Iranian hackers infiltrated Qatar’s government networks, airlines and oil and gas firms as part of a two-year campaign targeting critical infrastructure around the world, according to a new report by a US cybersecurity firm.
While Cylance did not name specific victims, Reuters reported that Qatar Airways was among the targets of “Operation Cleaver.”
The attacks centered on the military, aviation, energy and transportation sectors, among others, in 16 countries that included fellow Gulf states Kuwait, Saudi Arabia and the UAE, according to the report.
Backing up previous remarks from US officials, Cylance also blamed Iran for a 2012 attack that took down the corporate computer systems and website of Qatar’s RasGas and Saudi oil giant Aramco.
The US firm warned that the impact of Iran’s campaign could go beyond network downtime and cause real-world damage.
“As Iran’s cyber warfare capabilities continue to morph, the probability of an attack that could impact the physical world at a national or global level is rapidly increasing,” Cylance stated.
“Iran is no longer content to retaliate against the US and Israel alone. They have bigger intentions: to position themselves to impact critical infrastructure globally.”
While Cylance didn’t provide specific local examples, previous reports said an attack on local utility Kahramaa could disrupt the country’s supply of drinking water.
For its part, a representative of the Iranian government denounced the report.
“This is a baseless and unfounded allegation fabricated to tarnish the Iranian government image, particularly aimed at hampering current nuclear talks,” Hamid Babaei, a spokesman for Iran’s mission to the United Nations, told Reuters.
Cylance doesn’t say why Iran is focused on specific targets in certain countries, except to speculate that the attacks may be an attempt to gain negotiating leverage in its ongoing discussions surrounding the end of its nuclear program.
Relations between Iran and Qatar appear to be relatively cordial on the surface. However, Qatar’s former foreign minister, Hamad bin Jassim Al Thani, described the relationship in late 2009 as one in which “they lie to us, and we lie to them” in a conversation with US officials, minutes of which were obtained by WikiLeaks.
Iran and Qatar back opposing forces in Syria, where Doha has been vocal in calling for the removal of Syrian President Bashar al-Assad, who is backed by Tehran.
Qatar’s support for fighters seeking to overthrow al-Assad was cited as justification by the Syrian Electronic Army for several cyber attacks in recent years, including taking control of Qatar’s .QA domain name in October 2013 and hacking Twitter and Facebook accounts belonging to Qatar Foundation in March 2013, among others.
Qatar’s government has said it is working with businesses and organizations around the country to better shield critical institutions.
In a speech last April, the Minister of Communication and Information Technology, Hessa Al Jaber, said ictQatar has developed a National Cyber Security Strategy to help fend off attacks. The main points include protecting the country’s critical infrastructure, applying international standards for limiting cyber security threats and encouraging the use of secure online services.
Additionally, Qatar adopted a new cybercrime law earlier this year that introduces new penalties for a range of digital offences such as hacking into government networks.
Good to know Ooooooredoesn’t now has a good alibi for how poor their network performance is.
Vodafone also challenges them in this matter 🙂
So far I didn’t see any Iranian IP attacking us... mostly are Chinese.
Which means that they are successful in their attack. A sophisticated APT doesn’t pop on the internet from their home domain IP and run a DDOS attack. This is the fundamental flaw in thinking that leads to these campaigns being successful and as the report details, to go on for years. As indicated in the report, the attacks are sourced from Chinese and American IPs, but with enough digging around one clearly sees that these are just ghosts for the back end operations. The other point to note is that this is not a DDOS attack, this is an intelligence gathering operation, so the “attacks” you may be expecting on the firewall and IDS are simply not going to be there. Rather this is going to look much like regular network activity from regular users across VPNs and on internal services and servers where real application accounts and users which have been compromised are being used to exfiltrate data across permissible ports and protocols. There needs to be a fundamental shift from pretending that we are able to stop attacks and prevent these activities to mitigation of what happens when they are, and they will always be, successful in penetrating the failed defense in depth architectures. Better to think that you are always compromised rather than feeling that you are being successful in thwarting attacks because your firewall log says you blocked X million vectors a day. All the APT, zero day, SIEM, IDS, Firewalls, etc. in the world is not going to stop these types of activities. It simply can’t detect it because it depends entirely on knowing exactly what to look for – meaning predefined signatures and predefined behaviors. To prevent these types of attacks from being successful is a whole different ball game, and one where the “good guys” are outnumbered, outgunned, outmatched, and outplayed time and again.
Wow! I’m so not in touch with the computer age! I went cross eyed reading that!
What I like with the Iranians is that when they are in trouble they rely on themselves. They do not call Mother America to defend them 🙂
Surely you’re not disparaging your Qatari hosts? 😉
Not only Qatar but the whole GCC and I’d say pretty much every Arab country. Even Israel with all the money and sophisticated weapons it has likes to call Mother America for big tasks. On the other hand, Iranians fight for themselves and never seek anyone’s help.
You kind of are forced to do that when practically everyone in the world is your enemy…
And few that worked at QF ever learned about this at the time.
Can’t they ask some of the Iranian-Qatari families here to talk to their buddies back home? I understand there are quite a few of them here.