While various pockets of the Middle East are constantly making headlines for terror threats, civil unrest and the persistent march of the Islamic State, there is a security threat that’s far more widespread, touching the majority of the region.
Experts are warning that the Middle East has become a hotbed for cybercrime. According to Cisco’s 2014 Annual Security Report, total global threats have reached their highest recorded level, increasing 14% from 2012 to last year. A sample of 30 of the world’s largest Fortune 500 companies generated visitor traffic to websites that host malware, with a sharp rise in malware attacks on the Middle East’s oil and gas sector.
The report also states that the Middle East and Africa region posts a strong adoption of smart devices, set to grow from 133 million this year to 598 million by 2018. In addition, current estimates value the Middle East Cyber Security sector at $25bn over the next 10 years.
However, that also means more complex security threats, and businesses across the region are at high risk, with 65% of employees not understanding the security risks of using personal devices in the workplace, Cisco’s recent Middle East ICT Security Study says. As a result, cyber-criminals are increasingly attacking Internet infrastructure, as opposed to individual computers or devices, which is why there has been a rise in password and credential theft, infiltrations, and breaching and stealing data.
Oil and Gas
Cyber attacks are increasingly becoming a cause for concern for oil and gas companies operating in the Middle East.
According to reports by Gulf News, Saudi Arabia’s national oil company Saudi Aramco was hit with a virus that infected roughly 30,000 of its machines in 2013. The report suggests that it took nearly two weeks for the company to recover, disrupting the world’s largest oil producer.
This is just one example of cyber attacks in the region, and the same malware, named Shamoon, was also used in an attack against Qatar’s RasGas, one of the largest liquefied natural gas producers, according to reports.
Several months after the attack, Saudi Aramco said the malware had tried to disrupt the company’s flow of oil and gas supplies to international markets and, by the company’s own estimates, resulting losses attributed to the attack were around $15 million.
Gulf news also reports that in October 2014 British defence and security firm BAE Systems released a military grade solution called IndustrialProtect, to safeguard industrial control systems.
BAE Systems rolled out the product globally in October, and early indicators were that the organisation expected to cash in on companies in the Arab Gulf, Australasia and North America, according to company executives.
Gulf News quoted James Clark, Director of Energy & Utilities from BAE Systems Applied Intelligence as saying that “the threat is very real”.
It’s widely believed that cyber attacks in the Middle East are a mix of hacktivism, which is hacking used as a form of protest to promote political ends, and state-sponsored attacks.
“We have economic war and information technology is one of the weapons,” Vincent Lavergne, Director, Field System Engineering for South Europe, Middle East and Africa, at F5, a company that provides data protection services to multinationals, told Gulf News.
Lavergne also said that one of the key issues oil and gas companies around the world are affected by is the fact that they primarily react to attacks – instead of being proactive. He said that companies can often be wary of high expenditure when it comes to risk mitigation.
However, it’s not just companies based inside the Middle East that are at risk. Early in December 2014, The New York Times ran an article based on a report by Californian security firm Cylance which stated that Iranian hackers had been identified as the source of coordinated attacks against more than 50 targets in 16 countries – many of which were corporate and government entities that manage critical energy, transportation and medical services.
Cylance’s report opens with a clear statement, saying, “Since at least 2012, Iranian actors have directly attacked, established persistence in, and extracted highly sensitive materials from the networks of government agencies and major critical infrastructure companies in the following countries: Canada, China, England, France, Germany, India, Israel, Kuwait, Mexico, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, United Arab Emirates, and the United States.”
Cylance titled this series of attacks as ‘Operation Cleaver’ as the word cleaver frequently appeared in the attackers’ malicious code.
The New York Times article was able to independently corroborate the firm’s findings with another security firm, Crowdstrike. According to the New York Times, Crowdstrike had been tracking the same group of Iranian hackers for the past nine months under a different alias.
