Bloody cyber-war raging in the Gulf


Believe it or not,a bloody cyber-war is raging in the Gulf region with what were once local one-upmanship games for dominance becoming internecine, inter-state battles to the glee of foreign contractors and mercenaries specializing in cyberwar technologies. Spywares, such as Pegasus, have come to put premium even on the head of political dissidents to the dismay of rights campaigners.  Well, it may sound unbelievable but Pegasus’s surveillance capacity is nearly limitless. It can control cell phones, record conversations and even photograph all those in the vicinity of the phone.

Frankly, the Gulf region is not new to offensive cyber ops. These date back to November 2007 when the US and Israel had closed ranks to cripple the Iranian nuclear program with a jointly developed malware, Stuxnet.    It took Tehran three years to ‘discover’ the damage caused at its Natanz uranium enrichment plant and other N- facilities.  “Operation Olympic Games” destroyed over five thousand centrifuges out of an estimated nine thousand in use, and delayed Iran’s nuclear progress by more than a year.

What is unfolding these days is much wider in scale and concept.

Saudi Arabia, UAE, Israel and Iran are at the forefront of the new cyber-war. Their allies are in toe pursuing their own games.

While Riyadh wants to undermine Tehran in all its glory, Tel Aviv’s campaign seeks to engineer regime change and bottle nuclear ambitions of Ayatollahs. Iranian financial and energy infrastructure is the focus of Israel’s malware, known as Wiper and Flame.  Iran’s central bank, Ministry of Culture and drilling platforms were targeted besides nuclear facilities in 2012 by Unit 8200, Israel’s equivalent of the American NSA.   The ‘stars’ virus infested governmental computer systems.  The Duqu Trojan prepared the stage for further strikes by stealing data.

Retaliation from Iran is on no less small scale with its focus as much on espionage as disruption.

Basij, which operates under the Islamic Revolutionary Guards Corps (IRGC), has created a “cyber army” with thousands of hacker-egg heads recruited from universities and religious schools.  Unlike the American and Israeli cyber operations, which are conducted by professional intelligence agencies backed by bottomless budgets, Iran’s capabilities are modestly funded.  Believe it or not the Iranian hacker campaign is disorganized as well.  They are exclusively overseen by the IRGC and are composed of a scattered set of independent contractors.  They have, nevertheless, proved that even a poor man can produce cyber weapons that have lethal effect.


So it will be fair to talk about Iranian cyber adventurism first.

Early last year (2017) Iranian group, Leafminer, targeted networks in Saudi Arabia, the UAE, Qatar, Kuwait, Bahrain, Egypt, Israel and Afghanistan.  Its weapons were two strains of custom made malware, Trojan Imecab and Backdoor Sorgu, according to cyber security major, Symantec.  Trojan Imecab was used to set up a persistent remote access account on the target machine with a hard-coded password while Backdoor Sorgu enabled remote access.

Iranians have not spared the US.  Defacement of Voice of America’s websites was amongst their first disruptive acts against the ‘Big Satan’.  A group styled as the Izz ad-Din al-Qassam Cyber Fighters focused on the American financial sector with its “Operation Ababil”.  It caused hundreds of millions of dollars in damage.  The hackers stole more than 31 terabytes of data for financial gain. Among the victims were 36 American companies and five American governmental agencies besides 144 American universities.

No surprise, it was the most destructive cyber-attack of the time on the United States. It was the act of two Iranian corporate entities that employed at least seven persons, according to the indictment delivered by the US Justice Department eight months back.   Three of them were part of the Sun Army, an Iranian defacement group, whose modus operandi is similar to Iranian Cyber Army and other state-aligned teams.

An Iranian espionage campaign, “Operation Madi,” has claimed upto 800 American victims. It was the handiwork of Mortal Kombat Underground Security Team, a small group.  Iranians are also said to have gained access to the unclassified US Navy Marine Corps Intranet.

Just ahead of re-imposition of N-sanctions recently, the US came under renewed Iranian attack, according to cyber security firm FireEye’s report released on 18th September.  A group identified as Advanced Persistent Threat 33 (APT 33) used phishing e-mail attacks with fake job opportunities to gain access to an American aerospace organization amongst others. The username of the group links it to the Nasr Institute, a hacking group believed to be controlled by the Iranian govt.

Just before this audacious attempt, Iranians targeted seven Middle Eastern countries – not for one day or one month but for three long years between 2015 and 2017.   A network reconnaissance outfit, APT 34, carried out these attacks, according to Fire Eye. The targets were financial, energy, telecommunications and chemical companies. The group came to light because it logged into virtual private networks, VPNs, from Iranian IP addresses, was active during normal Iranian business hours and occasionally leaked Iranian addresses and phone numbers.

