Cyberattack on Mideast energy firms was among most destructive, Panetta says

Started by CountDeMoney, October 12, 2012, 02:10:23 PM


CountDeMoney

Quote: Cyberattack on Mideast energy firms was among most destructive, Panetta says

A computer virus that wiped crucial business data from tens of thousands of computers at Middle Eastern energy companies over the summer marked the most destructive cyberattack on the private sector to date, Defense Secretary Leon E. Panetta said Thursday night in a major speech intended to warn of the growing perils in cyberspace.

Panetta did not say who was believed to be behind the so-called Shamoon virus. But he said the malware, which rendered permanently inoperable more than 30,000 computers at the Saudi Arabian state oil company Aramco and did similar damage to the systems of Ras Gas in Qatar, represented a "significant escalation of the cyberthreat."

Such attacks have "renewed concerns about still more destructive scenarios that could unfold" against the United States, he said in an address to business executives in New York. He asked them to "imagine the impact an attack like this would have on your company."

Panetta's remarks on the Middle East incidents were the first from any administration official acknowledging them. In the attack on Aramco, the virus replaced crucial system files with an image of a burning U.S. flag, he said. It also overwrote the files with "garbage" data, he said.

The Middle East cyber-incidents have prompted great concern inside national security agencies, with the military's Cyber Command adding personnel to monitor for the possibility of follow-on attacks. U.S. intelligence and Middle Eastern diplomats have said they believe Iran carried out those attacks in retaliation for a Western oil embargo against Tehran, but other experts have expressed skepticism.

"It's clear a number of state actors have grown their cyber-capabilities in recent years," said a senior defense official who was not authorized to speak for the record. "We're concerned about Russia and China, and we're concerned about growing Iranian capabilities as well."

Although there has been debate over the roles of various government agencies in cyberspace, Panetta made clear that it would be the Defense Department's responsibility to defend the nation in that realm.

Under new rules of engagement for cyberwarfare, he said, the Pentagon's role would extend to defending private-sector computers against a major attack. The conditions under which the rules would trigger a response are stringent, and must rise to the level of an "armed attack" that threatens significant physical destruction or loss of life, senior defense officials said.

Those cyber-rules, which represent the most comprehensive revision in seven years, are being finalized now, Panetta said. For the first time, military cyber-specialists would be able to immediately block malware outside the Pentagon's networks in an effort to defend the private sector against an imminent, significant physical attack, The Post has reported. At present, such action requires special permission from the president.

Panetta said that "foreign cyber-actors are probing America's critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants" and transportation systems. He said the government knows of "specific instances where intruders have successfully gained access to these control systems" and that the intruders are trying to create advanced tools to attack the systems to cause panic, destruction and death.

Panetta outlined destructive scenarios that worry U.S. officials: an aggressor nation or extremist group gaining control of critical switches in order to derail trains loaded with passengers or lethal chemicals; contamination of the water supply, or a shutdown of the power grid across large parts of the country.

The most destructive attack, he said, would be one launched against several critical systems at once in combination with a physical attack on the country.

"The collective result," he said, "could be a 'cyber-Pearl Harbor': an attack that would cause physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability."

Panetta also issued a warning to would-be attackers, saying the Pentagon is better able now to identify who is behind an attack. "Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests," he said.

The department has also developed the capability to conduct operations to counter threats to national security in cyberspace, he said, and would do so in accordance with international law.

Taking offensive action would be the role of the Cyber Command, launched in 2010. Panetta noted that the Pentagon is looking at ways to strengthen the organization, including streamlining its chain of command. A recommendation by senior military leaders to elevate it to full unified command status is under review, officials said.

Panetta, addressing the Business Executives for National Security, said cyber is now a major topic in nearly all his bilateral meetings with foreign counterparts, including in China a few weeks ago. China, which the United States has accused of being a top actor in cyber-economic espionage, is rapidly improving its capabilities, he said.

He reiterated the administration's call for legislation to establish routine cyber-information sharing between the public and private sectors, and to set security standards for companies.

"This is a pre-9/11 moment," Panetta said, in a somber reference to missed signs of the 2001 terrorist attacks on the United States. "The attackers are plotting." He appealed to Congress and the private sector to join the government in improving the nation's defenses to prevent a catastrophic cyber attack.

Congress may or may not get its act together, but you can forget the private sector.  No shareholder value in the expense, and there's no return on investment metrics until after it all comes crashing down.

CountDeMoney

More background on what it does.

Quote: Paul Wagenseil, SecurityNewsDaily
'Shamoon' spyware searches, then destroys

A nasty new piece of malware has been discovered in the Middle East targeting energy companies. Unlike Stuxnet, Duqu or Flame, which stalked the same ground, this one's purely, strangely destructive.

