Cyber Conflict in the Middle East – Round One

State of (Cyber)War Episode 5

In the latest of our series of discussions on CyAN’s YouTube channel “State of (Cyber)War” playlist about cyber conflict and cyber capabilities, Hugo Tarrida and John Salomon talk about the background and current state of cyber conflict in the Middle East.

We give an overview of some of the major state actors involved, and zero in on the structures, groups, and motivations of the two main regional adversaries – Iran and Israel.

Due to the volume of notes and supporting material, we’ve had to list them here instead. Check out the video at https://youtu.be/X3wkTszRlck.

Notes and links:

Hugo Tarrida on LinkedIn
John Salomon on LinkedIn

02:50 A History of the Israeli-Palestinian Conflict – Mark Tessler, Indiana University Press https://iupress.org/9780253220707/a-history-of-the-israeli-palestinian-conflict-second-edition/

06:05 Stuxnet https://en.wikipedia.org/wiki/Stuxnet – IEEE Spectrum (https://spectrum.ieee.org/the-real-story-of-stuxnet) and Wired (https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/) have two among several good and detailed writeups of the attack

08:45 State of (Cyber)War #4 – “China’s Increasingly Muscular Cyberwarfare Capability”, https://www.youtube.com/watch?v=HLVPDojARh0
10:43 E.g. “The Foundations of Geopolitics” by Aleksandr Dugin, https://en.wikipedia.org/wiki/Foundations_of_Geopolitics – we know we bring this up a lot…
12:45 Anyone who works in cybersecurity, particularly having to do with startups, will be familiar with the plethora of companies at least claiming some sort of origin in IDF Unit 8200 – https://www.idf.il/en/mini-sites/directorates/military-intelligence-directorate/military-intelligence-directorate/

14:00 In all honesty, we did a lot of Wikipedia reading before this, e.g. https://en.wikipedia.org/wiki/Cyberwarfare_by_Iran

14:34 Not only have national cybersecurity agencies, such as the Saudi National Cybersecurity Authority (NCA), been taking this topic much more seriously, for example through preparedness exercises, but various entities such as the GCC central banks have also increased at least their willingness to discuss cooperation and cross-border cybersecurity information sharing over the past 5 years.

15:25 Turkey and Israel have a history of economic and defence cooperation; despite significant tensions over the past few years, these have never fully gone away, not least due to many shared regional interests. For example: https://www.aljazeera.com/news/2022/10/27/israels-gantz-relaunches-defence-ties-with-turkey

15:40 https://old.reddit.com/r/syriancivilwar/ is a wonderful and never-ending source of confusion, with all the greatest hits.

17:32 Saudi Aramco cyberattacks: https://www.cfr.org/cyber-operations/compromise-saudi-aramco-and-rasgas (2012), and https://www.aljazeera.com/economy/2021/7/21/saudi-aramco-confirms-data-leak-after-reports-of-cyber-ransom (2021)

17:45 Such as the OilRig/APT34 group that has also been tied to major attacks on Saudi and Israeli targets: https://www.darkreading.com/cyberattacks-data-breaches/iran-apt34-uae-supply-chain-attack

18:00 For example, the UAE Central Bank’s active involvement in cyber-preparedness exercises for its own financial sector: https://www.centralbank.ae/en/our-operations/risk-management/cyber-security-centre-of-excellence-1/cyber-wargames/

18:05 UAE involvement in Sudan civil war: https://adf-magazine.com/2024/01/uae-role-in-sudans-civil-war-draws-criticism/
18:07 For involvement in the Yemeni civil war, we’ll leave it as an exercise for the listener to find good sources. All the ones we could dig up on a quick search were either horribly out of date, biased, or very limited in scope.

20:26 Duqu (2011): https://www.trendmicro.com/vinfo/br/threat-encyclopedia/web-attack/90/duqu-uses-stuxnetlike-techniques-to-conduct-information-theft
20:29 Duqu 2.0 (2019): https://www.infosecinstitute.com/resources/malware-analysis/duqu-2-0-the-most-sophisticated-malware-ever-seen/

21:10 Specifically, Siemens programmable logic controllers (PLCs) programmed with the Step7 engineering software, used in the Iranian Natanz nuclear research facility.

