Another False Flag? "Destructive Iranian Hackers" Allegedly "Wreak Havoc" With Saudi Computer Systems

In what may soon emerge as the latest Middle East diplomatic scandal, not to mention roil the just-concluded OPEC deal, Bloomberg reports that state-sponsored hackers have conducted a "series of destructive attacks on Saudi Arabia over the last two weeks, erasing data and wreaking havoc in the computer banks of the agency running the country’s airports and hitting five additional targets." Additionally, “several” government agencies were also targeted in attacks that came from outside the Kingdom, according to state media.

However, according to early reports from a Saudi probe, "digital evidence" suggests the attacks emanated from Iran. While Bloomberg believes that this could present President-elect Donald Trump with a major national security challenge as he steps into the Oval Office, it also threatens to destabilize the recent detente between the two countries, which granted Iran bragging rights to be the only country allowed to boost output as part of the Vienna OPEC production cut deal.

To be sure, one can't discount the possibility of a false flag attack, with the intentional purpose of destabilizing relations. According to Bloomberg, unlike a 2012 attack on Saudi Aramco or the one by North Korea against Sony Pictures in 2014, "the latest was perpetrated by detonating a cyber weapon inside the networks of several targets at once. Concerns over a broader campaign set off a search in computer networks throughout the Gulf for more traces of the digital bomb." It is unclear whether Iran has the technological wherewithal to engage in such a complex cyberattack.

If confirmed that Iran is behind the attack, an angry Saudi response is guaranteed: thousands of computers were destroyed at the headquarters of Saudi’s General Authority of Civil Aviation, which was caught completely by surprise, "erasing critical data and bringing operations there to a halt for several days, according to the people familiar with the investigation." 

The people familiar with the probe didn’t identify the other targets but one said they were all inside Saudi Arabia and included other government ministries in the kingdom, a country where information is highly controlled. Extensive damage occurred at four of the entities but the virus was halted by defensive measures at the other two.

Just like Russia, which the US has repeatedly blamed, without providing any evidence, for engaging in cyberattacks against the US, most recently to destabilize the US election (a claim that the Russian FM yesterday told Italy's Corriere della Sera was a "myth"), the U.S. considers Iran a major cyberwar adversary. In 2012, U.S. officials accused Iran of being behind months of strikes in 2012 against the websites of major U.S. banks and the infiltration of a small dam 20 miles north of New York City the following year. They also said Iran was behind the attack on Aramco, the world’s largest oil company, which destroyed 35,000 computers within hours.

Then again, perhaps it is just retaliation: Iran itself has been the victim of cyberstrikes, with experts saying that the U.S. and Israel were behind an attack that used the so-called Stuxnet virus to disable operations at an Iranian nuclear enrichment plant at the start of the decade.

While tensions appeared to ease after the Iranian government reached a nuclear-nonproliferation deal last year with the five members of the United Nations Security Council, an accord shepherded by the Obama administration, worries have emerged that Donald Trump may tear up the deal "on day one", as he has threatened to do during his presidential campaign.

Meanwhile, Bloomberg adds that investigators piecing together the computer destruction are trying to determine a motive for the attacks, which occurred in the last three weeks: between Trump’s election and key OPEC meetings. "Anyone who did this attack knows it has implications for the nuclear deal," said James Lewis, director of the strategic technologies program at the Center for Strategic and International Studies in Washington.

According to Lewis, the attacks "could be a shot over the bow by Iran." He also admitted that the attack could be "possibly the work of another country mimicking Iran in hopes of derailing the accord with a provocative act." However, so far investigators have found no evidence to suggest a country other than Iran was involved in the attacks, as one would expect from a sophisticated false flag operation, perhaps one initiated by Israel, which did tremendous damage with the Stuxnet attack on Iran's nuclear infrastructure. However, it’s also possible that attacks of this kind can be mimicked to make them look like they come from a particular country.

"Some of these are signaling operations, testing the threshold. Is the response going to be just a speech or is it going to be something more?" asked Melissa Hathaway, a senior adviser at Harvard University’s Belfer Center and former cyber official in both the Obama and Bush administrations. Like Lewis, she spoke generally and without direct knowledge of the Saudi incident.

To be sure, if it was indeed a false flag, the one country that would stand to benefit the most from impairing relations between Iran and Saudi Arabia would be Israel: the legacy nemesis of Iran has long made it clear that Iran being perceived as an object of stability in the region is against its national interest; several years ago Netanyahu was allegedly close to launching a campaign to prevent Iran from developing its nuclear program, and was one of the catalysts for the subsequent imposition of sanctions against Iran, which were removed last year as part of Obama's landmark deal.

However, the person who will most likely be left to find a resolution, should another Middle East scandal erupt as a result of this hack, will be Donald Trump.

"The next president and his team will have to grapple with these questions probably in the first month, maybe even the first 72 hours," Hathaway said.

The attacks were conducted with the same malware, known as Shamoon, that devastated Saudi Aramco in 2012. Although hackers usually add enhancements to malware to advance its capabilities and make it harder to detect, they used exactly the same file as in the Aramco incident, the people familiar with the investigation said. Shamoon overwrites files and renders the infected computers inoperable by destroying the master boot record. It spreads quickly throughout a network, causing destruction like the digital version of a wildfire.

In a similar move in 2014, Iranian hackers managed to destroy most of the computer network of Sheldon Adelson’s Sands Corp., after the casino magnate angered Iranian leaders by publicly suggesting the use of nuclear weapons against the country. The U.S. publicly cited Iran as the culprit.

Concerned there might be additional targets, investigators working the latest case began alerting governments and companies last week. They quietly distributed digital indicators that can be used to determine if the Iranian malware is hiding in other networks. The first samples of the malware used in the latest attack were uploaded on Nov. 16, likely indicating the date of the first attack, according to records from VirusTotal, a malware library.

Finally, should a scandal erupt between the two nations - although we are confident Iran will deny it was the source of the hack - it is likely that the just-concluded OPEC production cut, in which implementation and enforcement of production levels is already questionable, will be put in jeopardy. However, if nothing else, at least Saudi Arabia will have a basis to back out of the deal if and when it so chooses - an outcome many oil experts have said is very likely - having a convenient scapegoat on which to blame the collapse of the "historic" agreement.