Iran also stands accused of mounting many cyber-attacks against GCC countries. Of them, Operation Cleaver is particularly significant.  It was a series of coordinated cyber-attacks that infiltrated Kuwait, Saudi Arabia, Qatar and the UAE targeting oil and gas industries, telecommunications, airports, government entities.

Surprisingly, the Iranian hackers are not Iranian diaspora, as many like to believe. An analysis of the documented Iranian hackers shows that they are solely Iranians operating inside Iran; well they benefitted from freelance Russian hacker – trainees. That is beside the point.


Saudi Arabia’s interest in cyber security was a sequel to Iran’s attack on its national oil company Aramco twice in 2012 and 2016. The Iranian hackers broke into the company’s digital infrastructure, infested over 30,000 computers with virus, “Shamoon”, and posted sensitive data on the internet. This resulted in Aramco’s shut down for a while. In defence of Iran, it is said that the trigger was provided by an attack on its major oil terminal at Kharg Island.    The hackers owed allegiance to a group called ‘Cutting Sword of Justice’. In a statement they blamed Saudi Arabia for crimes and atrocities in several countries, including Syria and Bahrain.

The 2016 malware strike on Aramco was well timed at the start of the weekend so as to reduce the likelihood of discovery before maximum harm could be inflicted.  Aramco and several of its ancillary companies, located in the hub of the Saudi petrochemicals industry, were forced to shut down their networks.  Further attacks against the Aramco were reported last year (2017), which were assisted by freelance Russian hackers.

Riyadh has since created a variety of institutions to combat cyber threats and has also tied up with foreign state agencies as well as private companies in the US, Israel and Europe.  On its part Washington has increased its support for the development of Saudi Arabia’s cyber capabilities under a $110 billion modernization deal.  Crown Prince Mohammed bin Salman’s brain child Taqnia Cyber, a subsidiary of Public Investment Fund, is being pump primed to become his cyber force for security, and intelligence operations.

The UAE has built an extensive cyber warfare capability than any other state in the Gulf region.  This protective ring has become an absolute necessity as it is the most targeted country in the Middle East and the 25th most-targeted globally.  Five percent of all global cyber-attacks targeted the Emirates last year.


While battling Iran for regional supremacy, Saudi Arabia and its ally, the UAE are trying to undermine Qatar and Oman with cyber bugs.  The first such ops was mounted in April- May 2017, which demolished the myth of unity amongst the member nations of Gulf Cooperation Council (GCC).

According to sequence of events now available, the attack began on the evening of 19 April 2017 when hackers placed a bug on the website of Qatar news Agency (QNA). Soon afterwards, the Emirati cyber warriors exploited a vulnerability in QNA internal network code, gained full control of the entire network and began mining data and text. On 23rd May, the hackers took over QNA’s system just before mid-night and posted “incendiary” quotes attributed to Qatari Emir’s speech at a military graduation ceremony.

The post was “tailored” to appear praising Iran as an Islamic power, hailing Hezbollah and Hamas as resistance movements and criticizing the regional policies of the United States.  As if on cue, Saudi and Emirati media launched a blitzkrieg to malign Qatari Emir.

Qatari authorities promptly sought assistance from the US, which dispatched FBI officers to Doha for investigation.  Their findings show that the QNA website experienced a 15-minute surge in the number of visits – 41 visits – originating from the UAE in particular.  The hike in the number of visits showed the hackers’ eagerness to make sure that the planted news had been circulated.

The Washington Post has corroborated the “hacking” story, quoting its information to American intelligence officials.  “The United Arab Emirates has orchestrated the hacking of Qatari government news and social media sites in order to post incendiary false quotes attributed to Qatar’s Emir that sparked the on-going upheaval between Qatar and its neighbours,” the American daily reported.  The Post further stated: “data analysis by US intelligence agencies has confirmed that senior members of the UAE government discussed the plan and its implementation a day before the attack”.

A big boost to Qatar’s campaign against the UAE has come from an entirely unexpected quarter.

Global Leaks, an obscure group of hacktivists with a Russian e-mail address, has hacked into the Hotmail account of Yousef al-Otaiba, the UAE ambassador in Washington DC, and obtained  communications exchanged between senior Emirates officials, think-tanks, PR executives and journalists “as a part of UAE lobbying efforts to shape American foreign policy narrative biased against and detrimental to Qatar”.

To the great satisfaction of Qatar, the Global Leaks gave the hacked e-mails to The Intercept, an on-line investigative portal, for publication.


