Middle East Cyber Security Threat Report 2014

Since my last cybercrime research in 2008[1], cyber security threats have grown and matured. Cybercriminals and even terrorists have become capable of carrying out sophisticated cyber-attacks. In this context, cybercrime continues to grow rapidly in the Middle East and takes new paths every day. Meanwhile, governments in the region are losing millions of dollars annually[2]. As long as governments depend on new technologies and treat security as a “nice to have”, their ICT infrastructure will be vulnerable to more sophisticated cyber-attacks. Beyond ICT, the region is witnessing a new era of terrorism in which terrorists exploit 21st-century technologies to carry out attacks; therefore, I suggest that the situation will continue to worsen in 2014.

Politically and religiously motivated attacks

Our region is volatile and unstable due to political, economic and social problems. These issues will increase the attacks carried out by groups of “Hacktivists” who penetrate or target systems or users for a political or religious cause. The majority of cyber-attacks in the region are the work of Hacktivists with a message they want to spread. The so-called “Arab Spring” increased these types of attacks, and the current chaos in the region will escalate conflicts and increase politically and religiously motivated attacks. Obvious examples are the bloody conflicts in Syria, the looming tension between Saudi Arabia and Iran, and the Arab-Israeli conflict.

A study revealed[3] that the Syrian Electronic Army, the pro-regime group, used social engineering techniques and malware attacks to target users and NGOs in Syria and other countries. What the study didn’t mention is that other anti-Assad groups[4] are also hacking websites and targeting users on the internet. A group called “Lewa’ Al-Sham” or “Levant Brigade” announced that it hacked the websites of TV channels[5] that support Assad’s regime. Religion is a big player in emerging cyber-attacks, especially website defacement.

Due to the change in US policy towards Iran and Saudi Arabia, the Saudi-Iranian tension[6] will increase and affect Middle East geopolitics; therefore, related politically and religiously motivated attacks will grow and become destructive, especially when carried out by professional hackers.

Most cyber-attacks that originate from within the Middle East and target Middle East ICT infrastructure are DDoS attacks[7] and website defacement[8]. But other, more sophisticated cyber-attacks started to appear in 2012, such as the Saudi Aramco[9] and RasGas[10] attacks. What will make things worse is the Iranian nuclear project, which is still at an early stage of developing a real nuclear threat. But other players in the Middle East, especially Saudi Arabia, see this as a real threat and will outsource real warheads and “ready-made” nuclear technology from Pakistan[11]. This arms race is dangerous in this unstable region, and the fear grows when one thinks of Stuxnet-like[12] attacks that may target these off-the-shelf nuclear technologies, which might result in a Middle East Fukushima[13].

The Arab-Israeli conflict is another motive for cyber-attacks in the region. Many online groups are organizing cyber campaigns to attack Israeli[14] websites and reveal financial information. On the other side, Israeli groups are also conducting cyber-attacks against Arabic websites[15]. Although most of the Arab attacks are not state-sponsored and can be categorized as propaganda, Israeli policymakers see this as a real threat and consider it “Cyber terrorism”[16], which requires offensive reactions and even military attacks. They also established state-sponsored units[17] to wage cyberwar with sophisticated capabilities[18].

The chaos in the Middle East will also escalate the growing conflicts of Jihad for the Caliphate. Al-Qaeda and its inspired groups will continue to conduct bombing and killing across the region, and another form of Jihad is exploiting the new technologies to cause harm. I will publish dedicated research soon to investigate this phenomenon in the Middle East.

Another dangerous trend we may witness soon in our region is the “Hacker for Hire”. Professional hackers and cyber mercenaries[19] can be hired by governments[20] or private sectors from outside the region to conduct sophisticated cyber-attacks, no matter what the motive is: political[21], religious or financial.

