In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back

American officials believe a virus unleashed on an oil giant was a return volley in a conflict begun by the United States and Israel with software that targeted Iran’s centrifuges.

Comments: 84

  1. Last August, Republican senators voted down an administration proposal to make key companies prepare for cyber attacks. The US Chamber had objected it was too expensive. Republicans are quite willing to throw national security under the bus to help their rich allies.

  2. Want to be more secure? Don't launch attacks against others for a starter.

  3. This is essentiallty the same group who currently deny "global warming" and spend millions to prevent any measures to be taken against the causes. It is a group dedicated to their own short-term gain and blind to any long-term cosnsequences. Understandable, as they are all over 60 and don't have to worry about "long term". Any of you out there with long-term prospects should consider this in all your decisions.

  4. designer in New York

    "This is essentiallty the same group who currently deny "global warming""

    It's now called Climate Change. Please keep up.

  5. What is the reason your sources are not identified by name?

  6. Well with the help of Israel, we created this cyber war. What do we expect. Iran to turn the other cheek?

  7. This could be as much an Israeli op, as an Iranian one. Let's face it, Israel has a lot more to gain from setting up the Saudis against the Iranians , than Iranians do from a tit for tat attack with no material gain.
    Also the story itself has a few holes in it. For starters a hacker does not have to wait for a public holiday to launch a virus attack on the largest oil company on the planet. Secondly there are no secrets to be stolen and third, Aramco probably has one of the most sophisticated security systems against silly attacks like this.
    My verdict;
    This story does not make sense.

  8. All of the viruses used against Iran were basically released onto the internet; if you want a copy of Stuxnet, you merely have to look for it. Presumably any half-way resourceful group can grab onto the stuff the US/Israel released, and re-engineer it (not necessarily competently, but......).

  9. Doubtful. If you are a regular reader of the New York Times, you would know there are 'not so secret' relations between Israel and Saudi Arabia.
    Saudi Arabia has helped in the planning of sanctions by replacing much of the lost Iranian oil due to sanctions. Also, Saudi Arabia is Iran's regional adversary in the Middle East. There is DEFINITELY no love lost between Iran and Saudi Arabia.

  10. What they would have to gain is reminding people that they're not entirely helpless short of military means, and therefore without providing much excuse for a significant escalation (i.e. blocking Hormuz would /much/ more likely to cause a very significant response).

    This is both for internal consumption (taking hits without hitting back isn't great for morale, generally) and external consumption (specifically, US and Israel, pointing out that retaliation doesn't have to be against the original attacker to be damaging to the attacker's interests).

    The US isn't eager to attack Iran militarily, since that has substantially negative consequences for both (from the US POV -- aside from the obvious direct costs in personnel and money -- disruptions to economy from instability in oil market, increased Hizbollah activity likely in Lebanon and elsewhere, increased unrest among sympathetic Shia in Iraq, anti-Americanism uptick expected in most of Islamic world suspicious of our motives...). However, Iran might be concerned that the US sees computer infrastructure attacks as 'free -- not likely to provoke those consequences, less likely to be retaliated against'. It is therefore in the Iranian government's interests to suggest that such things are not necessarily as wildly asymmetric as they might appear.

  11. Why would we allow this?

    The Iranians are utterly inferior to us in every conceivable way, and the proper application of force would clearly bring them quickly to heel. We could easily destroy their telecom infrastructure and take them off line with minimal collateral damage and no more engagement on our part than a few sea launched cruise missiles. Instead, we are crying about being hit by these diminutive bullies.

    With a real president, America would have swatted the gnat that is Iran by now. Let's elect one.

  12. JMA, not only the Iranians but also the Europeans, Asians, Africans, Australians and Latin Americans are inferior to you. We bow to your supremacy and offer daily prayers to the dazzling light that emanates from your nation and suffuses this planet's very being.

  13. The Greeks had a name for this: Hubris.

  14. Sure, we launch an attack and win a war with Iran in only a few weeks time, without a drop of American blood spilled, and they will greet us as liberators...

  15. Maybe now you see why we need some "DAYLIGHT" between the the USA and Israel .

  16. Why this thought? Do you blame Israel for computer attacks? Every computer system is vulnerable; if a code can be written, it can be hacked.

