
Now our next speaker, our closing speaker, is Chris Kubecka. I mentioned her in the opening but I have to mention it again: she is a very, very unique, very special individual. I first met her at the DEF CON hacking conference, where we both attended a dinner with Congress people who came to DEF CON, and the Congress people were as confused as we were at the entire situation, but it was just one example of how the hacker community connects outside the boundaries, which is what we at BSides Tel Aviv are all about. So Chris Kubecka, this unique speaker: there are so many interesting facts to say about her, where should we start? I first met her at DEF CON, I mentioned this. Oh, she's one of the first people to get married at DEF CON. Yes, that's a thing: you don't just go to Vegas to get married, you go to a hacking convention in Vegas to get married, and that's what Chris Kubecka did. She is the CEO and founder of HypaSec, where she offers incident management, ethical hacking, training services and advisory services to governments. Prior to HypaSec, Chris headed the information protection group and international intelligence for Saudi Aramco, I think they're the biggest oil company in the world. After the 2012 Shamoon attack, which wiped many of Aramco's computers, she was the one whose job it was to reestablish international business operations and implement digital security following this attack, which deeply affected not just the company but the entire region, the countries of Saudi Arabia, Qatar and Bahrain, and the entire oil production and supply chain really, if you think about it. Chris is a United States Air Force veteran; the United States Air Force is a very friendly force to the Israeli Air Force, which is the friendliest force towards the IDF. It was a joke in the beginning, if you're still with me I hope you got it. And she is also the author of several books on the subject of open source intelligence, or OSINT. Chris has so many interesting stories and amazing life experiences to share with us, so I'm just going to let her speak for herself, because I don't think I could ever, ever cover the incredible life and journey that Chris Kubecka has had. Now, do we have Chris live? Are we good to go? All right, Chris, I am so, so excited that you're with us. Chris is going to join us remotely from Amsterdam, and it's amazing that we can bring all of these fantastic speakers right here to Tel Aviv. Chris, thank you so much for being our closing speaker. Chris Kubecka, the floor is yours.

It is so good to be here, and thank you so much for inviting me for the closing keynote. Hopefully this will be interesting for you. I'm going to describe some fantastically wonderful, sometimes not so wonderful, adventures I've had involving the new cyber cold war by proxy, Saudi versus Iran. So a little bit more about me, thank you so much Keren: I do a lot of work within the critical infrastructure realm, from oil and gas all the way to nuclear. My first career was as an aviator in the US Air Force as a loadmaster; my second career was with command and control systems for Space Command. And the picture that you see on the side: I unfortunately had a little bit too much time and technology at my fingertips at the age of 10, so I was busted hacking into the Department of Justice. When I was allowed to use a computer almost eight years later, the US Air Force kindly, uh, molded me into the person I am today.

So we've been talking a lot about hackers today, good hackers, bad hackers and sometimes nation-state hackers, and we have to remember that the more things we connect to the Internet as we move forward, the more entry and exit points we're going to have that are exposed, and almost every organization, no matter how new and how much money they have, is going to have some sort of legacy equipment. We have to deal with nation-states; we also have to deal with what we call patriotic hackers that may or may not be funded by these nation-states, and whether we're talking about superpowers or countries that want to be superpowers, at least of their region, third parties leave us exposed. We cannot operate in technological isolation, and still the majority of companies and many governments don't take the risk of cyber security and major cyber incidents seriously, so they don't prepare properly. So there are a lot of actors that are in operation in the Middle East right now; some of them, however, aren't actually in the Middle East. So we're looking at not so nice folks, sometimes from China, North Korea, Russia; the United States sometimes gets in the mix, and it causes a very, very interesting state of affairs when it comes to what goes on in the Middle East.
So, Saudi and Iran. I quite like this graphic because we have no idea what round they're on, but they keep fighting, and Iran has certain reasons why they want to harm the Saudi Arabian economy and especially the oil markets: if a barrel of oil is at a certain rate they actually make money, because it costs them far more money to actually produce a barrel of refined oil. So one of my favorite quotes from a former CEO of Saudi Aramco is: never underestimate how dependent you are on your information technology and systems; it's become like oxygen, you can't live without it, you think you can live without it but you can't. And here we all are in this hybrid event: without the technology that we love and that is so near and dear to our hearts, we could not be at this conference. But think about all of the other things that run on various different types of networks and technology, and we're talking about everyday things in your home, things like power being delivered to your home.

So in 2012 there was a very interesting, we'll say, attack against Saudi Aramco. Prior to the actual time bomb that went off, there were two instances of domain administrators in Saudi Arabia at Saudi Aramco that were phished successfully, and this gave them the keys to the kingdom, so to speak. Now at the time Saudi Aramco did have what they called a security operations center; I would not call it that. And some of the IT people from Houston saw that there was an indicator of compromise, that someone was on the network, and they called them up over in Saudi Arabia and said, hey, you know, um, we're seeing a domain admin that's logged in to 250 different devices at the same time; we're not security people but we think this is kind of strange. Unfortunately the manager at the time said, we're going through an ISO certification, you know, we have auditors, how dare you call me. So then Europe started to get involved, from the European headquarters, and up until two days before the attack occurred on the 15th of August contacted the same manager on his day off and said, listen, we are seeing very clear indicators of compromise, and the manager, who by the way is not the manager anymore, said, how dare you call me on my day off. So there were some cultural issues between the various offices, and also the fact that at the time Saudi Aramco truly did not think that they would ever be targeted. Unfortunately, a Pastebin was found two hours before the attack; there was a time bomb, a logic bomb, and things started to get wiped. Now they did try their best to protect the production, but on their business network they had pretty much no real protection. They had near zero visibility; they did not encrypt internally, so you could reset your domain password over a web interface that was only HTTP, completely unencrypted, so it was very easy for attackers to move throughout the network, both with the domain admin credentials but also to sniff credentials. Now attackers aren't going to strike you when everybody's at work; they're going to strike when they have an opportunity, and what better opportunity than, for example, the holy month of Ramadan, and on a holiday during the holy month of Ramadan, and that's exactly what happened. So there were fewer people who could see what was going on, who could react to the attack and who could help out as quickly as possible.

They had no incident management plan that involved a cybersecurity attack; they did have safety incident plans on the production, but that was it. And they had, previous to the attack, decided to digitize everything, which sounds like a great idea, except if all of your contact lists are now on SharePoint and 85% of your Windows computer systems are wiped. So when they went to call people they couldn't find lists, so of course this caused a lot of chaos, and they did the only thing that they could at the time, and I believe it's the first time ever such a large company actually disconnected themselves from the Internet. Now that also involved disconnecting vendors from supporting their oil production platforms, and things that haven't been in the news: Saudi Aramco provided two-thirds of the mobile communications for the country, and that was knocked out. They also provided telecommunications services and Internet services for schools, hospitals, emergency services, police, and these particular services also were deeply affected because the line was cut. Now the picture that you see is actually kilometres and kilometres of petrol trucks that, due to an industrial IoT system connected to their Windows-based payment systems, could not actually be filled, which meant that you could not get petrol if you drove to your local petrol station, and a country only has a certain amount of strategic supply, and obviously because of the geopolitics involved in Saudi Arabia their strategic supply was reserved for military use. This picture was actually taken 13 days after the initial attack by a Saudi journalist who unfortunately was never seen again. One day after the attack, Qatar's RasGas was hit with a different variant; the only difference between the two variants of Shamoon was that Saudi Aramco had a burning American flag as it was actually wiping. So we've had several instances, some hit the news and some have not. Soon after we recovered and implemented digital security, there was a company decision that said we have to protect ourselves from getting our desktops and other things wiped, so the company decided to purchase a solution called virtual desktop, and this seemed like a magical thing, except for the fact that the third-party vendor, who I believe was Hitachi, left a technician backdoor on all of the images, and it was set to admin/admin, and the attackers could easily find this information because Hitachi had actually left the user manual up on their website. And so the attackers used that information and started actually affecting the systems; luckily it could be stopped. But we've had several variants which have moved beyond just Saudi Aramco and have actually targeted and aimed against Saudi critical infrastructure, so we're talking about electric, we're talking about airports, and in addition to that there have been numerous physical attacks both against critical infrastructure in Saudi Arabia and against Saudi Aramco. We've had lovely
jubbly drones with bombs, hopefully that's not what Intel is giving away free as prizes, and even rockets coming out of the country of Yemen. Now there are lots of players in the Middle East, and they can affect the world in different ways. So when we take a look at Syria, Syria is rather unique: early on they had groups of what I would call patriotic hackers, if not state-sponsored hacker groups, and they openly allowed their networks to be used for cyber attacks against anyone they perceived as enemies. Now a few years ago a hacker group, the Syrian Electronic Army, was able to get into the Associated Press's Twitter account, because at the time Twitter did not use two-factor authentication; they were actually latecomers in the game, unfortunately. One thing that may not have hit the news: after the tweet was sent that the White House had basically been bombed and the President of the United States was injured, this affected worldwide markets. The Syrian Electronic Army also took over the Saudi Aramco Twitter account and started tweeting out harmful things to the oil market as well.

So sometimes, as we've been seeing more and more, there is a mix between digital attacks and physical attacks, and in late 2014 there was one such attack that almost killed a lot of people in the city of The Hague in the Netherlands, which is known as the city of peace, where the International Criminal Court is and a lot of other organizations like that. I was attempting to have lunch, which was a rarity because of my role, and a large man in a very nicely tailored suit came to get me from our cafeteria and said I needed to be summoned immediately. When I talked to my managing director, he sent me directly to the Royal Saudi Arabian embassy in The Hague, and what looked to be at first a very simple email hack turned into all of the embassies of The Hague being threatened, over 400 dignitaries' lives being threatened, a cyber terrorism and real-life terrorism group, a nation-state, because it's all about fun with, you know, nation-states; nothing is crazier than nation-state crazy. And several embassies had to put a disclaimer on their website about what was going on. And when I first arrived there were a lot of problems: the embassy did not use antivirus, for example, and it was the IT person's second day on the job with no handover whatsoever, and they could not get a hold of the previous person. So we started locking down things, taking network packet captures and so forth, and I asked the IT person, I go, okay, so we've got to start locking down your email, because obviously your email has been hacked into, because there's all these suspicious emails like "send us 200 dollars via MoneyGram and we will expedite your visa fee, signed the secretary of the embassy", which did not happen. And it turns out that the password was still one of the most popular passwords in the world, one two three four five six. I'll let you think about that, and please, if you have anything that has one two three four five six, please change this now.

So with the network packet capture, one of the things that we found was there was a rootkit that was installed on the ambassador's secretary's workstation, and we found that it was what we would call commercial off-the-shelf malware. Now what's interesting about this is in the news you hear about these advanced tools that nation-states use; the problem is they're expensive to produce, and once you use them they're burned, you can't really use them again, and they're a bit easier to attribute. So why not, for plausible deniability, use and tweak some commercial off-the-shelf? Well, this was the case, and what I also found with my investigations was that although the perpetrator, who was an insider to the embassy who had diplomatic immunity, thought that he was working for ISIS, he was unaware of the fact that actually his agent handlers were from Iran. If you're into Star Trek: Deep Space Nine there's actually a great episode where the Cardassians do the same type of thing, but instead of digital weapons, with physical weapons.

And we were having a very interesting time, because next door to my European offices we had a situation where a very nice house was bought with cash by the Yemeni government, and we believe that the way that they got the money was actually from the country of Iran, and this is how close they were to us. So Aramco Overseas, not in the embassy district, and right next door to us was the embassy of Yemen. So I was having a meeting with my boss and I could look out the windows behind him, and one day we see that we have surveillance drones that are surveilling just our IT floor, and it turns out the drones, pretty nice ones too I might add, were being flown by the Yemeni government's embassy staff. We also caught them digging into our backyard to try to get to our fiber network to surveil it, and we caught several embassy employees inside our canteen and inside our building, and a few verbal altercations between the two of us, and this was all happening at one time. So to give you a background, there are several rebel groups in Yemen; one in particular has said, yes, we're the ones who launched bomb-laden drones. But we also have seen a technological shift from just drones with surveillance to drones with bombs; they seem to love drones, and one of the ways we believe that they got some of this technology, and also how they were taught how to use it, was because they have been openly funded by the Iranian government. In addition to that there have also been joint campaigns both with Iran and with North Korea with this rebel group.

So this was a very long incident and lasted almost two and a half months; usually they don't last that long. And in between I was called back to the embassy, and it turns out that things had gotten worse, and suddenly there were bigger extortion attempts: it rose from a two hundred dollar extortion attempt to twenty-five thousand. An email was sent to several Middle Eastern countries and the country of Turkey, signed by ISIS and sent by the embassy's official
back-channel email account. Now unfortunately, although they are a great group when they're trying to be proactive, the diplomatic corps did not speak to us in the embassy before they decided to act, and what they did was they sent an email to all of the embassies in The Hague, a warning saying, hey, we've gotten information that some of you embassies are getting extortion attempts by ISIS to pay $25,000 each, and if you get this email please contact us and we'll try to help. Now they sent the email via CC, not BCC, and also put on that email the Saudi Arabian embassy; unbeknownst to them, the perpetrator was still inside the email. So the perpetrators decided to respond both to the diplomatic corps and to every single embassy in The Hague and said, hey, guess what, we now have your attention, the price is going to go up, and they started taunting all of the embassies and the diplomatic corps and started threatening. This is actually a sanitized copy of the email. It's always nice to know exactly who you are up against, because they were just trying to save many lives: signed ISIS, and also signed the Saudi embassy.

So in between this, as I'm trying to figure out who the perpetrator is and to find proof, since it was a long incident and I kind of like beer, I used to stop by my local pub, and my good friend the bartender and owner, before I stepped into the building, said, you've got three people that have been waiting at the bar for you for hours, just sipping tea. And I happened to be with one of my counterparts from the US from Aramco, and we thought obviously this was a little strange. Walk in, introduce myself, ask what's going on; all three of them give me business cards stating that they are cultural attachés from the Turkish embassy in the Netherlands, and they want English lessons. Now what was quite funny about that was they all spoke English, and after contacting security services, because obviously this was very strange, they were indeed cultural attachés with diplomatic immunity from the Turkish embassy. So I was given permission to engage, because they wanted to know what was going on, but I had protection at a distance. At the same time I was also told that I was found on a top ten list for kidnap or, well, murder; I was actually number two on that list for ISIS. And this lasted for about two and a half weeks; it was conversational English where they tried to ask a lot of questions about the infrastructure of Saudi Aramco, and before they left the country very suddenly, the lead agent gave me, if you can see, some prayer beads, which I also had checked out by security services, because you never know what materials, or if it's bugged, or what have you. So after they were checked out, luckily they let me keep them. And it culminated with the secretary's personal Gmail account being hacked into, and when I was able to kick them out of the email system they started sending emails from other accounts. They finally threatened that they would blow up a national landmark called the Kurhaus during Saudi National Day, where a lot of dignitaries, Dutch royalty, ambassadors from all over the world, including, you know, the ambassador from Japan and so forth, would be, and they said if we did not pay them the fifty million they would actually blow up the hotel with everyone in it. Luckily I was able to find the perpetrator and neutralize the threat.

So what does Turkey have to do with it? Well, they're a very interesting country, because they have been upping their offensive cyber security talents quite a bit; they have a mix between nation-state and also patriotic hackers. Now I live in the Netherlands and we've actually seen some of this, where there's been manipulation of some of our elections to back certain Turkish-related parties within the Netherlands. They've also been able to break into various intelligence agencies, including the Saudi Ministry of Foreign Affairs, and it's somewhat well known, not very secret anymore, that Turkey has aided ISIS by being an oil middleman, so to speak, a service allowing convoys of oil coming from a terrorist group to go through Turkey and then to be sold further on. So then we've got other groups which are, you know, a mix between government and perhaps could be some terrorist activity, and it looks like, from what we have observed, they've been taking a page from Iran, because they're using some of the same techniques that Iran used to use early on. So if for some odd reason you get really popular on Facebook and a lot of really good-looking women or men just start sending you pictures and saying hey there, you might be targeted because of your role within your organization or your government, etc., and they can be quite elaborate, the different types of false identities they set up; there is some malware usage and definitely a lot of surveillanceware usage if you happen to get hooked.

So if you don't have the people for offensive cyber capabilities or surveillance capabilities but you have the money, you can be like the UAE and you can hire people who used to work for US intelligence agencies. This is actually a quote from a person that was interviewed for Project Raven, where the average rate of pay was about 1 million dollars a year to work for the UAE, and it's a good way to supplement. So we have a new term, cyber mercenaries, and unfortunately they can either be directly hired by the government, depending on their nationality, or they can work via private companies to skirt those limitations. So most recently,
this year there was a news article that came out about me, because the Iranian government had a two and a half year campaign to try to recruit me to work inside of the country of Iran and to teach them how to hack into critical infrastructure, with the focus on nuclear facilities. And it was quite interesting, because they were very persistent. It started with a very general, basic, vanilla LinkedIn message asking for a remote teaching contract, which I was a bit dubious of because of my citizenship and various sanctions; I can't really just give services to the main or Iranian telecom. So what started out as basic moved to encrypted communications, lots of meetings; they tried to send me various websites to look at, and they offered me a lot of money, and trust me, I could have used a hundred thousand euro a month, which is what their offer was. And they kept it up, going for two and a half years, and they had set up this very, very elaborate campaign: many, many fake websites, different sock puppets or personas. The person who first contacted me was what we would call an agent handler, who tries to recruit you; this is actually the photograph that he uses on LinkedIn, and if you do a reverse image search on this you can see that it's a stock photo. They had found out that I was a lecturer for the Centre for the Protection of Critical National Infrastructure as part of GCHQ in the United Kingdom, and that I had spoken at nuclear cybersecurity conferences before, and I'd also lectured on-site at multiple nuclear facilities, power plants and enrichment plants. And that all kind of came to a screeching end, because during this time I kept sending the information to an FBI agent who worked in a cyber division. Unfortunately that FBI agent, I don't know what happened, maybe he didn't take me seriously; I kept sending names and he never sent it to the appropriate offices within the FBI, so I thought it must not be that serious. And then last January I got a WhatsApp message from the agent handler from Iran asking me if I could send my home address so that he could send me a gift, and when I got the message I was at a retirement ceremony for one of my friends at West Point, and I was giggling, having some drinks after this ceremony, and the person next to me happened to work in the counterterrorism division and worked with the FBI, and he took it very seriously and so put me in touch with the appropriate teams. And obviously I did not accept the gift, and at the same time he disclosed to me that the Netherlands government had found out that the Iranian government had hired contract killers to kill two people here in the Netherlands who were Iranian exiles.

So I'm not one to sit around, and I wanted a little bit of revenge, so I read up a bit about some new laws in Iran, and one of them was, because of certain religious beliefs, they decided that they would mandate any mixed-gender restaurant or entertainment facility to be watched by IoT cameras by the religious portion of their police. And I like IoT cameras, as in I like breaking into IoT cameras, so I saw this as a great opportunity to peer into all of Iran, and it turns out you can do that too. So I put a very, very basic way that you can actually find some of these Iranian cameras with just this dork in Censys.io; you can find over 10 thousand, and also a fun tip, they can only buy certain materials from certain countries, so in this case their most popular type of IoT camera happens to be Hikvision, and if you use Metasploit at all there are at least two modules you can go ahead and hack into it with, but because it's countrywide you don't really need to hack, they're all set with the same default credentials of admin/admin. So luckily I shared this with a friend who is the chief strategist for a particular very friendly intelligence organization, who was very, very pleased that now they could use it for facial recognition, listen to voice conversations if they want, and even remotely improve the resolution. So be your own spy.

Now we've talked a bit about COVID today, and I'm going to introduce a new term, BYOH: bring your own house. Everything has been turned remote, including more and more critical infrastructure, and the idea that there is perimeter security when you have to work from home, that idea is gone. It was talked about earlier: are corporations buying firewalls for their employees? Probably not that many are doing that. So I scanned the internet using a tool recently and I got the top 10 countries. The yellow bar you see is the total number of things that say hello on the internet; the orange bar is things that have remote protocols in use that have known exploitable vulnerabilities, like FTP, old versions of SSH, Remote Desktop Protocol, VNC, etc. And what we can see is there are a lot of vulnerabilities out there that have been increased with turning things remote, which just means another entry point that you can get into, and many of these assets in the yellow actually have multiple vulnerabilities.

So why is this all important? Tomorrow, July 3rd, I've been invited by the United Nations Institute for Disarmament Research to give a brief presentation with the head of Swiss intelligence and a senior director of Microsoft on what to do about malicious attacks against critical infrastructure and what sort of joint response we should think about, because this idea that warfare doesn't exist, or it's just a myth or an airport novel, is no more. So these slides will be posted, if not with Security BSides Tel Aviv, then on ResearchGate, which I also use, so I put in some references for everyone, a couple of slides, and just to give a big shout out to Keren and the BSides Tel Aviv group, a Dutch OSINT guy helped with some of the research on unravelling some of the Iranians' elaborate campaign against me, with some work with an investigative reporter with the Wall Street Journal. And if you want to keep in touch, I check Twitter and also LinkedIn. So thank you very much, everyone.
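The precursor the Houston IT staff noticed before the 2012 wipe, one domain admin logged in to 250 devices at the same time, is a signal a detection pipeline can score automatically instead of relying on someone phoning a manager. As an added example, not code from the talk, from Aramco or from any product named in it, here is a sliding-window check over constructed logon records; the record format, usernames, hostnames, window length and threshold are all assumptions:

```python
"""Flag accounts with logons on an unusual number of distinct hosts in a
short window: the 'one domain admin on 250 devices at once' precursor
described in the talk. Sample data below is constructed, not real logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed window; tune per environment
THRESHOLD = 50                   # assumed: distinct hosts per account per window


def parse_line(line):
    """Parse a constructed record of the form '<ISO timestamp> <user> <host>'."""
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user.lower(), host.upper()


def max_host_fanout(lines, window=WINDOW):
    """Return {user: largest number of distinct hosts with a logon inside
    any span of length `window`}, using a per-user sliding window."""
    events = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, user, host = parse_line(line)
            events[user].append((ts, host))

    fanout = {}
    for user, evs in events.items():
        evs.sort()
        active = deque()             # events inside the current window
        per_host = defaultdict(int)  # host -> events inside the window
        best = 0
        for ts, host in evs:
            active.append((ts, host))
            per_host[host] += 1
            # drop events older than `window` relative to the newest one
            while ts - active[0][0] > window:
                _, old = active.popleft()
                per_host[old] -= 1
                if per_host[old] == 0:
                    del per_host[old]
            best = max(best, len(per_host))
        fanout[user] = best
    return fanout


def flag_accounts(lines, threshold=THRESHOLD, window=WINDOW):
    """Accounts whose peak fan-out meets the threshold, sorted by name."""
    return sorted(u for u, n in max_host_fanout(lines, window).items()
                  if n >= threshold)


def build_sample():
    """Constructed logon records: an ordinary user on two workstations and a
    privileged account reaching 250 servers within a few minutes."""
    base = datetime(2012, 8, 13, 9, 0, 0)
    lines = [f"{(base + timedelta(minutes=2 * i)).isoformat()} jsmith WS-{i % 2:04d}"
             for i in range(6)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} DA-ADMIN srv-{i:04d}"
              for i in range(250)]
    return lines


if __name__ == "__main__":
    sample = build_sample()
    for user, n in sorted(max_host_fanout(sample).items()):
        print(f"{user:10s} peak distinct hosts in {WINDOW}: {n}")
    print("flagged:", flag_accounts(sample))
```

In a real deployment the threshold should come from a baseline of each privileged account's normal fan-out, and service accounts that legitimately touch many hosts (backup, patching) need their own allow-list rather than a raised global threshold.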