At least one group of hackers, who are either Russians or want to be identified as Russians, appears to be working overtime as freelancers for a number of Gulf States; their methods have a striking resemblance to the methods adopted to hack into the Emirati ambassador’s mail box.  A number of Emirati diplomats as well as other public figures in the Gulf region have also been their targets.  Researchers Collin Anderson and Cladio Guarnieri have nicknamed the group as Bahamut.

Latest development on Qatar-UAE cyber spat has another American twist.

A prominent Republican fundraiser, and lobbyist, Elliott Broady, who is also a Trump ally, has gone to the town with a legal campaign against the Qatari government and its agents in Washington, DC. He runs an intelligence firm, Circinus, and it has a multi-million dollar contract with UAE.

“My e-mail accounts are hacked and stories damaging my reputation are put out in the American papers”, he claims.  The leaked/hacked emails showed Broady reporting to UAE representatives regarding the meetings he had held with President Trump and senior administration officials.

Qatar’s natural gas company, RasGas, has also faced ‘cyber music’, resulting in the shutdown of its website and email servers for some time. This was the handiwork of the Iranians, who also targeted the Saudi Aramco in the first wave of attacks. The RasGas digital infrastructure that controls production and delivery was not affected though.  Two years ago, in 2016, a more damaging attack occurred, and the target was Qatar National Bank (QNB), one of the largest in the Middle East.  Hackers managed to steal massive amount of data including about half a million accounts and published them online.  One “folder” was labelled SPY reportedly containing information about British (MI6), American, French, and Polish intelligence agents stationed in Qatar.  Other folders had labels that read: Al Thani Royal family, State Security Bureau, Ministry of Defence and Al Jazeera.


Now cut to cyber warfare targeted at dissidents in the Gulf countries.

The brutal murder of dissident cum journalist Khashoggi at the Istanbul consulate of Saudi Arabia is only a tip of the iceberg. Cyber tools and other infrastructure created by an Israeli company were used to lure him to meet his end.

Edward Snowden, the whistle blower on American covert cyber operations, who has taken refuge in Russia, has disclosed that the NSO Group supplied Pegasus spyware used in the Khashoggi operation.

This very software was installed on the phone of Omar Abdulaziz, another exiled Saudi dissident and a friend of Khashoggi.  The two were in regular cell phone contact and had no clue to being monitored by Saudis.

Canadian research institute, Citizen Lab, has unearthed extensive abuse of Pegasus spyware to target civil society by authoritarian regimes, Saudi Arabian, Emirati and Kuwaiti including.

Like Saudis, the UAE has made extensive use of spyware technologies to target political dissidents.  Ahmed Mansoor, a human rights activist, is the latest victim. The spyware was installed on his telephone thus keeping him under continuous monitoring.  His email account was hacked and an amount of $140,000 was ‘stolen’ from his bank account. Mansoor has since been put behind bars.

There is an Israeli angle to the Emirates ops.

US-Israeli firm, Verint, is the lead contractor for its interception agency.  Emirati authorities have also set up a well-funded private company, Dark Matter, to create advanced surveillance apparatus with the Israeli Pegasus programme as the backbone.  Eighty per cent of Dark Matter’s revenues reportedly come from Signal Intelligence Agency, the Emirati equivalent of American National Security Agency (NSA).  Of course, the United States has been the primary source of the Emirate’s military and intelligence apparatus, including cyber-warfare capabilities.

The honour of most highly surveilled country, however, goes to Iran, going by Edward Snowden’s leak on a tool known as “Boundless Information”.  The ‘beneficiaries’ are the intelligence agencies of the US and its partners, who have amassed billions of Iranian internet and telephone records.

Implications for India?

Honestly, there is no reason for any immediate worry to India from the unfolding Gulf Cyber war and the consequent thriving business for foreign cyber agencies and mercenaries from the US, Israel, and Russia. It cannot, however, put on blinkers.

India has several business interests in the region.  Chabahar Port, India is building in Iran despite the US sanctions regime, has a strategic importance, particularly in view of maritime cyber-attacks, which have become a growing menace with several actors, both official and mercenary, sharpening their tools.

Anyhow India also is not immune to such attacks. For instance, operations at India’s largest container port, Jawaharlal Nehru Port were hit last year by Ransomware attacks.

Indian telecom companies play a significant role in the Gulf countries providing wholesale data services to regional operators.  The GCC is the largest regional-bloc trading partner for India accounting for about $ 104 billion in the last financial year.  Remittances from about 7.6 million NRIs in the region account for over 54 per cent of the total such receipts of over $ 70 billion.

With such high stakes, it will be in India’s interest to put on a thinking cap.