
Rabu, 24 Oktober 2012

Ridiculous Administration Premise on U.S., Iran, and Saudi Aramco

Nicole Perlroth's New York Times story - In Cyberattack on Saudi Oil Firm, U.S. Sees Iran Firing Back - is a ridiculous premise based on confusing hypotheses regarding malware that may not even have come from the U.S. But before I cover that, I'd like to know in what universe a country that was on the receiving end of multiple perceived U.S. cyber attacks goes after an entirely different nation in revenge.

The answer to that rhetorical question is none. There's no logical reason for Iran to attack Saudi Aramco in order to send a message to the U.S. I've written many times my belief that the Aramco attack was Iran sending a message to Saudi Arabia to not increase its oil production because of sanctions imposed on Iran. That may or may not be true but at least it follows a logical order. 

1. Iran makes a threat to SA - Don't increase your oil production. 
2. SA ignores the threat and increases production anyway.
3. Iran destroys Aramco's 2000 servers and 30,000 workstations.

To believe the Times story, the logic would have to flow differently:

1. Iran is hit by malware that it believes was created by the U.S. which destroyed some servers in its oil ministry.
2. It retaliates against the U.S. by destroying servers owned by Saudi Aramco.

Really? Does that make sense to anyone? 

Apart from that glaring logical inconsistency, there's a factual flaw in Ms. Perlroth's reporting that needs to be corrected. No one has a copy of the original Wiper malware that hit Iran's oil ministry last April, so it's impossible to know that it was part of Flame. Further, no one knows who was responsible for Flame, because the connection between Flame's creators and Stuxnet/DuQu's creators is limited to the assumption that they "knew each other". That hardly qualifies as coming from the same nation-state. All in all, this article was far below the quality that I've come to expect from Nicole Perlroth. I hope it doesn't serve to aggravate an already tense situation between the U.S. and Iran.

UPDATE (24OCT12): I just spoke with Nicole Perlroth and learned that her article was meant to take a skeptical view of the administration's campaign to pin cyber attacks on Iran. I reread the article and I'm still not clear on which points she was being skeptical about; however, based upon my respect for her past research, I've changed the name of this post to "Ridiculous Administration Premise ..." instead of "Ridiculous NY Times Premise", since that was Ms. Perlroth's intent - to express skepticism of the Administration's position on this issue.

Rabu, 22 Agustus 2012

Was Iran Responsible for Saudi Aramco's Network Attack?

I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil.

The attackers, who call themselves the "Cutting Sword of Justice", probably used Shamoon (Symantec's W32.Disttrack). It destroyed 2000 servers and affected business operations, based upon this list of affected IP blocks. It looks like Iran tried to mimic the Wiper virus that was used against its oil ministry last April. Kaspersky called Shamoon a copycat of Wiper. The differences were:
The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.
It's also important to note that Wiper was not Flame; they are two distinct and separate pieces of malware, and the investigation of Wiper led to the discovery of Flame. Since none of the software security companies have a complete copy of Wiper, it makes sense to me that Iran, the victim of the Wiper attack, reverse-engineered or at least mimicked it to create Shamoon. Kaspersky Labs noted that the start date of the Aramco attack was August 15 11:08 AM (Arabia Standard Time - AST) per the attackers' first pastebin posting. This exactly corresponded with a date and time found in the code: "15th August 2012 08:08 UTC". The difference between UTC and AST is +3 hours.
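The two checks above, the Wiper-versus-Shamoon artifact comparison from the Kaspersky quote and the UTC-to-AST timestamp correlation, are the kind of thing an incident responder would script rather than eyeball. The following is an added example written for this page, not code from the post or from Kaspersky. It treats the quoted "RAHD..." as a service-name prefix and the "xxx" in "~dxxx.tmp" as three arbitrary characters (both assumptions, since the quote does not spell them out), and it runs over a constructed host inventory rather than real telemetry.

```python
import re
from datetime import datetime, timedelta, timezone

# Arabia Standard Time is UTC+3 with no daylight saving, as the post states.
AST = timezone(timedelta(hours=3), name="AST")

# Indicator patterns derived from the Kaspersky description quoted above:
# the original Wiper used service names starting with "RAHD" and driver files
# named %temp%\~dxxx.tmp. "xxx" is treated as any three characters (assumption).
WIPER_SERVICE_RE = re.compile(r"^RAHD", re.IGNORECASE)
WIPER_DRIVER_RE = re.compile(r"(?:^|\\)~d.{3}\.tmp$", re.IGNORECASE)


def match_wiper_artifacts(service_names, file_paths):
    """Return the services and files that look like the Wiper artifacts Kaspersky
    describes. Per the quote, Shamoon does NOT carry these, so an absence only
    says 'not original Wiper'; it says nothing about whether the host is clean."""
    services = [s for s in service_names if WIPER_SERVICE_RE.search(s)]
    files = [p for p in file_paths if WIPER_DRIVER_RE.search(p)]
    return {"services": services, "driver_files": files}


def utc_to_ast(ts_utc: datetime) -> datetime:
    """Convert a naive UTC datetime (e.g. one hard-coded in a sample) to AST."""
    return ts_utc.replace(tzinfo=timezone.utc).astimezone(AST)


def local_time_of_embedded_utc(year, month, day, hour, minute) -> str:
    """Format the AST wall-clock time for a UTC timestamp given as plain integers."""
    return utc_to_ast(datetime(year, month, day, hour, minute)).strftime("%Y-%m-%d %H:%M %Z")


def aramco_timestamp_consistent() -> bool:
    """Check the post's correlation: the code's '15th August 2012 08:08 UTC' must be
    the same instant as the 11:08 AST start time from the attackers' first pastebin post."""
    return local_time_of_embedded_utc(2012, 8, 15, 8, 8) == "2012-08-15 11:08 AST"


# Constructed sample inventory for one workstation (not real telemetry).
SAMPLE_SERVICES = ["Spooler", "RAHDAudioSrv", "wuauserv", "Themes"]
SAMPLE_FILES = [
    r"C:\Users\u\AppData\Local\Temp\~d1a2.tmp",
    r"C:\Users\u\AppData\Local\Temp\~dcab.tmp",
    r"C:\Users\u\AppData\Local\Temp\~dtmpfile.tmp",   # wrong length: not a match
    r"C:\Windows\System32\drivers\example.sys",        # placeholder, not an indicator
]

if __name__ == "__main__":
    print(match_wiper_artifacts(SAMPLE_SERVICES, SAMPLE_FILES))
    print(local_time_of_embedded_utc(2012, 8, 15, 8, 8))
    print("timestamp correlation holds:", aramco_timestamp_consistent())
```

The differential matcher is deliberately narrow: it answers only "does this host show the artifacts Kaspersky attributed to the original Wiper?", which is the question the quote raises, and the timestamp helper keeps the comparison in a single time zone so that a +3 hour offset is never applied twice.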

Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker.

I understand that Aramco has been vigorously investigating the attack to determine how their network was compromised and that some firings of employees and contractors have already occurred. I've asked Saudi Aramco's public affairs office for a comment but so far no one has returned my call.

UPDATE (23AUG12): I've received new information from knowledgeable sources that the attack vector for delivery of the worm was via a USB stick inserted into a workstation at one of Aramco's global offices (not in Saudi Arabia). Further, the timing of the attack was carefully chosen to be one hour before the end of the work day, which was the end of the month of Ramadan and the start of the Eid holiday.

RELATED:
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.
