber Attack 2012
Most people who work in cyber-security, and many people outside the industry, recall the Saudi Aramco hack of 2012 – known as Shamoon.
Before we dig into it, let’s remember – cyber has long been seen as an attractive geopolitical weapon, due to its asymmetric nature. By this, we mean that attackers consider themselves relatively safe from retaliation, and that cyber is cheaper to deploy than a conventional military. Furthermore, attribution is hard, and no-one is likely to launch a missile back in response to a cyber attack (although the Israelis did so this year for the first time).
Back in 2012, the benefits of developing cyber attack capability were not lost on Iran – who had suffered years of US-led sanctions, and US-led Saudi prosperity in the region, and were seeking retaliation. In addition, the Stuxnet cyber attack on Iranian nuclear centrifuges in 2011, may have helped spur the Iranians into investing into their own cyber attack program.
A major target for this newly developed capability was Saudi Aramco which was hit by the Iranians with their Shamoon wiper malware.
The technical details behind the Shamoon attack are well documented (Securelist has a good write-up). But the impact was devastating. 35,000 Aramco hard drives were wiped overnight, finance, supply chain, order data – everything was taken offline. The business couldn’t even send an email.
The attack was against IT, not Operational Technology (OT), and so while Aramco kept the oil pumping – they couldn’t track volumes or even invoices, causing supply-chain chaos and huge financial damage. The attack and its aftermath was recently covered by Jack Rhysider in his superb Darknet Diaries podcast – some incredible details came to light in a wide-ranging interview with Chris Kubecka who was recruited to lead the Blue Team response. For example, who could have forecast that there weren’t 35,000 replacement hard drives available, globally – or that if you laid the wiped computers in a line they would stretch six miles?
The Shamoon attack served to highlight a relatively immature IT security posture held by Aramco at the time. For instance, the business had a flat IT network – which could be traversed globally from a single entry point and was a contributing factor in the widespread damage. Back in 2012, (and is still often the case), it was only really a breach that brought the appropriate level of focus onto cyber security.
Despite reported cultural challenges around remediation, the firm really did make efforts to prevent a similar, future attack from being successful. As mentioned earlier, Chris Kubecka – a vastly experienced cyber-defence / response leader, was headhunted to build out a global cyber defence program. She hired top security talent, gave her team research time and training budgets, and limited their workload to 36 hours per week. The result – a motivated capable team always up to date with the current threat. This team represents the art of the possible – what good looks like when budget is not a limitation. For most of us, this kind of expense is simply not realistic – but, it’s the result of this team’s work that is really interesting, as evidenced by the more recent attacks against Aramco.
Failed Operational Technology Cyber Attack 2017
In 2017 Aramco was hit again with another cyber attack, which this time had to be far more sophisticated to get around the organization’s cyber-defences. While the attackers did manage to gain a foothold – apparently in an attempt to cause physical harm to operational technology (pumps and pipelines), the attack did not execute as planned. In comparison to the 2012 attack, the Blue Team had raised the bar, and raised it significantly.
So, how do you attack a company that has invested so much into cyber-security, to the point that even your well crafted, customized and stealthy attempts to do damage simply do not work?
You switch attack vectors. In this case missile and drone strikes.
Missile / Drone Strike 2019
Kubecka’s cyber security program, and the team-in place today, raised the bar so high that a traditional kinetic strike was required in order to inflict damage on Aramco – in this case using missiles and drones. From an attacker’s perspective this was a riskier approach; unlike a cyber operation, this was far more likely to trigger a military response. But with cyber now too hard to execute, the risk was taking – and it paid off. The attack was high impact and devastating, temporarily cutting oil production in half and causing oil prices to spike.
While Aramco may have expected Saudi Arabia’s military to defend its infrastructure against such an attack – some of the 25 missiles found their targets as shown in the photo above. Indeed, the attack – much like Shamoon did for cyber in 2012, has caused a rethink of Saudi’s defensive posture. From a technical perspective, the Patriot missile system and Skyguard anti-aircraft batteries are more suited to shooting down planes than missiles and drones, and question marks remain over the capabilities of the personnel manning the defences. As in cyber-security, tooling is ineffective without well trained people or a well defined process.
Are the Cyber Attacks and the Missile Strikes Linked?
While claimed by the Houthi rebels in Yemen, the US government suspected the involvement of Iran – as did the Saudis. An excellent writeup by Fabian Hinz, at Arms Control Wonk (here) shows missile casing representing the Quds-1 drone (pictured), which actually is manufactured domestically by the Houthi rebels. However, that’s not the entire story. The Quds-1 only has a range of about 400 miles, and with Yemen 800 miles away, that would rule the Houthis out of the attack. Furthermore, the Iranian border is very much in range – just 200-300 miles from the targeted Aramco sites, and the missiles appeared to come from the direction of Iran. Finally, with the Quds-1 a derivative of an Iranian missile, and the subsequently released Houthi reconnaissance photos being badly forged – the international community (US, Saudi Arabia, Germany and the UK) became united in pointing to Iran.
Plausible Deniability – a Recurring Theme
There is a plausible deniability aspect of the 2019 missile strike that mirrors that of the 2012 Shamoon cyber attack – and was perhaps deployed an effort to limit the retaliation from Saudi Arabia. Shamoon was carried out by hacking group the ‘Cutting Sword of Justice’ who are linked with hacktivist group the Yemen Cyber Army – itself a front for the Iranian Cyber Army. The 2019 missile strikes followed the same playbook; again it was the Yemeni Houthis being used by Iran for plausible deniability.
So, what does all this tell us? It demonstrates to us that from a cyber perspective, the Blue Team can win – even against a nation state attacker. It also shows us that attackers, if frustrated in their efforts, will keep trying if suitably motivated – but if as defenders we exhaust them, they will be forced to try other attack vectors – or other targets.
For most of us, we are fortunate that raising the cyber security bar is unlikely to lead to a missile through the window. Instead, it means that the attackers are likely go and try their luck somewhere else.
And for now, that’s pretty much all we can ask.
Summary of events: