With the Syrian conflict also being waged online, how vulnerable are governments, institutions and businesses in the Gulf?
As last month’s Geneva Two peace talks brought the Syrian conflict no closer to a resolution on the ground, another very real threat looms large on a more virtual horizon.
As negotiations stumbled in the Swiss city, American business magazine Forbes saw its website defaced, and the login credentials of a million users compromised.
The cyber attack was carried out by the Syrian Electronic Army (SEA), a group of hackers aligned with the Syrian regime. It was a reminder that the country’s bloody conflict, now entering its third year, is also a battle of hearts and minds, with the electronic brigade launching offensives against popular news and e-commerce websites to get their point across.
“They see themselves as the guard or the army of Syria in cyber space, and their aim is to protect Syria from internal and external enemies in the physical world,” says Tal Pavel, chief executive of Internet research centre Middleeasternet.
Within Syria, the SEA’s main enemy is the opposition, whose website has been defaced on a number of occasions. Outside the country, Pavel says Arab governments, as well as those in Turkey, Israel and the west, are all targets.
The SEA’s contention with Gulf states such as Saudi Arabia stems from their support for rebels fighting to overthrow the Syrian regime.
The SEA’s most visible attack so far, which had an immediate impact on the physical world, was its infamous hacking of the Twitter handle belonging to the Associated Press last April. A post informing Twitter users that there had been two explosions in the White House and that US president Barack Obama had been injured was planted by the SEA.
The immediate aftermath of the tweet was felt on the Dow Jones index, which dropped 150 points, erasing $136 billion in equity market value, according to Bloomberg News’ Nikolaj Gammeltoft.
The attack appeared to be part of a targeted effort to infiltrate western media outlets, such as the Washington Post, New York Times, Agence France-Presse, 60 Minutes, CBS News, National Public Radio, Al Jazeera English and the BBC, all of which have been hacked by the SEA in the past. Pavel says such attacks are part of ongoing psychological warfare.
“If I have the ability to breach the same news sources, I’m waiting until the right time, for perhaps something related to the Geneva peace talks. I may have the ability to gain access to all kinds of social media accounts of AP, Forbes etc and I inject the same false news on all of them. You will be revealed after a few minutes or half an hour that it is fake but until then I can create damage and this is purely psychological warfare,” he says.
Gulf countries have in the past fallen victim to cyber attacks, for example on critical industry and energy giants such as Saudi Aramco. In the attack against the Saudi state oil company, widely speculated by US intelligence to have had an Iranian hand, three quarters of the data on its corporate computers was wiped out, reported the New York Times.
So far, the attacks by the SEA have largely been limited to targeting social media accounts as well as website defacements. However, Ignacio Paredes, research and studies head at the Madrid-based Industrial Cybersecurity Centre, believes it is only a matter of time before these attacks start targeting critical infrastructure in the Middle East.
“In my opinion, they [SEA] have the potential to perform much more threatening attacks. Nowadays, industrial organisations have a high degree of automation in their critical processes – nearly every industrial control network has some kind of connection to other corporate networks or even the Internet.
“These facts, combined with a traditional lack of awareness about cyber security on the operations technology side, create a very vulnerable environment that could lead to very high impact incidents,” he says.
“This way the attackers, instead of changing the banner of a website or making impolite tweets, could, for instance, access the management interface of a safety valve, a turbine, a floodgate or even a nuclear reactor. You can imagine what kind of impact this would cause.”
Some cyber security experts, such as Nicolai Solling, technology services director at German information security firm Help AG, believe the SEA lacks the sophistication to carry out a large-scale industrial attack.
“In all honesty, the Syrian Electronic Army still remains very politically motivated and so the main threat that they pose to organisations is reputation damage. While it would be impossible to comment on their capabilities, we can say that from what has been carried out so far, their attacks are relatively unsophisticated,” he says.
“Although defacements, which have been one of their primary forms of attack, do not have a direct impact on productivity, they can still cause damage to an organisation’s reputation. This can in turn lead to loss of business when the organisation in question is one where IT security is of prime importance.”
The SEA has stated on its website that its operations are run by a group of young Syrians displeased with the coverage their country receives in the international media. It is believed to have direct links with the Syrian regime, with research by the Information Warfare Monitor (IWM), which has since closed, finding that it is connected to the Syrian Computer Society, which was headed by Syrian president Bashar al Assad in the nineties.
Some experts are, however, unconvinced that the group of hackers is small, unsophisticated or even Syrian.
“You have companies that provide fraud as a service, attack as a service,” says Arun Aravindan, Bahrain-based chief executive of cyber security consultancy Elite Technologies Middle East.
“If someone doesn’t like a certain e-commerce website, they can pay someone to attack it for them. It’s not difficult to get someone to get this going. For all you know, the SEA may be hiring people from elsewhere.”
Pavel says attributing attacks and their sources is difficult in cyber space.
“Sometimes you can neither identify the attacker nor the attack. You cannot know if it’s a cyber attack or a system malfunction. Currently, as we know from all kinds of news and media sources, the question of who is behind this initiative is not so clear. If some research declares that this is some kind of a cyber project of the Syrian regime, or even the Iranian regime, I would not be very surprised.”
Meanwhile, the SEA continues its virtual battle, for instance by determinedly creating new Facebook pages (more than 200 at last count) every time an old one is taken down for violating the social media website’s policy. Phishing attacks and using ‘social engineering’ – psychological manipulation of people into giving confidential information over the internet – are other strategies.
Reputational damage aside, governments and organisations in the Middle East are increasingly worried about data loss, theft or even manipulation, says Solling.
“Data manipulation is something we are seeing more of and it has a devastating impact on productivity. Here, the hackers, after gaining access to the company’s data store, change important information with the intention of disrupting critical operational processes,” he explains.
Help AG says clients are increasingly consulting it over the threat posed by Syria’s virtual army.
“We serve a number of government entities in the region and defacement is a very serious concern for them. That’s because there is an extremely large number of attack vectors for a website, each of which could potentially be exploited to carry out defacement,” says Solling, who adds that cyber security is not foolproof.
“There is no silver bullet,” he notes, pointing out that factors such as employee behaviour and internal data leaks could also expose vulnerabilities.
The other cause of concern for firms in the region, when it comes to enforcing protection against virtual armies, is the cost.
“The investment you’re making in security also has to be in line with what you’re losing when your site is down from a distributed denial of service (DDoS) attack,” says Aravindan.
“Defacement yes, but you can bring it up in an hour. A lot of the loss is reputational. I may get a lot of bad press, but I can live with that. But do I spend a few million dollars in protecting myself when I’m not sure if I can really protect myself?”