  17. Don't know about the computer war the US started, but I hold them responsible for the murders of Iranian scientists.

  18. Absolutely.

  19. We have known for decades how to design against software vulnerability. The problem is a belief in the United States and other countries that by keeping all computers vulnerable, we can win the war. However, our critical infrsatructure is more vulnerable than the weapon systems of our adversaries. Industrialized and highly connected nations are more vulnerable than those less developed. This is a war in which our loss is inevitable if we continue with this strategy.

  20. The most obvious defense is "disconnect". Vital facilities like dams, power stations and munitions depots should not be connected in any way to the outside world or the internet. It may be convenient to "work from home" or "browse the net" but not on control systems for critical functions. Cut them off and place them in secure facilities is a low-tech but certain protection. You can't hack what you can't reach.

  21. designer --

    Air gaps are insufficient. For instance, default login/password combinations should be removed; sane password policies should be used (such as encouraging the use of long-ish but memorable phrases, and not requiring that they be so bizarrely constructed that people write them down...); admins need to pay attention to security updates; monitoring and logging...

    ...and physical security is critical, too. For instance, even isolating a corporate network doesn't mean that the computers themselves are isolated if employees connect portable storage devices (compact flash, portable hard drive, digital cameras, smartphones...). That's one way to sneak malware into (or, for that matter, proprietary data out of) systems even if there's a true air gap.

  22. Isn't there a flip side to the coin, so to speak, of non-digital preparedness for cyber attacks. In debate-speak, aren't our military leaders still hoarding supplies of horses and bayonets, if U know what I mean?

  23. People who live in glass houses should really think long and hard before throwing stones.

  24. I could not agree with you more.

  25. "People who work in Langley, Virginia should really think long and hard before hitting the "send" button."

  26. I believe the key word in this piece is "retaliation". However I would not put it past Israel to be the infector of this virus.
    That being said, I think it's high time the "defense dept." came to the realization that the next war will not be the traditional conflict of ships, tanks, and foot soldiers, but will be cyber attacks. Just think how or whole economy could be destroyed by cyber attacks agains our communications systems. Instead of spending billions on nuclear subs and aircraft carriers they should be spending the money on cyber defense.

  27. A number of previous comments address the "glass house" admonition rightly. In what class of logic would it not become obvious that when one embarks upon a tactic they believe effective do they not recognize the enemy will adopt it as well?

    Unfortunately our position of world leadership through use of military and economic power is no longer effective, particularly in the Middle East. The competition from China alone has changed that approach. Then there is the blind support for Israel that ignores our own interests. We joined iIsrael n the cyber attack on Iran (Stuxnet) which has been turned on us.

  28. Same old story we have been living through for decades. When you attack someone else, they respond with their own attack. Basic schoolyard bully mentality. Our trillion dollar national security system merely creates mass insecurity. Money well spent!

  29. Not that I would mind were Iran's nuclear capabilities vaporized by an air strike for any plausible reason, but this cyber-attack seems to me to be a set up. Ordinarily the bully takes the credit for the bullying. In this case, the bully is crying, "Hey, no fair"!

  30. It doesn't take an advanced military or vast industrial complex to win this war. It doesn't require a roomful of generals and politicians to hammer out strategy and propaganda. You don't need public buy-in or any a declaration of war. The attackers don't even need to risk their lives. All it really takes is a few geeks with an Internet connection.

  31. No one seems to consider the possibility that these attacks against giant oil and gas companies could be the work of an individual, or a small group of inidviduals, who hate giant oil and gas companies.

  32. Now we know who the real patriots are.

  33. This seems to be a very critical issue that everybody in this world should take a time to think about.What would happen if major bank's websites,business,Universities records,army headquarter etc are attacked.
    Terrorists are terrorist.They don't play a game with rule.

  34. Honestly, it was to be expected. It was only a matter of time before Iran tried to return the favor. I would expect Iran to lash out in a multitude of ways as the sanctions begin to squeeze where it counts.

  35. Oh, look, look. People advocating war with Iran. Gee, somehow this reminds me of something that took place oh, say, a decade ago with WMDs.

    Are we this stupid? Do we want another war in the Middle East? Iran has done nothing to us.

    Attacking them would prove that we are nothing but stupid bullies who will go to war with anyone, and are anxious to do so.