Dubbed "Shamoon" after a filename found in its code, the spyware infects all the computers in an internal network, then effectively erases them — but not before collecting the names of the files it's overwritten and sending them out to an unknown command-and-control server.

It may have already hit Saudi Aramco, Saudi Arabia's state-owned oil-production company, which said Wednesday that it had shut down its main computer systems after an unspecified malware intrusion.

Symantec said that the malware, which it calls "W32.Disttrack," had infected fewer than 50 machines worldwide.

Shamoon ("Simon" in Arabic) even goes so far as to overwrite an infected machine's master boot record, the first thing a computer looks for when it starts up.

"Why would someone wipe files in a targeted attack and make the machine unusable?" wondered one person in a posting Thursday on the official blog of the Israeli Internet-security firm Seculert.

But why?

It's possible that Shamoon is working as the "cleanup crew" with another piece of malware, and serves only to cover up the other malware's existence. But almost all malware, whether criminal or state-controlled, tries to fly under the radar and remain as unobtrusive as possible.

For example, Flame, the state-sponsored spyware discovered earlier this summer, was out "in the wild" for an estimated 5 years before malware researchers spotted it. That extremely long time is testimony to its sophistication.

Shamoon incorporates a feature called "Wiper," also a hallmark of Flame, which cleaned up after itself by erasing traces of its own activities.

However, Kaspersky Lab, one of the organizations that found Flame, says Shamoon's "Wiper" is completely different, and that Shamoon may be the work of amateurs.

"It is more likely that this is a copycat, the work of script kiddies inspired by the [Flame] story," said the official Kaspersky blog.

Fly the (false) flag

There are tantalizing tidbits buried in the Shamoon code that might, or might not, provide clues to its authors' identities, or at least nationalities.

The malware uses a snippet of a larger image to overwrite all the document, music, image and video files it can find. The image, which can be viewed on the Symantec website, looks like part of the American flag.

The feature that wipes the master boot record has links to a London data-security firm called EldoS.

Kaspersky said in its blog posting that EldoS' digital certificate was either stolen or forged to create Shamoon, which would imply a certain level of skill on the part of its authors.

However, Symantec's drier analysis of Shamoon noted that the boot-record wiper is a "clean disk driver" that "may be used for legitimate purposes."

In a blog posting Friday, Eugene Mayevski, chief technology officer of EldoS, angrily lashed out at Kaspersky's assertions that the certificate was stolen.

"Some not-identified script kiddies  :lol: have crafted a malware which wipes victim's disks. To do actual wiping they have used our driver, probably stolen from some of our clients' software," Mayevski wrote.

"Kaspersky Lab and several other wanna-be-specialists from other companies have made conclusions that those script kiddies managed to create the driver and sign it using 'stolen private cryptographic key of EldoS Corporation," he added. "That misleads people and takes [the] analysis in [the] wrong direction." 

Neil

This is the problem with cyberwar:  It's a war the West would lose.  At least they're just attacking other subhumans for now.

Still, private industry has brought this upon itself.
I do not hate you, nor do I love you, but you are made out of atoms which I can use for something else.

The Brain

Women want me. Men want to be with me.

Phillip V


Razgovory

I'm pleased that the term "Script Kiddie" has become mainstream.  We need to go full Singapore on these little fucks.  You create a virus, and get caught.  10 years in jail and a weekly caning.
I've given it serious thought. I must scorn the ways of my family, and seek a Japanese woman to yield me my progeny. He shall live in the lands of the east, and be well tutored in his sacred trust to weave the best traditions of Japan and the Sacred South together, until such time as he (or, indeed his house, which will periodically require infusion of both Southern and Japanese bloodlines of note) can deliver to the South its independence, either in this world or in space.  -Lettow April of 2011

Raz is right. -MadImmortalMan March of 2017

Neil

Quote from: Razgovory on October 13, 2012, 01:32:56 PM
I'm pleased that the term "Script Kiddie" has become mainstream.  We need to go full Singapore on these little fucks.  You create a virus, and get caught.  10 years in jail and a weekly caning.
Wrong.  The death penalty is the only just punishment.  And the US needs to take the viewpoint that a cyberattack is a weapon of mass destruction, and respond to Chinese hacks with atom bombs.

Razgovory


CountDeMoney

Quote: U.S. Suspects Iran Was Behind a Wave of Cyberattacks

WASHINGTON — American intelligence officials are increasingly convinced that Iran was the origin of a serious wave of network attacks that crippled computers across the Saudi oil industry and breached financial institutions in the United States, episodes that contributed to a warning last week from Defense Secretary Leon E. Panetta that the United States was at risk of a "cyber-Pearl Harbor."

After Mr. Panetta's remarks on Thursday night, American officials described an emerging shadow war of attacks and counterattacks already under way between the United States and Iran in cyberspace.