Financial Attacks

When it comes to cyber-attacks for financial gain, the Middle East is a fruitful target for cybercriminals because of low user awareness, a lack of technical and legislative capabilities, and the availability of liquid money. Banks in the region are the biggest losers when it comes to financial cyber-attacks, as criminals go where the money is. In 2013, a group of cybercriminals stole over $45 million[22] from two banks in the Middle East: Bank of Muscat in Oman and National Bank of Ras Al Khaimah “RAK Bank” in the UAE. The cyber gang hacked into a database of prepaid credit cards belonging to the banks and then used fake cards to withdraw money from ATMs in 27 countries. The card database was held by Indian payment processors that were hacked by the cyber gang. The banks and payment processors admitted the attack, but that is all that was revealed. Other attacks occur around the clock in the region but are not disclosed. Some financial institutions may fear losing customers if they reveal that they were hacked. This lack of transparency makes the situation worse, as users must know that their accounts are affected and should know how banks will recover and how they will deal with future attacks. It’s important for customers to understand that banks have the responsibility of protecting both their own data and their customers’ data. If banks are not responsible, what is the point of having security policies at the enterprise level? Having a security policy is one thing; enforcing it is another. Building out and enforcing policies is a whole educational awareness process that needs to be addressed effectively.

This may be the reason most banks and financial institutions in the Middle East do not have strict policies when dealing with electronic payments. The following issues can easily be spotted in many banks in the region:

– Payment card statements with full details are sent via postal mail
– Customers are allowed to put large sums on cards that are not carefully monitored
– Bank websites have web application vulnerabilities such as non-secured login boxes
– Security-sensitive information is emailed insecurely to customers
– Absent or poor security awareness training and education for employees
– Poor security policies and absence of training for merchants
– Loopholes for compliance are available due to corruption (financial institutions and/or merchants can get PCI-DSS, ISO27002 etc. without applying the required guidelines)
– ATMs are not carefully protected and might be placed in unsafe environments
– Services related to sensitive or critical information are outsourced without much attention paid to the security policies and reputation of the outsourcing partner
– Mobile payments are being implemented with the same weaknesses as payment cards

Attackers will not only target large banks and financial institutions; they will also target small entities that deal with money, such as merchants and POS operators, due to their lack of security. The growth of online consumer habits in the Middle East, together with the growth of mobile payment platforms, will increase risks for payment processors, banks and merchants. Due to the increase of mobile internet in the Middle East[23] and the growth of e-commerce sales that reached $27 billion in 2013[24], the region will be a big target for cybercriminals. Cyber gangs are not the only ones interested in Middle East financial data; foreign intelligence agencies are also big players with their state-sponsored attacks[25].

One of the most important reasons the region will be vulnerable to more sophisticated financial cyber-attacks is its regulatory frameworks, as hackers and cyber gangs look for places with poor or absent regulation to commit their crimes. Cyber regulations are poor in the Middle East[26] and even lack a correct definition of cybercrime. Indeed, there are laws dedicated to cybercrime in the region, and also cyber-related laws, but governments need to update them often to reflect the rapid change of such hi-tech crimes, and the laws should be harmonized with those of the rest of the world. But due to political issues, most cyber laws are drafted to suppress freedom of speech and do not address the real threat of cybercrime. In addition, policymakers are dealing with cyber regulation from an old perspective in which crimes are committed within a specific location. This is completely wrong when dealing with cyberspace, as it is not location dependent. So when they deal with cybercrime law, they have to go beyond their own countries, as the crime itself is transnational. As long as governments in the region do not address these issues, financial cyber-attacks will increase in 2014, and I expect that we will see more sophisticated attacks that will target financial institutions in the region.

Future Threats: Everything will be hackable

I published a research paper in 2011 investigating 21st-century threats and the Middle East dilemma[27]. I expected that the situation will be worse in future because both governments and users lack future strategies and are always looking to access advanced technologies with a consumer mindset. Since this is the norm in our region, there will be no progress when it comes to future technologies. Everything will be connected to the Internet to form the new era of the “Internet of Things”[28], and we will strive to protect devices that are embedded in our homes, offices, cities and even our bodies. This situation might not appear in 2014, but things are moving faster in the 21st century and we might see sophisticated attacks target connected devices that will cause panic[29]. This complex and connected world created the Big Data that will result in big benefits and big threats as well[30]. An additional cyber threat that will affect the Middle East is cyber-espionage, or spying, which sparked debate in 2013 with the revelations of NSA surveillance. I expect that cyber-spying activities by western intelligence agencies will continue to grow in 2014 due to political situations, instability, chaos and terrorism. I argue that other players will enter the espionage game in the region. China, with its large numbers of connected electronic devices being used in the Middle East, will be one of the biggest players when it comes to cyber espionage. As the center of gravity of the Middle East shifts from Saudi Arabia to the Persian Gulf[31], Iran, as a regional superpower second to Israel, will enter the cyber-espionage game. Consequently, we will witness more dangerous cyber-attacks and cyber threats that originate from Iran and are carried out by its state-sponsored cyber army[32]. Although Iran’s cyber capabilities cannot be compared to those of the US and Israel, and are not even destructive against them, they might be destructive if used against “vulnerable”[33] Middle East countries. In addition to cyber-attacks, Iran also has access to advanced warfare technologies such as drones that will be used in future attacks as ultimate asymmetric weapons.