  36. The US was the first nation to develop an atomic bomb. Its elation was short-lived, though, for others soon caught up -- deterrence morphed into mutually assured destruction. Why would it be any different with cyberweapons such as worms and viruses?

  37. The US is the only country to have USED atomic bombs, ever. Ask the inhabitants of Hiroshima and Nagasaki and their descendants what that means.

  38. The USA went from a strong defensive strategy to a strong offensive strategy after WWII. It hasn't decisively win a war since. One war after another, nothing but lost lives, a mess in its wake, decades of lingering animosity, trillions wasted and the loss of the world's respect.

    Here's an example of what to future has to offer. An educational system probably about par with some run down state run by fanatics under the guise of religion. Oh, and bickering fools spouting nonsense about two candidates that would challenged to run a 7/11.

  39. “Foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout the country . . . They are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life.”

    — Defense Secretary Leon Panetta, 11 October.

    Oh, hey, look. Unsubstantiated information released on a cyber attack that happened two months ago?

    Burning American flags? Oh, the horror!

    Well it looks like you were right, Leon. Let's just go ahead with a bunch of legislation now that will control our domestic internet usage and capability. We all knew it was coming, anyways.

  40. Cyber terrorism is terrorism by another name and the US unleashed it, again. It was a dangerous and reckless move, and now we will reap what we sowed.

  41. So, it was an inside job, like a bank teller stealing from the vault, a security guard purposely leaving a warehouse door unlocked, or an Afghan soldier turning on his American trainer.  Why then all the hand-wringing about "cyber attacks" and the need for more "cyber security"?
    Even without the use of a scary-sounding virus, any insider with administrative access could have achieved the same effect with a few trivial lines of script.  This attack simply points out the need for greater vetting of those in positions of trust.

  42. "Insider" doesn't necessarily mean that the individual who introduced the attack (not necessarily consciously) actually had any unusual privileges other than having access to the internal network.

    Aside from vetting, this also encourages layered security -- one should not just rely on a corporate firewall and, say, trust employees to not behave naively when opening suspicious e-mail attachments or playing Flash games on personal computers connected to the corporate network (!) or on poorly maintained systems (well behind in patches, or misconfigured) for instance.

  43. Somebody wants a billion dollar contract for SECURITY!

  44. "That morning, at 11:08, a person with privileged access to the Saudi state-owned oil company’s computers, unleashed a computer virus..."

  45. If this is a "wake-up" call, who has been asleep?
    Keep dreaming. Does anyone who has a modicum of knowledge of Iran, really think they don't have the ability to defend themselves.and/or retalitate if we continue our belligerence against them.?
    By the way, the idea for the cease-fire with Syria on the upcoming holiday was proposed by Iran . ..a fact ignored by our media..

  46. I just heard that on the radio in my local news.

  47. And all this happens while our Candidates argue over ships and submarines.....

    Why not redirect some of the Engineers of Northrup Grumann or Lockheed Martin away from useless ship design and apply their skills in finding anti-cyber solutions. Everybody wins.

  48. Ship design engineers are not trained to perform cyber-security tasks. Designing ships and cyber security are like apples and oranges.

  49. Why is ship design useless?

    Plus, speaking as a mechanical engineer, there are vastly different skill sets between designing and building a Navy destroyer and writing lines of code for a cyber attack or defense.

  50. Live by the sword...die by it.
    what do you expect?

  51. Once again we have a story from the Times on a computer virus that makes no mention about what operating system was running on the targeted computers. From the fact that Symantec was called in, it seems pretty likely that it was Microsoft Windows. Who even knows what version of Windows was in use, whether all the required security patches were up-to-date, etc., etc. Vast "monocultures" of networked Windows computers are, by far, more vulnerable to these sorts of attacks than any other computing infrastructure, particularly ones that include Unix-based workstations running Mac OS X or Linux.

    That said, the fact that the perpetrator(s) had administrative access to the network means that all bets are off when it comes to security. This was not apparently an attack conducted over the Internet (nor was Stuxnet, by the way) but one conducted in person by skilled agents inside Aramco. No security system is going to prevent adminstrators with physical and network access from destroying computer systems if they put their minds to it.

