Search This Blog

Showing posts with label Saudi Arabia. Show all posts

Analysis of Industrial Control System Security

We are presently experiencing IT/OT convergence, which will reveal new hurdles for both IT and OT divisions to overcome. Site engineers have traditionally overseen operational technology with an emphasis on reliability and stability. However, as OT systems become more integrated, these two worlds must start functioning as a single entity. The panorama of industrial cyber risks changed in 2010. Since Stuxnet targeted crucial supervisory control and data acquisition (SCADA) systems, which immediately gained attention on a global scale. 

Humans can operate and manage an industrial facility utilizing computer systems employing OT, which consists of programmable logic controllers (PLCs), intelligent electronic devices (IEDs), human-machine interfaces (HMIs), and remote terminal units (RTUs). These systems are linked to sensors and devices on the site, which could be a factory or a power plant. 

Industrial control systems are a common name for this set of process control equipment (ICSs). These technologies allow hackers to act based on what they see on the screen, in addition to providing information to them. Operational technologies have always been created with safety and availability in mind, but with relatively minimal care for cyber security. This is a significant contrast between OT and IT. 

Stuxnet: What is it? 

As per reports, Stuxnet influenced countless rotators at Iran's Natanz uranium advancement office to wear out. Afterward, different gatherings modified the infection to explicitly target foundations like gas lines, power stations, and water treatment offices. It is assessed that the US and Israel cooperated to make the malware. 

Industrial facilities have possibly "air-gapped," demonstrating that there is no connection between the organization inside the office and the organizations outside. This postures one of the obstructions in arriving at these regulators. A portion of the world's richer countries has figured out how to get around this countermeasure, regardless. 

 Iran benefited from the assault 

"The attack by Stuxnet opened the world's eyes to the idea that you can now design cyber weapons that can harm real-life target" said Mohammad Al Kayed, director of cyber defense at Black Mountain Cybersecurity. You could gain access to a nation's whole infrastructure and, for instance, turn off the electricity. In just this manner, Russia has twice attacked Ukraine.

Iran gained from the hack that the appropriate tool stash can likely be utilized to target ICS. It likewise noticed the power of those assaults. Somewhere in the range of 2012 and 2018, specialists saw an ascent in cyberattacks against Saudi Arabian modern offices as well as those of different nations nearby. 

"A virus program called Shamoon was one example. Three distinct waves of the virus have struck Saudi Arabian industrial facilities. The original version affected a few other businesses and Saudi Aramco. In a few years, two new variants were released. All of them exploited Saudi Arabian petrochemical firms and the oil and gas sector" stated Al Kayed. Saudi Arabia was a target since it has numerous manufacturing plants and sizable oil production operations. It is Iran's rival in the area and a political superpower. 

Connecting OT and IT invites vulnerability

When ICS is connected to an IT network, hacks on those systems are even simpler. By exploiting the IT network first, malicious actors can remotely attack OT assets. All they need to do is send an expert or employee who isn't paying attention to a phishing email. When industrial control systems are connected to an IT network, attacks on those systems are even easier. 

Al Kayed proceeds, "Anybody can bounce into designing workstations and other PC frameworks inside a modern site. Now that they understand how one can remotely put the malware on such modern control frameworks. Although they don't at first need to think twice about designing workstations at the office, there is a method for doing so because it is connected to the corporate organization, which is in this manner connected to the web. You can move between gadgets until you show up at the ideal design workstation in the petrochemical complicated or the power plant. "

Saudi government takes measures 

The targeted nation can acquire the necessary skills, possibly repair the weapon used against it, and then go after another target. Saudi Arabia, which has numerous manufacturing plants, is the nation in the area with the main threat on its front. Therefore it makes sense that the Iranians exploited what they had learned to strike its strongest rival in the region. 

However, the Saudi government is acting to stop similar attacks from occurring again. The National Cyber Security Authority (NCA) created a collection of legislation known as the Essential Cybersecurity Controls (ECC), which are required cyber security controls, to stop the attack type mentioned above. One of the only nations in the area having a security program that goes beyond IT systems is Saudi Arabia right now. It has also taken into account the dangers to OT infrastructure. 

