Peak Oil is You


Page added on November 1, 2012

Conflicting accounts on ARAMCO hack underscore difficulty of attribution

Public Policy

A recent report suggests that the devastating cyber attack that wiped out thousands of computers belonging to Saudi Arabia’s national oil company was the work of a lone hacker – days after the US Secretary of Defense cited it as an example of a state-sponsored attack.

But what do we really know?

On October 25th, Bloomberg, citing unnamed sources “involved in the investigation,” reported that clues within the Shamoon malware – used in attacks that struck 55,000 computers on Saudi Aramco’s corporate network – suggest a lone attacker who released an “amateurish” virus on the network using an infected USB.

But that report runs counter to earlier reports, and the official line in Washington, D.C., which is that Shamoon is the leading edge of a coming storm of sophisticated, state-sponsored cyber attacks from America’s enemies in the Middle East, Asia and elsewhere.

So who’s right?

It might be worthwhile to review the Shamoon outbreak.

As we reported previously: the malware was released on Aramco’s network on August 15, the day preceding one of the holiest nights of the Islamic year.

The virus spread from computer to computer on Aramco’s network, wiping out critical files from the hard drives of machines it infected and displaying an image of a burning American flag on compromised hosts.

In response, Aramco shut down its entire corporate network as it went about replacing infected drives on 30,000 workstations – a job that took more than 10 days to complete.

Statement from Aramco on Facebook

The attack at first seemed like a response to an earlier incident: the compromise of systems belonging to Iran’s Oil Ministry in April.

That attack, which forced the temporary closure of Iran’s oil processing facility on Kharg Island, relied on a trusted insider to plant targeted malware specifically designed for the victim’s network environment.

Such an attack suggests some degree of planning and sophistication. Besides, a key component of the Shamoon malware was named “Wiper,” an apparent reference to the malware that was used in the attack on Kharg Island.

But the similarities to so-called “advanced persistent threat” (APT) style attacks end there.

As Sophos’s own malware analysts noted in their report on Shamoon: the malware itself was a ham-fisted and “hackerish” effort that showed none of the sophistication of malicious programs like Stuxnet or Flame.

The malware appeared to be a pastiche of commercial components and publicly available code downloaded from hacker forums. It behaved in ways that were obviously suspicious to malware researchers.

Among other things, the author or authors misspelled key service names used by the malware and readily revealed the identity of its first victim – a fact that made it easy for Aramco to trace the path of infections back to a single workstation and user account.

Yes, the malware deleted files from infected hard drives and attempted to wipe the master boot record of those systems, but it didn’t do anything “unrecoverable,” SophosLabs expert Paul Baccas reported at the time.

Things could easily have gone a different way.

Those behind the attacks also made no secret of their compromise: publishing public statements on their attack and the addresses of compromised systems online – not typical of APT-style attacks.

Beyond that, clues in the malware cast doubt on Iran as the source of Shamoon.

As the New York Times reported, the code of the malware refers to the “Arabian Gulf,” rather than the “Persian Gulf” – the term of choice for Iranians.

The evidence of links to Iran in the Shamoon/Aramco attack was “largely circumstantial,” Bloomberg reported, citing interviews with U.S. intelligence officials.

That makes it all the stranger that Defense Secretary Leon Panetta, speaking at a conference for Business Executives for National Security in New York on October 11th, called Shamoon a “very sophisticated tool” and cited the Aramco incident as evidence of the danger of a “Cyber Pearl Harbor” (a phrase, by the way, that many deem tasteless).

The Shamoon attack and a subsequent attack on the Qatari firm RasGas, Panetta said, were among the most destructive to date and underscored both advances in malware and the increase in threats to businesses from sophisticated “cyber actors.”

The sad truth may be that cyber security is now a new front in a very old Washington DC parlor game, namely: hyping the threat.

Panetta’s clear goal in his speech wasn’t to warn about the dangers of malware, per se, or even targeted attacks. Instead, it was to talk up the need for comprehensive cyber security legislation that’s been blocked in Congress because of election-related gridlock.

In his speech, Panetta argued that private firms like Aramco don’t have the resources to battle such sophisticated threats alone, underscoring the need for greater public-private partnerships – but that new legislation like the pending CISPA act was needed to enable such collaboration.

As Bloomberg noted, it’s difficult to distinguish the line between acts of cyber warfare and other attacks, including those by politically motivated hacktivist groups, “social malcontents, criminals and others.”

We can understand that getting attribution right in cyber attacks can be difficult. But it’s also true that attribution matters – and loose talk about attacks and their origins can be dangerous, especially when the USA is making ever louder pronouncements that it is ready and able to respond to cyber attacks using all the tools at its disposal – including both logical and kinetic attacks.

Here’s hoping that we learn from Shamoon and other malware outbreaks, and get it right (or at least “righter”) next time.

sophos
3 Comments on "Conflicting accounts on ARAMCO hack underscore difficulty of attribution"

  1. DC on Thu, 1st Nov 2012 1:59 pm 

    See, told ya. I wonder if that is correct. Did they really *replace* HDs? If they did, talk about easy money. Viruses, much less malware, don’t ‘destroy’ HDs. All you need do is format and re-install the workstation image, which can be pushed over a network, or done in person. Maybe it’s a translation thing. I’ve worked on countless malware and virused-up systems; you don’t stick in ‘new’ HDs, unless you’re scamming your clients.

    Got to be a mistake. No one carries 30k spare HDs, and to replace that many in 10 days = 3000 HD swaps per day, or 12.5/hour. No way they physically pulled that many unless they hired an absolute ton of low-grade techs to do that. Strange….

  2. BillT on Thu, 1st Nov 2012 3:29 pm 

    Lots of misinformation here. The numbers don’t add up like DC says. Impossible things are being presented as facts, but then, most Americans are not smart enough to think … about anything but the propaganda put out by Washington. The powers that be cannot be successful until they can censor and control all internet access and use. It is frustrating these people that their plans keep being exposed. This hacking probably came from the CIA itself.

  3. Arthur on Fri, 2nd Nov 2012 8:34 am 

    They need an excuse to put dirt on Iran. Story could easily be fabricated. The sadists need a pretext to use their satanic hardware to slaughter.