  52. As an IT guy, the greatest concern is being sure the virus is truly eradicated and not lying dormant, hiding somewhere on a still-infected machine, ready to come back to life and reinfect the network. The data files that were erased should be easily restored from an offline backup.

  53. The fly in that ointment is you don't know if the backups contain the virus too.

    So unless you virus-scan the backups first with an updated (to the new threat) virus scanner you might re-release the virus, it sees the time has passed and goes into action again. Indeed their may be encrypted versions of it in the backup that won't be detected - but an insider can then release them anew...

    Virus writers are getting more and more sophisticated with their anti-anti-virus strategies as well as post-action strategies.

  54. We dropped the frist Atomic Bomb and were utterly surprised when the Russians caught up with us and competed with us in a nuclear arms race; neither nation was more secure; both paided a price in wasted resources and wasted lives.
    Cyber warfare is another example of short term clever, long term dumb. Michael Hayden, former head of the NSA pointed out that there would be consequences for the U.S. in initiating cyber warfare against Iran. Surprise!

  55. The first Russian atomic bomb looked exactly like "Fat Man" for the simple reason that it was a near identical copy. The Russians spied their way to the bomb. Once they understood the "recipe" their physicists were able to make more advances.

  56. You mean if the US did not pursue the Atomic bomb, no other country would have tried? Do you mean if US do not pursue cyberwarfare, no other country will develope their capability to do so? I don't have a great answer to these escalations, but simplistic reasoning doesn't help either.

  57. There are clues everywhere that cyberwar is already underway. The very public failures of the North Korean satellite launches. The recent failure of the Northern Virginia "Amazon Cloud." With election day nearing, we should be vigilant for domestic cyber attacks, throwing the results into question and creating doubt about the legitimacy of our executive and legislative branches that could only be resolved by the votes of nine justices.

  58. There is no doubt about the legitimacy of our government, so we don't need to worry about that.

  59. Shamoon--reminds me of the wind in Herodotus (Simoon)
    that a Saharan country fought against.
    Hacking is both "our" last best defense and our worst enemy, and fighting it can be like attacking the wind.

  60. Why do we instigate such things, then cry "foul!" when the other guy (country) decides to give us a taste of our own medicine? Why are we so shocked when they actually imitate us? Maybe it wouldn't have even occurred to them if we hadn't started down this road first.

  61. I, like many people in the US and around the world, get paid electronically. I don't receive a check or paper money, it's purely digital. I then purchase all of my goods and services using a credit card. At the end of the month I pay my credit card and my other creditors electronically, no paper check, no paper money, purely digital. I can buy and sell stocks and bonds in the same way.

    Secretary of Defense Panetta is correct, cyber threat is the biggest threat in the world. Entire economies can be collapsed, poised, distorted, all through electronic means.

    We thought no paper ballot was dangerous in voting and yet no one is screaming about the vulnerabilities of a fully automated and digital economy.

  62. Iranian leaders have selected their enemies carefully from a list of nation fearful that any further provocation might advance the situation to war. They never pick a nation to go after that might strike back. If we have decided to do nothing when cyber attacked then we are inviting more attacks. When the world allows Iranian diplomacy to walk all over it's collective goals and aspirations for a better and more peaceful world then the world is failing.. Thankfully the Obama sanctions seem to be pressing hard on Iran and has show Iran that it cannot waltz around arrogantly terrorizing the global community as it wishes with a stern reaction. The relationship between world nations should be peaceful and healthy and no nation should try and harm others by getting over on them. People on Earth all decend from the same African population of ancient beings and it is no deity above but rather a self centered culture and society that selects and draws the divisions and differences that mankinds wallows in. The world fearfully awaits the day when Iran miscalculates and overeaches and causes a reaction that leads to total war. Hurling insults and making cyber war is not the way for Iran's leaders to act and the proud and noble Iranian people could do better. Ken C. Arnold Santa Monica, Ca

  63. Of course, the puppet kingdom couldn't figure it out. Time to stop coddling the source of Al Qaeda.

  64. Maybe the Israeli intelligence service, Mossad, known for assassinations around the world for anybody opposing the Jewish country of Israel, maybe, they attacked the Saudi Arabian company to stir up more conflict in the Arab world. It then permits more American weapons to be sold in the Arab world, more money wasted, more confusion, more conflict; all so that Israel can survive. Israel cannot seem to survive as a normal and natural country, so, they can only survive by being mean and devious; all with the complicity of the American government.
    We need open dialogue, why is it forgotten that the Muslims are the only people that never systematically abused Jews? Who invited the Jews to escape from the Christian inquisition, it was Muslims!
    So, the Saudi company that was cyberattacked, was it really Iran, or was it an Israeli attack, as Israel cyberattacked Iran, bombed Iraqi and Syrian nuclear power plants?

