Theft of Saudi documents suggests an Iranian hack – Hugh Naylor/The Washington Post
BEIRUT — The purported theft of confidential Saudi documents that have been released by WikiLeaks bears the hallmarks of Iranian hackers linked to cyberattacks in more than a dozen countries, including the United States, according to cybersecurity experts and Middle East analysts.
Last week, WikiLeaks published about 70,000 of what it said were half a million documents obtained from Saudi Arabia’s Foreign Ministry. The transparency advocacy group promises more releases of the diplomatic cables, whose authenticity has not been independently verified.
Experts said that the cables, apparently stolen over the past year, paint an unflattering portrait of Saudi diplomacy as reliant on oil-wealth patronage and obsessed with Iran, the kingdom’s chief rival, but appeared to contain no shocking revelations.
More intriguing, they said, are signs of Iran’s involvement in the breach, suggesting a growing resort to — and proficiency in — cyberwarfare in that country’s long-running confrontation with Saudi Arabia and the West.
“These events fit a pattern that looks and smells like Iranian-proxy actors,” said Jen Weedon, manager of threat intelligence at FireEye, a California-based firm specializing in cybersecurity. Although more information is needed to confirm the source of the attacks, she said, the incident “definitely resembles past activity that we’ve seen by Iranian groups.”
Iranian-sponsored cyberattacks have surged in recent years, cybersecurity firms and Middle East analysts say, following an attack on Iran using a computer worm allegedly created by the United States and Israel. Discovered in 2010, the worm, known as Stuxnet, destroyed centrifuges used in Iran’s nuclear program, which Israel and the West say is intended to produce nuclear weapons. Iran denies the allegation.
The publication of documents comes ahead of a June 30 deadline for negotiations between Iran and six countries, including the United States, to resolve the crisis over the disputed Iranian nuclear program.
Abdullah al-Ali, who heads Cyberkov, a Kuwait-based cybersecurity firm, said the Saudi government has already identified Iranian hackers as the source of the Foreign Ministry breach, which he said started last summer.
He referred to a Saudi cable released by WikiLeaks that shows e-mails among ministry employees discussing an international cyberattack dubbed Operation Cleaver, which began targeting the ministry on July 14, 2014. In the cable, dated Feb. 15, 2015, the employees cite an internal investigation that identifies “Iranian Actors” as part of the attack, which used a phishing technique to infect computers with data-extracting malware.
The U.S. cybersecurity firm Cylance said in a report last year that Iranian hackers carried out Operation Cleaver, which it said targeted 16 countries, including the United States, and affected dozens of government entities and companies involved in transportation, and medical and energy services.
Cyberkov’s Ali described the hack of the Saudi Foreign Ministry as compromising “the entire network” and as “the biggest sensitive-data-extrusion disaster since the Internet was introduced to the Middle East.”
In an e-mail, Hamid Babaei, a spokesman for Iran’s mission to the United Nations in New York, denied Iranian involvement in the Saudi leaks.
Osama Nugali, a Saudi Foreign Ministry spokesman, would not confirm or deny a cyber breach at the ministry. He said some of the documents released by WikiLeaks are fabricated, but he declined to discuss details during a telephone interview, citing “an ongoing investigation.”
U.S. officials and cybersecurity firms have accused Iran’s government of leading a number of sophisticated cyberattacks. They include attacks on major banks, such as Citigroup and Bank of America, beginning in 2012 by a group calling itself Izz ad-Din al-Qassam Cyber Fighters, which officials and experts say is a cover for Iran.
Although not as advanced as other countries known for state-sponsored hacking, such as Russia and China, Iran is becoming more proficient, experts say, particularly in the use of online propaganda.
Phillip Smyth, a researcher at the University of Maryland who specializes in the politics of Iran and its allies, said the country is escalating its use of social media, as well as cyberattacks, to promote its regional policies. Pro-Iran social media activity picked up, for instance, when Iranian-aligned militias from Lebanon and Iraq joined in Syria’s civil war on behalf of President Bashar al-Assad, he said. Assad’s government is a key ally of Iran.
The Saudi Foreign Ministry breach also “bears all the hallmarks of an Iranian-run operation,” Smyth said, noting that WikiLeaks apparently obtained the cables during the Saudis’ ongoing war in Yemen. Since late March, a coalition led by the Saudis has been carrying out airstrikes against Yemen’s Shiite rebels, known as Houthis, who are allies of Iran.
“It’s all certainly suspicious,” he said.
Saudi Arabia, a Sunni powerhouse, views the Houthis as proxies of Iran, which, like the Houthis, is Shiite. The conflict appears to be another of a number of regional proxy contests between Iran and Saudi Arabia that include Syria’s civil war.
A report released Friday by Recorded Future, a firm based in Massachusetts and Sweden that specializes in predictive analytics, describes similarities between Iranian-linked hackers and the Yemen Cyber Army, which last month claimed responsibility for the Saudi Foreign Ministry hack. The little-known group said the move was retaliation for the Saudi-led attacks in Yemen.
Among the indicators of the source of the cyberattack, the report notes, is that the Yemen Cyber Army dumps stolen documents on a file-sharing site, QuickLeak.ir, that is rarely used by typical so-called hacktivist groups but has been used by the Iranian-linked group Parastoo.
The study points out that the Yemen Cyber Army noticeably lacks a presence on popular social media sites, unlike other hacktivist organizations, such as the Syrian Electronic Army, that advertise their exploits on Twitter and Facebook.
Calling that “extremely odd,” the report likens the Yemen Cyber Army to Izz ad-Din al-Qassam Cyber Fighters and other Iranian hacker groups, such as Parastoo and the Iranian Cyber Army, that also lack a social media presence.
Recorded Future also notes the group’s “close coordination” with Iranian media, pointing out that Iran’s semiofficial Fars News Agency was the first to report its claim. Recorded Future commented: “The news outlet quickly emerges as the [Yemen Cyber Army’s] mouthpiece.”
In a statement announcing the release of the Saudi cables, WikiLeaks references the Yemen Cyber Army but does not identify it as the source of the documents. In an e-mail, a WikiLeaks spokesman declined to give details on how the group obtained the Saudi cables or when hackers obtained the documents.