Among American officials, suspicion has focused on the "cybercorps" that Iran's military created in 2011 — partly in response to American and Israeli cyberattacks on the Iranian nuclear enrichment plant at Natanz — though there is no hard evidence that the attacks were sanctioned by the Iranian government.

The attacks emanating from Iran have inflicted only modest damage. Iran's cyberwarfare capabilities are considerably weaker than those in China and Russia, which intelligence officials believe are the sources of a significant number of probes, thefts of intellectual property and attacks on American companies and government agencies.

The attack under closest scrutiny hit Saudi Aramco, the world's largest oil company, in August. Saudi Arabia is Iran's main rival in the region and is among the Arab states that have argued privately for the toughest actions against Iran. Aramco, the Saudi state oil company, has been bolstering supplies to customers who can no longer obtain oil from Iran because of Western sanctions.

The virus that hit Aramco is called Shamoon and spread through computers linked over a network to erase files on about 30,000 computers by overwriting them. Mr. Panetta, while not directly attributing the strike to Iran in his speech, called it "probably the most destructive attack that the private sector has seen to date."

Until the attack on Aramco, most of the cybersabotage coming out of Iran appeared to be what the industry calls "denial of service" attacks, relatively crude efforts to send a nearly endless stream of computer-generated requests aimed at overwhelming networks. But as one consultant to the United States government on the attacks put it several days ago: "What the Iranians want to do now is make it clear they can disrupt our economy, just as we are disrupting theirs. And they are quite serious about it."

The revelation that Iran may have been the source of the computer attacks was reported earlier by The Washington Post and The Associated Press.

The attacks on American financial institutions, which prevented some bank customers from gaining access to their accounts online but did not involve any theft of money, seemed to come from various spots around the world, and so their origins are not certain. There is some question about whether those attacks may have involved outside programming help, perhaps from Russia.

Mr. Panetta spoke only in broad terms, stating that Iran had "undertaken a concerted effort to use cyberspace to its advantage." Almost immediately, experts in cybersecurity rushed to fill in the blanks.

"His speech laid the dots alongside each other without connecting them," James A. Lewis, a senior fellow at the Center for Strategic and International Studies, wrote Friday in an essay for ForeignPolicy.com. "Iran has discovered a new way to harass much sooner than expected, and the United States is ill-prepared to deal with it."

Iran has a motive, to retaliate for both the American-led financial sanctions that have cut its oil exports nearly in half, and for the cybercampaign by the United States and Israel against Iran's nuclear enrichment complex at Natanz.

That campaign started in the Bush administration, when the United States and Israel first began experimenting with an entirely new generation of weapon: a cyberworm that could infiltrate another state's computers and then cause havoc on computer-controlled machinery. In this case, it resulted in the destruction of roughly a fifth of the nuclear centrifuges that Iran uses to enrich uranium, though the centrifuges were eventually replaced, and Iran's production capability has recovered.

Iran became aware of the attacks in the summer of 2010, when the computer worm escaped from the Natanz plant and was replicated across the globe. The computer industry soon named the escaped weapon Stuxnet.

Iran announced last year that it had begun its own military cyberunit, and Brig. Gen. Gholamreza Jalali, the head of Iran's Passive Defense Organization, said the Iranian military was prepared "to fight our enemies" in "cyberspace and Internet warfare." Little is known about how that group is organized, or where it has bought or developed its expertise.

The United States has never acknowledged its role in creating the Stuxnet virus, nor has it said anything about the huge covert program that created it, code-named Olympic Games, which was first revealed earlier this year by The New York Times. President Obama drastically expanded the program as a way to buy time for sanctions to affect Iran, and to stave off a military attack on the Iranian facilities by Israel, which he feared could quickly escalate into a broader war.

In advance of Mr. Panetta's speech in New York on Thursday, senior officials debated how much to talk about the United States's offensive capabilities, assessing whether such an acknowledgment could help create a deterrent for countries contemplating attacks on the country.

But Mr. Panetta carefully avoided using the words "offense" or "offensive" in the context of American cyberwarfare, instead defining the Pentagon's capabilities as "action to defend the nation."

"We won't succeed in preventing a cyber attack through improved defenses alone," Mr. Panetta said. "If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president. For these kinds of scenarios, the department has developed that capability to conduct effective operations to counter threats to our national interests in cyberspace."

The comments indicated that the United States might redefine defense in cyberspace as requiring the capacity to reach forward over computer networks if an attack was detected or anticipated, and take pre-emptive action. These same offensive measures also could be used in a punishing retaliation for a first-strike cyberattack on an American target, senior officials said.

One senior intelligence official described a debate inside the Obama administration over the pros and cons of openly admitting that the United States has deployed a new cyber weapon, and could use it in response to an attack, or pre-emptively.

For now, officials have decided to hold back. "The countries who need to know we have it already know," the senior intelligence official said.