
Senior Staff Writer

Leaked Saudi emails reveal new victim of Iranian hackers

Jun 23, 2015 (4 min read)
Advanced Persistent Threats, Business Continuity, Cybercrime

The Saudi Ministry of Foreign Affairs is a previously unknown victim of Operation Cleaver

Documents published by WikiLeaks, sourced from the Saudi government, have revealed the country’s Ministry of Foreign Affairs (MOFA) as a victim of the series of attacks in 2014 collectively called Operation Cleaver.

Until the documents were published last week, the MOFA was an unknown victim of the attacks that were blamed on actors in Iran.

WikiLeaks published the Saudi documents last week, releasing 61,214 communications from various Saudi embassies around the world. WikiLeaks says it has more than half a million cables and other documents set for release.

Most of the cables, emails, and documents are sourced from Saudi state institutions, including the Ministry of Interior, MOFA, and the Kingdom’s General Intelligence Services. One email, however, dated 15 February 2015, is a security incident / after-action report outlining the measures taken after it was determined that the agency was a victim of Operation Cleaver.

Last December, security firm Cylance released a report on Operation Cleaver, which is said to have started in 2012.

Cylance noted in its report at the time that actors from Iran operated a global surveillance and infiltration campaign against government agencies and critical infrastructure firms in more than a dozen countries, including all of North America, China, England, France, Germany, India, Israel, Kuwait, Pakistan, Qatar, Saudi Arabia, South Korea, Turkey, and the UAE.

“The targets include military, oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, technology, education, aerospace, Defense Industrial Base (DIB), chemical companies, and governments,” the report explained.

The report flags Saudi Arabian oil and gas facilities, as well as airports as victims, but the MOFA was not referenced as a target. However, according to the leaked emails, they were in fact victimized by the alleged Iranian-campaign.

Brian Wallace, a security researcher on the Cylance SPEAR team, told Salted Hash that the leaked incident report matches many of the known flags for an Operation Cleaver compromise.

The details regarding the TinyZBot malware and spear phishing campaign that targeted the ministry align with the details seen in other Operation Cleaver attacks in the Persian Gulf, Wallace said. In addition, the approximate timeline outlined by the incident report matches as well.

The Saudi email says the attack against the MOFA started in July of 2014, with a social engineering campaign against a system administrator via his LinkedIn profile. From there, the administrator was offered a job via email matching his skills and required to download résumé software.

While the administrator was submitting his résumé to the fake job website (created especially for this campaign), the system was infected by TinyZBot, which led to credential compromise.

The actors then used the compromised credentials to access the MOFA network via VPN. The résumé website was taken offline the day the Cylance report was published.

“The result of the incident investigation concluded that this was a targeted attack, which is part of an Iranian operation to compromise MOFA’s environment. The attack utilized social engineering techniques to steal system admin credentials and get access to the environment,” the leaked incident report concluded.

The incident report also notes a breakdown in defenses at the MOFA, including the fact that IDS deployments failed to detect the attack. In addition, it was determined that the MOFA had inadequate logging (its proxy logs were retained for only seven days), that there were firewall rules with various problems, and that there was no real-time monitoring in the SOC at the time of the incident.

Moreover, the report complains about a lack of collaboration with the Saudi Ministry of Interior, as the incident was reported two months after the suspected period of attack. This, the report adds, affected the investigation, as evidence might have been deleted, altered, or overwritten. The lack of collaboration also meant the incident could not be contained in a timely manner.
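The two preceding paragraphs describe the detection and evidence gaps: stolen administrator credentials were used over the VPN with no real-time monitoring in the SOC, and seven-day proxy log retention could not cover a two-month reporting delay. The following is an added example (not code from the article, from Cylance, or from the leaked report) of the kind of check a SOC would run against VPN authentication logs, plus a small retention-versus-delay calculation. The log format, account names, IP addresses and dates are all constructed for illustration.

```python
"""Flag privileged VPN logins from sources not seen during a baseline period,
and quantify how much of the attack window falls outside log retention.

Added example; the log format and every value below are constructed
assumptions, not data from the leaked MOFA report."""
from collections import defaultdict
from datetime import datetime

# Constructed VPN authentication log. Assumed format per line:
#   <ISO-8601 UTC timestamp> <username> <source IP> <success|failure>
SAMPLE_VPN_LOG = """\
2014-06-02T08:05:11Z sysadmin01 10.20.0.15 success
2014-06-03T08:11:42Z sysadmin01 10.20.0.15 success
2014-06-10T18:30:03Z sysadmin01 10.20.0.15 success
2014-07-14T02:17:55Z sysadmin01 203.0.113.77 success
2014-07-14T02:18:30Z sysadmin01 203.0.113.77 success
2014-07-15T09:00:12Z analyst07 10.20.0.31 success
2014-07-15T23:41:09Z sysadmin01 198.51.100.9 failure
"""

# Assumed set of accounts with administrative rights on the network.
PRIVILEGED_ACCOUNTS = {"sysadmin01"}


def parse_vpn_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "result": result,
        })
    return events


def new_source_logins(events, privileged, baseline_until):
    """Return (timestamp, user, source) for each successful login by a
    privileged account from a source IP that account never used before
    `baseline_until`. Events before that cutoff only build the profile;
    each new source is reported once."""
    known = defaultdict(set)  # user -> set of source IPs already seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] != "success":
            continue
        if ev["ts"] < baseline_until:
            known[ev["user"]].add(ev["src"])
            continue
        if ev["user"] in privileged and ev["src"] not in known[ev["user"]]:
            alerts.append((ev["ts"].isoformat(), ev["user"], ev["src"]))
        known[ev["user"]].add(ev["src"])
    return alerts


def evidence_gap_days(retention_days, reporting_delay_days):
    """Days of the suspected attack window that are no longer covered by
    logs once the incident is finally reported (0 if retention suffices)."""
    return max(0, reporting_delay_days - retention_days)


def detect_demo():
    """Run the detection over the constructed log with a July 1 cutoff."""
    events = parse_vpn_log(SAMPLE_VPN_LOG)
    return new_source_logins(events, PRIVILEGED_ACCOUNTS, datetime(2014, 7, 1))


if __name__ == "__main__":
    for alert in detect_demo():
        print("ALERT privileged login from new source:", alert)
    # Seven-day proxy retention against a roughly two-month reporting delay.
    print("days of attack window with no proxy logs:", evidence_gap_days(7, 60))
```

Only the first successful login from the unfamiliar address is reported; the failed attempt and the non-privileged analyst's login are ignored. Running the retention calculation with the article's figures (seven days of proxy logs, a report filed roughly two months late) shows how much of the suspected window leaves no evidence at all, which is the point the incident report makes about altered or overwritten evidence.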

Prior to the incident report being filed, the MOFA was in discussions with Intel Security (McAfee) to get pricing on a number of security services, including those that would address the noted gaps in the ministry defenses.

There were no other documents tied to this incident report, so the final status of the incident remains unknown. The report also lists several recovery steps and precautions taken to prevent a repeat incident, but it isn’t clear if all of them were accomplished.