After news of hacks into water systems in Israel and a key port in Iran surfaced at the start of Q2, concerns over the threat of cyberattacks on critical networks in the Middle East have been dialled up, writes Maddy White.

 

When Israeli authorities acknowledged a cyberattack on the country’s water systems, pumping stations and sewers at the end of April, the focus on cybersecurity across the Middle East swiftly sharpened.

The Israeli government called on entities in the energy and water sectors to immediately change any passwords to industrial control systems, reduce internet connectivity and ensure that the most up-to-date systems were installed.

The objective of the attack? To raise chlorine levels in drinking water, the Financial Times reported, quoting an unnamed intelligence official. If it had been successful, tens of thousands of people could have been without water, and, in the worst-case scenario, hundreds may have fallen seriously ill. While it is highly difficult to uncover the origin of cyberattacks because of their inherently secretive nature, the finger was pointed at Iran.

Not long after the incident, Iran’s Port and Maritime Organisation (PMO) confirmed an attack had been made on its Shahid Rajaee port, a shipping terminal that lies in southern Iran on the Strait of Hormuz, a busy trade route between the Persian Gulf and the Gulf of Oman.

In a statement to the Iranian Labour News Agency, Mohammed Rastad, Iran’s deputy minister for roads and urban development, said the attack had not damaged the PMO’s core systems and had only affected a few private operating systems. A Washington Post report linked the attack to Israel, while alleging that Iran appeared to have downplayed the impact of the incident.

Later in May, hundreds of websites in Israel were hacked. Sites were disabled and their content replaced with a threatening message, local media reported. Israel National Cyber Directorate, a government agency responsible for cyber defence, said: “An initial investigation of the incident involved a surface-level attack on the websites of private entities in Israel, which were done through a single company that hosts all the sites.”

While Iran and Israel have been in conflict for decades, Iran’s desire for the removal of the Jewish state and its support of radical groups against Israel ignited a proxy war in the 2000s, which only intensified with the start of the Syrian civil war in 2011. If, as suspected, the two states are behind the recent tit-for-tat cyberattacks, it poses concerns over how they may continue to use technologies to cause serious harm in the future, and also how they can be held accountable for their actions.

“We know the incidents in Iran and Israel happened, even if we can’t definitely attribute them yet,” explains James Shires, assistant professor at Leiden University’s Cybersecurity Governance Institute of Security and Global Affairs. “It is worrying that there are attacks on the critical infrastructure of states, against key elements of trade, such as ports, but also against water systems, on which people’s quality of life is dependent.”

Simone Vernacchia, partner and digital infrastructure and cybersecurity specialist at PwC Middle East, explains the damaging impact of targeting critical infrastructure in the region: “If you stop utilities in the Middle East, you could have no water and no air conditioning, which is dangerous in the summer. It is not like the West; it can be life-threatening.”

 

Malware in Mena

Government-sponsored cybercrime is becoming an increasingly prominent way of playing out political tensions in the Middle East because attacks can be extremely damaging socio-economically, yet it is difficult to pinpoint the perpetrator.

“There has been a big shift in political power in the region, which is increasing cyber risks,” Vernacchia tells GTR. “We see more activity on the attack side. Is this the result of more international tension? Probably, yes. If you look at most of the attacks here, some are done for profit, but they’re smaller and mostly happening in holding companies and deal shops. A lot are likely done for political reasons – we do see more activity on the government-sponsored level.”

While the latest wave of cyberattacks in the Middle East has focused on water systems and logistics, in the past hackers targeted the region’s energy sector – an industry on which many Middle Eastern economies depend – with different types of malware, or malicious software, to disrupt operations and destroy data.

Shires tells GTR: “Part of the reason for targeting oil and gas in the Gulf is because it’s a strategically important part of the economy. If there is a nation state behind a cyberattack and it wants to have a political impact, it will pick areas that are the most important to an economy.”

The Shamoon virus, which predominantly targets oil and gas companies, resurfaced in 2016 and 2018 with devastating effects. First discovered in 2012, when 30,000 computers belonging to Saudi Arabia’s state-owned oil giant Saudi Aramco become infected, the virus erases and overwrites hard drive data, leaving systems destroyed.

The latest attack, in December 2018, saw hackers create websites resembling legitimate job sites. Many of the URLs were linked to jobs in the energy sector, operating mostly in the Middle East, while others contained malicious files that executed secret payloads upon site visits. Some websites also encouraged victims to log in using their corporate credentials.