21:45 Operation Opera/Operation Babylon (1981): https://www.wilsoncenter.org/blog-post/israeli-raid-against-iraqi-reactor-40-years-later-new-insights-archives

22:54 The aforementioned OilRig group may be an example of this. Similarly, see the Iranian Cyber Army: https://en.wikipedia.org/wiki/Iranian_Cyber_Army

23:35 Numerous organizations, in fact – e.g. the Iranian Revolutionary Guard Corps’ Cyber-Electronic Command (IRGC-CEC). The following website has some interesting information, although we cannot guarantee its impartiality or accuracy: https://www.unitedagainstnucleariran.com/iranian-cyber-threat-structure

23:50 Specifically, the Israel National Cyber Directorate (INCD), under whose aegis falls the national CERT and its various subdivisions: https://www.gov.il/en/departments/israel_national_cyber_directorate/govil-landing-page

25:44 Again, OilRig / Helix Kitten / APT34 is only one of many groups involved in attacks directed specifically at Israel. The recent war in Gaza has also caused a dramatic rise in attacks from Hezbollah and related actors – again, at the very least, affiliated with Iran, but due to the nature of tensions in the region, these are very far from the only groups involved.

26:11 https://il-cert.org.il/ – a member of https://first.org. Unfortunately their website isn’t great, but the INCD’s website has more detailed info, including a walkthrough video with obligatory pew-pew maps: https://www.gov.il/en/departments/news/119en

26:26 DigiNotar: https://slate.com/technology/2016/12/how-the-2011-hack-of-diginotar-changed-the-internets-infrastructure.html (Notably, a friend of ours at the Dutch National Cybersecurity Center (NCSC-NL) had a shirt that read, “I took down DigiNotar and all I got was this lousy t-shirt”…)

27:37 https://www.cyberlands.io/topsecuritybreachessaudiarabia for starters. It is also interesting to see an Islamic charity targeted: https://www.infosecurity-magazine.com/news/cyberattack-hits-islamic-charity/

27:57 https://www.bugcrowd.com/glossary/syrian-electronic-army/ – note “directly aligned with President Bashar al-Assad’s regime in Syria”. And being fully conscious of our own philosophical position on murderous autocrats, for a well-researched (but obviously biased) piece on why that’s a bad thing, we strongly encourage you to jump down the rabbit hole of Robert Evans’ Behind the Bastards podcast, for example via his two-part overview of Bashar al-Assad: https://podcasts.apple.com/no/podcast/part-one-bashar-al-assad-the-eye-doctor-who-murdered-a-nation/id1373812661?i=1000439928999

28:25 Among others, the Charlie Hebdo attack in 2015 (https://en.wikipedia.org/wiki/Charlie_Hebdo_shooting), as well as the much deadlier November 2015 attacks throughout Paris (https://en.wikipedia.org/wiki/November_2015_Paris_attacks), not to mention other attacks in Barcelona, Brussels, and elsewhere across Europe and further afield.

28:40 Check out “Encounter Battle: Engaging ISIL in Cyberspace” by Dr. Chris Bronk and Gregory S. Anderson: https://www.jstor.org/stable/26267403?seq=6

31:10 Quds Force is the IRGC’s unconventional warfare and military intelligence branch. CFR has an overview of the IRGC’s structure: https://www.cfr.org/backgrounder/irans-revolutionary-guards

31:18 Interestingly, Russia has helped Iran develop its cyber capabilities. WSJ article on the topic:
https://www.wsj.com/articles/russia-supplies-iran-with-cyber-weapons-as-military-cooperation-grows-b14b94cd

33:36 There are multiple instances of cyberattacks on power infrastructure, Russian and otherwise. The specific example in question actually involved an attack on a local Russian power station: https://therecord.media/russian-alleged-hack-power-grid – Russian attacks on the US power grid have been more focused on scouting and preparing for potential cyberattacks, for example via the Pipedream malware: https://www.wired.com/story/pipedream-ics-malware/ – This is part of a wider set of Russian activities and capabilities targeting adversaries’ power systems, including the BlackEnergy malware used in Ukraine in 2015: https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01

33:03 E.g. https://mwi.westpoint.edu/russias-vast-cyber-web-enables-deniability-and-obscurity-but-not-without-risks/ – we weren’t able to find specific articles relevant to Iran, which is probably more the result of our not having the slightest idea of Farsi, combined with the lower level of attention paid to Iranian-related cyber news compared to Russia.

34:00 Interestingly, the American Enterprise Institute (center-right US think tank, YMMV) claims that a letter (which a very brief Google search failed to turn up) was signed by numerous Shia clerics calling for punishment of “cybercriminals”. What is included in their definition of cybercriminality is left as an exercise for the viewer: https://www.aei.org/articles/iran-prosecute-cybercriminals/

35:59 Remember that “cyber warfare” strictly speaking also includes C4I and other support and intelligence capabilities, not just 1337 h4x0rz.

37:25 NPDO (Iran’s Passive Defense Organization): https://www.iranwatch.org/iranian-entities/passive-defense-organization