  65. @Karim: "We need open dialogue, why is it forgotten that the Muslims are the only people that never systematically abused Jews? Who invited the Jews to escape from the Christian inquisition, it was Muslims!"

    You may be correct about the Inquisition, but your grasp on the 20th century diaspora of mid-eastern jews is totally wrong.

    I personally know many Jewish families who were forced to leave their ancestral homes in Arabic countries, who had their homes and livlihoods confiscated.

    Many are here in NYC.

  66. faceless, do you think a few Arab families might have had their homes and livelihoods confiscated by Jewish people?

  67. Oh well! Had you not supported Israel, Nation of War Crimes and Murderers of Civilians, 9/11 would never have happened. Had you not created Stuxnet and Flame at the behest of Israel, you would not have given a weapon to your own enemies. Even now, the Isreali created company Narus is giving the NSA far ranging Deep Packet Inspection and Storage abilities to the NSA's Utah Data Center- expressly created and designed to capture and decrypt ALL American data and voice communication and store it indefinitely. Supporting Israel is not only counter to American interests; it is counter to the Interests of Humanity at large. Their only concern is Israel and let the rest of the World can burn otherwise.

  68. " The attack, intelligence officials say, was a wake-up call. “It proved you don’t have to be sophisticated to do a lot of damage,” said Richard A. Clarke, the former counterterrorism official at the National Security Council."
    No kidding! And, it doesn't even begin to to tally the cost of immediate and on-going counter and defensive measures companies and countries have to take. carrying out the horrible 9/11 cost the Jihadis and terrorists about a million dollars. Our response - Iraq and Afghanistan wars and on-going cost of caring for the wounded, spending on homeland security, loss of productivity will end up costing 5 Trillion. Our enemies have figured out an economic formula. Sophisticated or not they can spend a dollar on some action to harm us or create fear. We will spend thousand fold in response. Who will go bankrupt first? The world has changed but American mindset and its ways of responding has not. 50% of global spend on military by USA is the proof. Are we getting the commensurate economic benefit? Think about that before voting for Romney and signing off on additional waste of $2 trillion on the military and defense. Especially, if you are a Republican who likes to do cost benefit analysis of government spending.

  69. And why was Aramco running Microsoft Windows
    on a mission-critical system? The people who made
    the purchasing decisions for the computers and software
    should be fired.

  70. Too bad that more of our leaders do not understand science and mathematics They mistakenly believe that the U.S. is special. Only the U.S. will be able to figure these challenging problems out. As any physicist will tell you, the pattern for creating a nuclear warhead is actually straightforward. Sure, you can make the weapon a bit more efficient if you have great technical know-how, but to make a nuclear weapon .... really not that hard. Computer coding is very similar. All it take is a bit of time. Developing a virus or a worm is a challenge, but the problem is doable. The patterns of science and mathematics are the same in Tehran or Istanbul or Ann Arbor or Palo Alto. Go figure.

  71. The usual purpose of cyberwar is not to destroy equipment or data (as suggested by this attack). Instead, it's more commonly used to convey a message, as a deception ('red herring') or as a psychological operation to change attitudes or demoralize.

    Given that “...not a drop of oil had been spilled...”, we can assume that this might have been the case here. It's reasonable that whoever carried out this attack could have just as easily disrupted Saudi oil production. But they didn't.