In the most recent attacks, the malware had been upgraded with a modular approach, which enables the part of the virus that erases data – known as the ‘wiper’ – to be used as a standalone threat, revealed analysis by McAfee, a global computer security software company, suggesting that multiple developers would have been involved in preparing the malware.

Iranian hackers were alleged to be behind all three incidents. “After further analysis of the three versions of Shamoon and based on the evidence… we conclude that the Iranian hacker group APT33 – or a group masquerading as APT33 – is likely responsible for these attacks,” said McAfee in December 2018.

Another destructive type of malware discovered in the Middle East is known as Triton. Detected at a Saudi Arabian petrochemical plant in 2017, it has the power to disable vital industrial safety systems. On this occasion the attack was thwarted; detailed analysis by FireEye, a US-based cybersecurity company, linked it to the Central Scientific Research Institute of Chemistry and Mechanics, a Russian state-owned technical research institution in Moscow.

Two years later, FireEye reported another Triton attack on a different critical infrastructure facility, the location of which has never been disclosed.

As the energy sector embraces digitalisation, the potential for similar attacks is increasing. Shires explains: “There’s been a big drive to digitalise it [oil and gas] and to use industrial control systems that go over Internet Protocol (IP) networks to enable communication between different areas of, say, an oil or gas field because it is cost-saving and improves efficiency. The downside is that it increases the risk of cyberattacks to those facilities.”

 

Cyber spill over

Cyber incidents ultimately impact global trade, even if it is not the target, Shires says, pointing to the NotPetya attack in 2017, which has since been attributed to Russian authorities. That attack saw tens of thousands of computers belonging to Maersk, the Danish shipping giant, become infected with malware, causing its operations around the world to grind to a halt.

Set in motion by infecting an upgrade to Ukraine’s widely used tax software, NotPetya spread to the Middle East, the US and across Europe.

“This code was built to destroy, not extort,” Maersk’s head of technology Adam Banks told I-Cio in August 2019. “All companies that use the default software for submitting Ukrainian tax returns were compromised by the social engineering of a rogue employee.”

To protect countries and their trade from cyberattacks, Shire recommends that international and regional laws need to be drafted to prohibit the targeting of critical infrastructure, including bridges, power lines, ports and nuclear power plants, among other facilities.

In 2017, the UN’s Security Council took a step in that direction by adopting a new framework to address the danger of terrorist attacks, including cyber incidents, against critical infrastructure.

The council called upon all member nations to establish criminal responsibility for terrorist attacks aimed at critical infrastructure and to explore ways to exchange information and enhance co-operation in preventing, mitigating and responding to such incidents.

“A bit further down, you could have national cybersecurity strategies that are specifically aimed to harden or improve the defences of critical infrastructure,” says Shires. “A lot of the Gulf states already have those strategies and they mention critical infrastructure as a key point. You must provide both incentives and regulation to ensure that private companies that are operating critical infrastructure meet standards of cybersecurity and don’t leave themselves vulnerable.”

In 2017, the Saudi Arabian Monetary Authority (SAMA) launched a cybersecurity framework detailing data security rules, which include a requirement to encrypt business data, and are applicable to all member organisations regulated by SAMA.

Elsewhere, the UAE’s cybersecurity strategy aims to create strong domestic cyber infrastructure. The latest version of the plan was launched in 2019 by the Telecommunications Regulatory Authority (TRA), the government entity responsible for IT and digital transformation. The strategy aims to protect critical infrastructure assets and build a “world-class” cybersecurity workforce in the UAE, the TRA said in a statement at the time.

In Israel, the National Cyber Directorate is the government body which oversees cybersecurity and defence, formed in 2017 by the merger between the National Cyber Bureau, established in 2012, and the National Cyber Security Authority, created in 2016. The directorate operates at the national level to strengthen the defence of organisations, critical infrastructure and citizens against cyberattacks.

However, no matter how secure networks are, it is difficult, if not impossible, to be completely protected against cyberattacks. Software often has weak points unknown to those tasked with securing systems and removing vulnerabilities; these are known as zero-day vulnerabilities. Malicious actors can exploit zero-day vulnerabilities to cause damage to software, data or a network.

“Some governments [in the Middle East] have done a lot in the last three to five years in terms of coming up with national strategies, plans and standards for cybersecurity, but they still need to do more to ensure that they are protected adequately, especially with regards to the private sector,” says Shires.

The Covid-19 pandemic has made it even more important for countries and companies to have effective cybersecurity strategies in place. While many have adjusted to life online in the last few months, finding workarounds and trying out new digitised processes has meant that the target for cyber criminals has grown much larger.