NSA Acknowledges What We All Feared: Iran Learns From US Cyberattacks

Posted: February 11, 2015 at 3:50 pm

After the Stuxnet digital weapon was discovered on machines in Iran in 2010, many security researchers warned that US adversaries would learn from this and other US attacks and develop similar techniques to target America and its allies.

A newly published document leaked by Edward Snowden indicates that the NSA feared the same thing and that Iran may already be doing exactly this. The NSA document from April 2013, published today by The Intercept, shows the US intelligence community is worried that Iran has learned from attacks like Stuxnet, Flame and Duqu, all of which were created by the same teams, in order to improve its own capabilities.

The document suggests that such attacks don't just invite counterattacks but also school adversaries on new techniques and tools to use in their counterattacks, allowing them to increase the sophistication of these assaults. Iran, the document states, "has demonstrated a clear ability to learn from the capabilities and actions of others."

The document, which was prepared for a meeting between the NSA director and the British spy agency Government Communications Headquarters, doesn't mention the Stuxnet attack by name, but instead refers to Western attacks against Iran's nuclear sector. Stuxnet targeted machines controlling centrifuges in Iran that were being used to enrich uranium for Iran's program.

In addition to attacks against Iran's nuclear sector, however, the document also states that Iran learned from a different attack that struck its oil industry. The report says Iran then replicated the techniques of that attack in a subsequent attack called Shamoon that targeted Saudi Arabia's oil conglomerate, Saudi Aramco.

"Iran's destructive cyber attack against Saudi Aramco in August 2012, during which data was destroyed on tens of thousands of computers, was the first such attack NSA has observed from this adversary," the NSA document states. "Iran, having been a victim of a similar cyber attack against its own oil industry in April 2012, has demonstrated a clear ability to learn from the capabilities and actions of others."

The latter statement in the document is referring to the so-called Wiper attack, an aggressive and destructive piece of malware that targeted machines belonging to the Iranian Oil Ministry and the National Iranian Oil Company in April 2012. Wiper didn't steal data; instead it destroyed it, first wiping content on the machines before systematically erasing system files, causing the systems to crash and preventing them from rebooting. Wiper was designed to destroy as many files as quickly and effectively as possible, which can include multiple gigabytes at a time, according to researchers at Kaspersky Lab who examined mirror images of hard drives in Iran that were destroyed by Wiper.

Wiper was the first known data destruction attack of its kind. Although the NSA document doesn't credit the US and its allies for launching the attack, Kaspersky researchers found that it shared some circumstantial hallmarks of the Duqu and Stuxnet attacks, suggesting that Wiper might have been created and unleashed on Iran by the US or Israel.

Many believe it served as inspiration for Shamoon, a subsequent destructive attack that struck computers belonging to Saudi Aramco in August 2012. The document claims Iran was behind Shamoon. The Shamoon malware wiped data from about 30,000 machines before overwriting the Master Boot Record, preventing the machines from rebooting. The attack was designed to replace erased data with an image of a burning American flag, though the malware contained a bug that prevented the flag image from completely unfurling on machines; instead, only a fragment of the flag appeared. Researchers said at the time that Shamoon was a copycat attack that mimicked Wiper.

Wiper is also believed to have inspired a destructive attack that struck computers belonging to banks and media companies in South Korea in March 2013. That attack wiped the hard drives and Master Boot Record of at least three banks and two media companies simultaneously and reportedly put some ATMs out of operation, preventing South Koreans from withdrawing cash from them. The report does not suggest that Iran was behind this attack.