    Joint Chiefs of Staff (1994) gives us a small insight into the these tactics. It's a bona-fide U.S. Gov't strategy for carrying out deliberate deception (but every military around the world uses similar methods). It defines this as:

    "Military deception is defined as being those actions executed to deliberately mislead adversary military decision makers as to friendly military capabilities, intentions, and operations, thereby causing the adversary to take specific actions (or inactions) that will contribute to the accomplishment of the friendly mission." (p. I-1)

    For example, the attack may have also been a cover to measure Saudi Aramco's computer defenses. This is a common technique in electronic warfare, which can be used to:

    "Establish and monitor feedback channels to evaluate success of the deception operation through observation of the adversary's reactions." (ibid, p. II-2)

    Cite:

    Joint Chiefs of Staff, Joint Doctrine for Military Deception, Joint Pub 3-58 (6 JUNE 1994)

  72. "It's reasonable that whoever carried out this attack could have just as easily disrupted Saudi oil production. But they didn't."

    I wouldn't jump to that conclusion. The article notes that the administrative network which was attacked was separate from the production network which remained in operation. Just because the perpetrators had physical and administrative access to the administrative network does not mean thay would have enjoyed the same level of access to the production network. The mere fact the networks were separate suggests they were designed to require unique access credentials.

  73. Can you say India infrastructural failure..

  74. @ Peter Metro Boston “...separate from production network...”

    You may be right.

    My feeling is that things like erasing data and showing “... a burning American flag” was done as a public display, though. These perpetrators weren't trying to hide their activities. They appear to be state sponsored actors who wanted to be seen. To quote Joint Chiefs of Staff (1994):

    "display. In military deception, a static portrayal of an activity, force, or equipment intended to deceive the adversary's visual observation." (ibid p. GL-3)

    Cyberwar techniques are more commonly used to quietly observe the system and make subtle, virtually undetectable changes. If they only had access to the administrative system then they could have easily harmed the production side. These tactics generally take longer and are much less spectacular, but they would do the job.

    In the language of deception, this is called 'creating phenomenon'. For example: reducing maintenance schedules on high-failure equipment; changing replacement part numbers or ordering the wrong parts (i.e. installing defective parts); changing repair manuals; re-routing transportation; terminating key employees by falsifying records (drug tests, criminal background checks, time sheets, field reports, etc.). The possibilities are endless.

    There's an old saying: to take over control of a company you don't need to buy a controlling interest in their stock. You only need to take over their management information system (MIS).

  75. Lie down with dogs (Stuxnet & Owners) you will pick up fleas.

  76. We are doom!!!... If these fanatics get access to our energy infrastructure we would be going to the stone age. These days with all the mobile technology and sophisticated networks that run our lives from the minute we wake up to the time we go back to bed.... doom!!!!... People, start saving water, food and plenty of cash somewhere in your house or farm, once they attack the water and energy systems we won't be able to scape the chaos!!.. All these cyber attacks are a simple warning for what the future is holding. Please tell all your loved ones and keep your children on alert, this is a serious war we are looking at.

  77. At least it's a war that sheds no blood. Until of course the perps are caught.
    Either way it's disgusting and uncalled for.
    I don't care what name you give Him, he's still God and when you do go, He'll deal with you in the proper manner based on your performance here on Earth using the life He gave you.

  78. We shouldn't be suprised that someone took our tactics, turned them around & used them for their own purposes. When is this going to happen with some of the other weapons we employ in other countries, specifically, the drones?

  79. The sky is not falling. There are just some Iranians who are good at their job.

  80. It was intriguing why the malware wiped the files and made the machine unusable, instead of staying under the radar and collect information. This act of sabotage was a means of flexing muscles. The hackers were no cyber-thieves that wanted to steal credit card numbers, online bank account credentials and other valuable digital assets such as login names and passwords. They were state actors.

  81. could have been anyone, a ten year old , important decisive information should not be left up to a fickled machine called the internet

  82. What does an EMP, solar flair and Hacked networks have in common? Each is currently capable of wrecking any of our electronic controlled infrastructures. Not a pretty picture. Which is why every Windows 8 will have the ability when connected to the net to be remotely shut down as" AN UNAUTHORIZED COPY" a good thing really to kill zombie pc's aiding any attack that threatens our county security if needed.

  83. ---if you cyber-attack me I `ll cyber-attack you---if your drones kill me my drones will kill you---shhhhhhhhhhhh!---now settle down children---once upon a time there was a giant who ruled the whole world---but-------------

  84. Well I like Arabian horsesbit love the older term,
    "Persian Gulf". Guess that dates me but it seems
    to have a lot of resonance. That bein said, yikes.
    Always enjoy hearing from Richard Clarke.