The 86-page Cylance report directly identifies only one of Cleaver’s victims — a Navy-Marine Corps network in San Diego that connects sailors, Marines and civilians across the United States. However, it states that other victims in the United States included a major airline, a medical university, an energy company that specialises in natural gas production, an automobile manufacturer, a major military installation and a large military contractor.
The report also zones in on what it calls the “most bone-chilling evidence” – attacks on transportation networks, including airlines and airports in South Korea, Saudi Arabia and Pakistan. Researchers claim that they had found evidence that hackers had gained complete remote access to airport gates and security control systems, “potentially allowing them to spoof gate credentials”.
The New York Times coverage of this group concludes by highlighting that Iranian hackers are also believed to have been behind a series of denial-of-service attacks at American banks that have intermittently taken their banking sites offline.
You can read the full report on Operation Cleaver here – http://www.cylance.com/assets/Cleaver/Cylance_Operation_Cleaver_Report.pdf
Let’s talk about it
The region is not burying its head in the sand when it comes to the treat of cyber crime. On the contrary, the Middle East is leading the charge against cybercrime with a spate of dedicated events and investment aimed at generating discussion at the highest level on the best way to approach the issue.
Cyber Defence and Network Security UAE (CDANS) was held from 8 to 10 December 2014. The summit focussed on the increasing move towards the inclusion of big data analytics and cyber forensics in government cyber security in the UAE. The site for the event states that although “previously considered by some as the preserve of finance and manufacturing sectors, UAE security agencies and government organisations are moving beyond traditional purchases of cyber security software and systems towards analytical preventative and predictive measures as well as rapid response to create a holistic defence and preparedness programme”.
The event ties in with the UAE government’s doubling of cyber security spending to over $10Bn USD over the next five years and its goal of ensuring all services are e-enabled by 2015.
December 2014 also saw the Cyber Security Summit 2014 in Qatar. Endorsed by the Qatar Ministry of Defence, this event was billed as “the essential & confidential cyber security summit for Qatar and the Middle East”. The website for this summit outlines the fact that Qatar’s “growing international profile promoting greater awareness of the country’s wealth” has recently led to the country being a more attractive target for cyber-attacks.
Consequently, the Qatari government is investing in a comprehensive infrastructure programme in preparation for the FIFA World Cup in 2022 and security and fraud prevention measures are expected to figure strongly. In addition, the site states that “Qatar has already implemented a National Shield Project and its IT network of their Ministries and Government bodies will be completely secured by 2016 … Qatar now wishes to lead the way in developing and employing cyber protection and assert itself as a model for Cyber Security”.
Bahrain also held an event to address growing concerns about cyber security threats in October 2014. The Annual Cyber Security Summit was organised by business consultancy Roshcomm in partnership with Boeing International and Websense, under the patronage of Central Informatics Organisation information systems director general Shaikh Salman bin Mohammed Al Khalifa. This event featured workshops, master classes and presentations on the challenges posed by global cyber security threats as well as a ‘hacking challenge game’ or ‘hackathon’ to prove some of the concepts that were debated.
What does the law say?
There are currently cyber crime laws at varying levels in several Middle East jurisdictions.
Late in 2012, the UAE updated its existing cyber crime law with a number of enhancements that addressed loopholes and corroborated that many ‘real world’ offences would also be criminal acts if they occurred electronically. As a result, the cyber crime legislation in the UAE is one of the most comprehensive in the region.
Of particular relevance to UAE-based companies is the new protection afforded to some personal information online. UAE law criminalises the disclosure of certain electronically stored information – including credit card and bank account details and electronic payment methods.
However, it remains to be seen how this law will be enforced in practice. In addition, while the criminalisation of such activities means that offenders could face prosecution, an affected business would still have to bring a civil action to recover any losses.
Elsewhere in the GCC, Bahrain and Qatar have draft laws on computer crimes under consideration while Saudi Arabia and Oman have cyber crimes legislation in place.