Regional conflict almost invariably brings with it consequences beyond its initial cause. The surrounding countries and regions suffer in a multitude of ways – from the massive and immediate human misery to ongoing political, economic and civil instability, and more long term diplomatic tensions and wounds that take time to heal.
In recent years, the Middle East has borne the brunt of various international conflicts, notably in countries like Syria, Iraq and Yemen. The resulting instability has ushered in new regional players whose policies and actions dictate the security landscape. On the ground, participants are forced to adapt their tactics to address changing circumstances.
Further still, as conflicts escalate and expand to push against the boundaries of the established rules of engagement (usually defined during peacetime), warring participants feel increasingly able to experiment with new capabilities under the camouflage of prolonged hostility. This applies as much to cyber tactics as it does to conventional warfare.
This blog will examine two regional conflicts and explain how under their shadows, cyber operations have gone beyond the realms of cyber espionage and cybercrime, and closer towards cyber warfare. Not only this, but it explores how these cyberwar operations, which at first seem to be confined to the two warring factions, can spill outside the region.
The civil war in Syria (and the exacerbation of sectarian conflict that followed) has resulted in Iran and Saudi Arabia becoming two primary regional players, divided along sectarian lines. This regional confrontation has been labelled by some as a type of ‘Cold War’, where both sides are using proxy forces to contend for power and influence in the region whilst avoiding direct conflict. In addition, the confrontation has led to both sides using cyber operations against key economic and political targets. The bulk of these attacks have come from Iran.
In 2012, a widely reported attack on Saudi Arabia, which many believe to be the work of Iranian hackers, targeted Saudi Aramco, the state-owned oil and gas company. The attack, using the Shamoon malware, was believed to have been designed for the sole purpose of destruction. The Shamoon ‘wiper’ malware corrupted the master boot records (MBR) of 30,000 workstations in the organisation, rendering them unusable and crippling Saudi Aramco's operations as a result. A similar attack took place against the Qatari energy firm RasGas shortly after this. The Shamoon malware resurfaced in 2016, targeting Saudi government and energy firms.
These attacks, and others conducted by Iranian threat actors, highlight three key factors in this discussion.
First, observers note that these attacks were inherently and exclusively destructive in nature. This contrasts somewhat with the strategies of other major cyber powers. China, for instance, often focuses on mass collection of data and espionage. Russia frequently establishes backdoors in networks, and conducts large scale information operations (this is different when it comes to Ukraine, which will be explained later). For countries like Iran, the aim appears to be to infect as many systems within a target network as possible, and to cause as much damage to business operations as possible. This is conducted in conjunction with Iranian cyber-espionage campaigns against rival nations.
Secondly, these destructive attacks appear to be targeting organisations that are critical to the economic stability of a country. The oil and gas industry in Saudi Arabia, the Gulf and many Middle Eastern countries is the cornerstone of their economies, producing the revenue needed to sustain domestic functions and military operations abroad. Destructive cyberattacks against these critical industries are indicative of how a ‘cyber war’ could play out.
Thirdly, cyberwar-like attacks such as these would not occur as frequently if organisations in the region demonstrated a mature security posture. It has been reported that the Middle East has experienced a major upturn in cyberattacks. Due to the rate of modernisation in the region in recent years, the level of security has unsurprisingly failed to keep up. This confluence of factors has created the ideal conditions for nations like Iran to experiment with how much damage their increasingly sophisticated cyberattacks can do.
The other region that has witnessed unprecedented levels of cyber war in recent years is Ukraine. The conflict that followed the 2013 Euromaidan demonstrations spawned numerous cyberattacks designed to degrade the nation’s key institutions. Many commentators now agree that Russia is using the regional conflict with Ukraine as a testing ground for cyberwar capabilities, or as a ‘blueprint’ for future attacks against other adversaries.
One prominent example of this, which is now widely assessed to have come from Russia, was the BlackEnergy operation on the Ukrainian power grid that caused a major outage. The malware that was found on industrial control systems (ICS) was identified as KillDisk malware, which (in the same way as Shamoon) worked by “select[ing] files on target systems and corrupt[ing] the master boot record, rendering systems inoperable”. There were even some instances of corruption of firmware in these ICS networks.
A few years later, intelligence officials again pointed the finger at Russian intelligence services in response to the outbreak of the so-called NotPetya virus in June 2017. Subsequent analysis of the malware indicates that although it was designed to look like ransomware, and thus to seem like the work of money-grabbing cybercriminals, the intent behind it appeared to be disruption and destruction. Ground zero of this attack was Ukraine, where it impacted numerous organisations from banks to government agencies and energy firms, and even radiation monitoring systems at Chernobyl. Despite Ukraine being the ultimate target, however, several large organisations in the West were also badly affected, including the major advertising firm WPP and the law firm DLA Piper.
This fact brings us to a key point of this blog. ‘Cyberwar’ testing operations, under the guise of a regional conflict, often spill over to affect organisations and firms across the world. Implanting worm-like capabilities into malware designed to disrupt and destroy systems within networks can easily get out of control. It is therefore imperative that these regional conflicts are monitored and understood, especially where cyber operations have been identified, and that cyber defences are strengthened accordingly.