The Invisible War in West Asia
Dr Cherian Samuel is a Research Fellow (SS) at Manohar Parrikar Institute for Defence Studies and Analyses, New Delhi.
Almost imperceptibly, West Asia has become the new frontline of the current manifestation of cyber warfare, with various types of cyber weapons being deployed by parties whose identities can only be speculated upon but are presumed to be state and non-state actors from within the region and beyond. Since the discovery of the Stuxnet malware in 2010, no fewer than five other “cyber weapons” have made their appearance over the past two years. The two recent attacks on energy companies are particularly worrisome since they represent a relentless and rapid escalation in both the capabilities and the intent of the perpetrators.
Stuxnet was directed against the Iranian nuclear programme, and suspicions of US and Israeli involvement were confirmed by subsequent reports. These suspicions arose in the first place because of the sophistication of the malware, which, experts declared, could only have been engineered with the resources available to a nation state. After a lull of a year, the Duqu worm was discovered in September 2011, followed in quick succession by the Mahdi, Gauss and Flame malware. While Flame, Duqu and Gauss were said to share digital DNA with Stuxnet, being spread predominantly via USB sticks, their primary purpose seemed to be espionage, with targets ranging from banking to governmental to energy networks. Flame, in particular, was noted for its modular design and its size, averaging 20 MB. Its capabilities ranged from recording Skype conversations and downloading information from smartphones to more mundane activities such as capturing audio, screenshots, keystrokes and network traffic. The Mahdi Trojan seemed to have different godfathers and was spread via phishing emails, even though its purpose was also apparently espionage. Infections were reported from Iran, Israel, Afghanistan, the United Arab Emirates, Saudi Arabia, Syria, Lebanon and Egypt.
In April 2012, there were reports of a new virus, Wiper, that was far more destructive, wiping the data on every computer it infected. This virus largely affected networks in Iran. Four months later, the Shamoon virus is reported to have wiped the data from 30,000 computers of the Saudi Arabian state oil company Aramco, followed a week later by a similar episode on the networks of the second largest LNG company in the world, Ras Gas of Qatar.
In what has become the norm for such cyber attacks, despite intense investigations by anti-virus companies, the origins of the malware have remained largely in the realm of speculation and inference. While ownership of the Stuxnet malware (and by inference of its cousins Duqu, Flame and Gauss) was claimed by the Obama Administration for electoral purposes, the Shamoon virus is speculated to be a reverse-engineered version of the Wiper virus, unleashed by hackers loyal to the Iranian regime. Tit-for-tat attacks look set to become the norm as the countries of the region gird up their cyber loins.
Similarly, existing defences appear to be no match for these malware attacks. The countries of West Asia are among the most proactive when it comes to controlling cyberspace, with Iran going to the extent of decoupling from the Internet and building its own national Intranet. The energy infrastructure companies that were attacked are among the biggest in the field and would no doubt have had many layered defences against such attacks, to no avail. In their defence, the critical infrastructure itself was not affected by the attacks. It must also be mentioned that the behaviour of some of the malware has been akin to sleeper cells: programmed to awaken on command and carry out instructions sent from command and control servers. As in the case of the modularly designed Flame malware, they can be repurposed for multiple ends as required.
From India’s perspective, there is much cause for concern in these developments. With a substantial part of its oil imports coming from the region, attacks on the global energy infrastructure centred in West Asia could have enormous repercussions for India. Unlike physical attacks, which have been held at bay through international pressure, the anonymity of cyber attacks and the absence of norms and conventions make it difficult for the international community to restrain such acts. The sudden loss of petroleum supplies can be cushioned by a strategic petroleum reserve, but efforts to build such a reserve, under way since 2004, are yet to bear fruit. Since gas has become a crucial energy component, the feasibility of establishing a Strategic Gas Reserve could also be considered.
Of more immediate concern are the weaknesses in Indian critical infrastructure which could render it vulnerable to similar attacks. While prediction and prevention strategies are all to the good, even greater emphasis needs to be placed on effective recovery strategies. All of this calls for greater coordination between the motley government, public and private enterprises that together run the country’s critical infrastructure.
Cyber attacks can have devastating results in terms of loss of livelihood, destruction of the economy and anarchy in society. Loss of life alone can no longer be a barometer of devastation. It is as important to have contingency plans ready to deal with all eventualities, as it is for countries to come together to nip this scourge in the bud, and to call out the rogue actors.