Guidelines for ICS security 

The protection of industrial control systems is currently a global priority. A thorough set of recommendations for defending industrial technology against cyber security risks was released in 2015 by the US National Institute for Standards and Technology (NIST). Four important lessons can be learned from the attack on Iran and the ensuing attacks on Saudi Arabia:

  • The first step is to separate OT from IT networks. 
  • Utilize an industrial intrusion detection and prevention system and anti-malware software. 
  • The main targets of attacks on OT networks are HMIs and PLCs. Use specialized technologies, such as data diodes, which accomplish what a network firewall accomplishes logically but in a physical way.
  • Monitoring is a crucial step: "Security monitoring" is a frequent IT practice. But not many OT facilities do that currently.

USD 50 Million Ransom Demanded from Saudi Aramco Over Leaked Data

 

Saudi Arabia's state oil firm admitted on Wednesday that data from the corporation was leaked and that the files are now being used in a cyber-extortion effort including a USD 50 million ransom demand. The data was presumably leaked by one of the company's contractors. Saudi Aramco, the Saudi Arabian Oil Co., notified The Associated Press that it "recently became aware of the indirect release of a limited amount of company data which was held by third-party contractors."

Saudi Aramco is a public Saudi Arabian oil and gas enterprise headquartered in Dhahran. It is expected to be one of the world's most profitable corporations as of 2020. Saudi Aramco has the world's second-biggest proven crude oil reserves, with about 270 billion barrels (43 billion cubic metres), as well as the world's greatest daily oil production. 

The Master Gas System, operated by Saudi Aramco, is the world's biggest single hydrocarbon network. It handles about one hundred oil and gas fields in Saudi Arabia, including 288.4 trillion standard cubic feet (scf) of natural gas reserves, and its crude oil production totaled 3.4 billion barrels (540 million cubic metres) in 2013. The Ghawar Field, the world's largest onshore oil field, and the Safaniya Field, the world's largest offshore oil field, are both operated by Saudi Aramco. 

The oil company did not specify which contractor was affected, nor did it clarify whether the contractor was hacked or if the information was released in some other way. "We confirm that the release of data was not due to a breach of our systems, has no impact on our operations and the company continues to maintain a robust cybersecurity posture," Aramco said. 

The AP found a page on the darknet, a section of the internet kept behind an encrypted network and accessible only through specific anonymity-providing tools, that claimed the extortionist had 1 terabyte of Aramco data. The page offered Aramco the chance to have the data destroyed for USD 50 million in cryptocurrency, with a countdown counting down from USD 5 million, most likely to put pressure on the corporation. It's still unknown who's behind the ransom plot. 

Aramco has previously been the victim of cyber-attacks. The so-called Shamoon computer virus, which destroyed hard drives and then flashed a picture of a burning American flag on computer displays, affected the oil behemoth in 2012. Aramco was compelled to shut down its network and destroy over 30,000 machines as a result of the attack. Later, US officials blamed the strike on Iran, whose nuclear enrichment programme had just been targeted by the Stuxnet virus, which was most likely created by the US and Israel.

Attack against Saudi Aramco Damages the World's Biggest Oil Producer



With the Saudi government and U.S. intelligence authorities accusing Iran, and Iran accusing the Yemeni rebels, the most recent attack against Saudi Aramco has damaged the world's biggest oil producer and deferred oil production, roiling oil and gas markets.

As of late, Iran has indeed deployed dangerous computer viruses against Saudi Arabia and these attacks have now marked a somewhat "real-world" continuation of this long-stewing cyber war between the two nations, by and by overflowed into other global powers.

Nicholas Hayden, the global head of threat intelligence for cyber intelligence company Anomali, who has served as a cyber-security operator in the electrical sector says that, “There hasn’t been a discernible increase in cyber-attack activity in the region yet but while nothing is standing out right now in the region, there’s a good chance that there are nation-state actors involved, ”

Iran has been notably known for increasing cyber-attacks when it clashes with nations, and that can likewise mean collateral damage in other companies  as well not simply Saudi-owned working together in the area.

“We’re certainly paying more attention than we normally would to that area. When stuff like this happens, we tend to put our ear a little bit closer to the ground.” Says Hayden.

Since, collateral damage is a common symptom of regional cyber conflict, organizations working in Saudi Arabia and beyond ought to likewise be alert for any changes that might hit the region.

The majority of the experts surveyed by CNBC conceded to one end solution, that in spite of the 'economic odds' stacked against them, Iran has turned out to be one of the world's most noteworthy cyber security powers.