Middle East states need to understand that off-the-shelf technologies will not solve any security issue and might make things worse. They need to address their internal issues and invest in their human capital to adapt to the 21st century, or the consequences will be more dangerous in the years ahead.

[1] El-Guindy, June 2008, ISSA Journal

[2] http://www.symantec.com/connect/blogs/cybercrime-takes-its-toll

[3] https://www.eff.org/document/quantum-surveillance-familiar-actors-and-possible-false-flags-syrian-malware-campaigns

[4] http://www.aawsat.com/details.asp?section=4&article=621701&issueno=11856

[5] http://al-mayadin.com/?p=1013

[6] http://www.newyorker.com/online/blogs/newsdesk/2013/11/why-the-iran-deal-scares-saudi-arabia.html

[7] http://english.alarabiya.net/en/media/2013/05/18/Saudi-Arabia-says-hackers-sabotage-government-websites.html

[8] http://www.aljazeera.com/news/middleeast/2013/05/2013517173246392589.html

[9] http://netsafe.me/2012/08/27/saudi-aramco-cyber-attack-are-we-ready/

[10] http://www.theregister.co.uk/2012/08/30/rasgas_malware_outbreak/

[11] http://www.bbc.co.uk/news/world-middle-east-24823846

[12] http://netsafe.me/2010/09/27/stuxnet-worm-is-it-a-real-cyber-war/

[13] http://netsafe.me/2011/11/18/computer-worms-middle-east-fukushima/

[14] http://thenextweb.com/me/2012/01/18/everything-you-need-to-know-about-the-ongoing-israeli-saudi-hacker-struggle/

[15] http://arstechnica.com/business/2012/01/israeli-and-palestinian-hackers-trade-ddos-attacks-in-rising-cyber-gang-war/

[16] http://netsafe.me/2012/01/09/when-hackers-become-terrorists/

[17] http://www.jpost.com/Defense/IDF-building-elite-hacker-teams-amid-cyber-threat

[18] http://www.idfblog.com/2013/10/09/hackers-beware-idfs-digital-battleground/

[19] http://arstechnica.com/security/2013/09/for-hire-elite-cyber-mercenaries-adept-at-infecting-windows-and-macs/

[20] http://www.cbc.ca/news/technology/nations-are-hiring-cybermercenaries-u-k-report-says-1.1342883

[21] Saudi Arabia tried to hire a professional hacker to spy on its citizens but failed: http://arstechnica.com/security/2013/05/dear-hacker-please-help-us-eavesdrop-on-our-customers/

[22] http://gulfnews.com/business/banking/banks-lose-millions-to-hackers-in-atm-card-breach-1.1181774

[23] http://www.vserv.mobi/insights/ For additional information see http://www.thinkwithgoogle.com/mobileplanet/en/

[24] http://www.statista.com/chart/1223/global-e-commerce-sales-2013/

[25] https://www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution

[26] http://netsafe.me/2012/02/28/cybercrime-legislation-in-the-middle-east/

[27] http://netsafe.me/2011/06/19/21st-century-cyber-threats-and-the-middle-east-dilemma/

[28] http://postscapes.com/internet-of-things-market-size

[29] http://www.forbes.com/sites/kashmirhill/2013/09/04/shodan-terrifying-search-engine/

[30] Check MIT videos on Big threat theory http://senseable.mit.edu/engagingdata2013/videos.html

[31] http://www.telegraph.co.uk/news/worldnews/middleeast/iran/10471443/Richard-Spencer-Allies-may-see-Iran-deal-as-sign-of-superpower-in-retreat.html

[32] http://www.strato-analyse.org/fr/spip.php?article223

[33] Qatar and other Middle East countries turned to US to build cyber-operation centers, read the story: http://www.independent.co.uk/news/world/americas/cyberwar-poses-dilemma-for-us-defence-exporters-8346311.html