John Hultquist, director of intelligence analysis for cyber security company FireEye, included later that, they’ve never been the most technically sophisticated. But they have made up in their brazenness, their willingness to destroy and disrupt. They have really separated themselves on this from others, as if they have nothing to lose.”

Regardless of all this Saudi Aramco yet again declined to comment for the issue when approached.

Saudi Arabia behind Jeff Bezos' phone hack




The investigators of Amazon chief’s release of intimate images believes that Saudi Arabian authorities were behind it.

According to the security officer of Amazon boss Jeff Bezos 
the Saudi Arabian authorities hacked into his phone, and obtained private data from it. 

Gavin De Becker, a longtime security consultant, launched the investigation after the National Enquirer published intimate texts between Bezos and his mistress, a television anchor Lauren Sanchez.

Last month, Bezos accused the newspaper’s owner of trying to blackmail him with the threat of publishing 'intimate photos' he allegedly sent to Sanchez unless he said in public that the tabloid’s reporting on him was not politically motivated.

"Our investigators and several experts concluded with high confidence that the Saudis had access to Bezos' phone, and gained private information," de Becker wrote on The Daily Beast website.

Last month,  the incident came into light when Mr Bezos acccused the owner of the tabloid of threatening him to publishing the ”intimate photos" that he allegedly sent to Ms Sanchez unless he did not publicly state that the tabloid's coverage of him was not politically motivated.




Espionage Group Aka Apt33 Targeting Various Organization in Saudi Arabia and US by Deploying A Variety of Malware In Their Network




An unceasing surveillance group otherwise known as APT33 group (Elfin) known for explicitly targeting on corporate networks has now set its sights by focusing on various organizations in Saudi Arabia and US by sending an assortment of malware in their system.

The hacker group which has reportedly compromised around 50 organizations in various countries since 2015, so far its attackers have bargained a wide range of targets including, governments alongside associations in the research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.

The cybercriminals scan the defenseless sites of a particular target and later use it for either command and control server or malware attacks if the site will be undermined effectively.

In spite of the fact that the gathering fundamentally focused on Saudi Arabia, with the 42% of attacks since 2016 and it’s compromised 18 organizations in the U.S alone in the course of recent years.

 In any case, for this situation, Elfin focused on organization including engineering, chemical, research, energy consultancy, finance, IT, and healthcare sectors in the U.S alone.





Amid the attack, Elfin is said to have used an assortment of open source hacking instruments, custom malware, and commodity malware to compromise the diverse targets.

Elfin Adept utilizes various openly accessible hacking instruments, including:
  • LaZagne (SecurityRisk.LaZagne): A login/password retrieval tool
  • Mimikatz (Hacktool.Mimikatz): Tool designed to steal credentials
  • Gpppassword: Tool used to obtain and decrypt Group Policy Preferences (GPP) passwords
  • SniffPass (SniffPass): Tool designed to steal passwords by sniffing network traffic


Additionally, numerous commodity malware tools were utilized for these attacks and the malware accessible for purchase on the digital underground including:
  • DarkComet (Backdoor.Breut)
  • Quasar RAT (Trojan.Quasar)
  • NanoCore (Trojan.Nancrat)
  • Pupy RAT (Backdoor.Patpoopy)
  • NetWeird (Trojan.Netweird.B)

Other than these, the custom malware family incorporates Notestuk (Backdoor.Notestuk), a malware in order to access the backdoor and assembling the data, Stonedrill (Trojan.Stonedrill), a custom malware equipped for opening a secondary passage on an infected PC and downloading the additional records.

Google refuses to delete "Absher" that allows men to track women





Google has refused to remove a Saudi Arabia government app "Absher" that allows men to track and control women's movements.

After reviewing the app, the company said that the software does not violate any of its agreement, and terms and conditions.

The tech giant has conveyed their decisions to the office of Representative Jackie Speier, a California Democrat who, with other 13 colleagues in Congress, demanded the removal of the app from the Google Play store.

The app allows men guardians of the women to a state where their dependents can go, for how long and which airports they can visit.

If a woman leaves a certain area, then immediately an alert is triggered to their male guardians.

The app has been criticized for its oppressive nature. It was initially designed for  Saudi citizens to access e-government services, but it also allows men to track their female dependents and migrant workers, in order to track their movements and restrict their free passage through passport data.

The app is available on both Google Play Store and Apple App Store.

However, Apple says it is still reviewing Absher.