An attacker claiming to be ISIS took control of the official email account of the Saudi Embassy in the Netherlands in August, 2014 and sent emails to more than a dozen embassies at The Hague demanding $50 million for ISIS, or they would blow up a major diplomatic reception, documents seen by CSO reveal.
The attack compromised the Saudi embassy's non-classified computer network. The attackers deployed a garden-variety rootkit on the workstation of the ambassador’s secretary and took over the embassy's official email account.
No one was ever formally held accountable, despite an internal investigation. Given the low sophistication of the attack, experts tell CSO it's impossible to say whether the attacker really was part of an organized effort by ISIS, a random supporter, or a nation-state intelligence agency masquerading as ISIS for motives unknown.
The story began with a bizarre attempt to defraud a Saudi schoolmaster in the UK of a €200 visa fee and ended with a $50 million ransom demand and a manhunt by the Dutch diplomatic police as the clock ticked down to September 23, Saudi National Day.
Documents obtained by CSO provide details of the attack and the Saudi response. This provides an interesting window into how a government might react to a suspected nation-state attack and raises questions about the level of security deployed at embassies around the world.
Update: Our anonymous source comes forward to tell her story at BSides Las Vegas on August 7,
Today the anonymous former Saudi Aramco employee who provided CSO with the internal embassy report reported on here came forward to tell her story on stage at BSides Las Vegas. Her name is Chris Kubecka, and you can watch her presentation, The Road to Hell is Paved with Bad Passwords, on the BSidesLV Common Ground live stream.
The first indicator of compromise
According to the documents, the embassy first became aware that something was amiss when Dr. Sumaya Alyusuf, previously in the news herself a decade ago as the head of a British school that owned radical Islamist textbooks funded by the Saudi royal family, emailed the Saudi embassy asking for assistance in procuring a visa to India and was subsequently asked to wire €200 via MoneyGram.
The attacker, then in control of the official Saudi embassy email account, replied to Alyusuf on August 26, 2014 demanding the money be sent via MoneyGram to Mohammed bin Nawaf bin Adbul Aziz, the Saudi ambassador to the UK at the address of the Saudi embassy in London. "Immediately I received your response I will immediately ensure fast release of visa to you," read the email. It remains unclear how, or if, the perpetrator expected to collect this €200 fee.
Alyusuf telephoned the secretary to the Saudi ambassador to enquire about this strange request, the documents show. Realizing something was amiss, the secretary asked Alyusuf to forward the emails to her personal Gmail account. The secretary then informed the ambassador of the incident.
The ambassador began an investigation. The incident response team discovered evidence in the Saudi embassy's webmail account of the emails sent to Dr. Alyusuf. The embassy's unclassified network was using a residential internet service provider at the time, with an associated email account for official embassy correspondence. The password for the email account was "123456." Since the secretary's workstation was configured to use POP3/SMTP, and she never used the webmail interface directly, it was clear the webmail had been compromised.
Further investigation by the embassy discovered malware installed on the secretary's workstation. CSO shared the malware hashes with Brandon Levene of Chronicle, part of the Alphabet/Google group of companies, to check on VirusTotal. The hashes match the Autorit family of malware, which is frequently used to deliver the password-stealing ISR Stealer payload.
"This malware, ISR Stealer, is a modified version of a malware family called HackHound," Levene writes by email. "You can easily find YouTube videos explaining how to get and build it. I'd rate accessibility as readily available (and has been so for 5-plus years)."
Hashes for the second-stage ISR Stealer payload aren't available so CSO was unable to identify the specify binary used and reverse engineer it to determine the location of the command and control server the malware connected to.
In response to this incident, embassy IT staff wiped the secretary's workstation, reinstalled Windows to remove the malware, and changed the email account's password to something stronger than "123456."
Extortion escalates to $50 million and a bomb threat
Two weeks later, on Saturday, September 6, 2014, the secretary to the Saudi ambassador received a spoofed email pretending to be from the now-secured official Saudi embassy email, to her personal Gmail account. The email demanded that she send $35 million to support ISIS or they attacker would blow up the Saudi Arabian National Day festivities in The Hague on September 25, an embassy reception that would host hundreds of diplomatic VIPs.
That weekend, the attacker sent similar spoofed emails to more than a dozen other embassies at The Hague, including the embassy of the Sultanate of Oman, the embassy of Pakistan, plus two separate Dutch ministries. The spoofed emails were sent from an email service in India and some were sent via an open proxy in Nigeria.
The spoofed emails to the embassies demanded the smaller amount of €25,000. One read, "I will like to have your support financially, to control some treat coming to the embassy recently is a matter of urgency as many important life are treaten, it is the ISIS the islamic set and I want you to keep this confidential if you can transfer 25,000 euros to my by tuesday let me know so, that I will give you a confidential account for it. Help me save many innocent life."
The Dutch Diplomatic Police, who have jurisdiction over crimes involving diplomatic personnel in the Netherlands, sent out a threat advisory to other embassies in The Hague. On September 9, the following Saturday, the attacker, once more spoofing the official Saudi embassy email address, forwarded a copy of the threat alert to several embassies and raised their extortion demand to $50 million. The incident response team scrambled to figure out how the attacker gained access to the confidential advisory.
With only two weeks to go before the Saudi National Day celebrations, the investigators discovered three suspect configuration rules. One automatically forwarded a copy of all incoming email to the Saudi official email account to a live.com proxy email account. This gave the attacker visibility into all incoming official email to the embassy.
The second rule sent all incoming emails to the official embassy email from the secretary to the ambassador's personal Gmail to trash. The third rule was all incoming emails from Dr. Sumaya Alyusuf's work email address were also sent to the trash.
The incident response team disabled these rules and shared them with the Diplomatic Police. Neither Alyusuf nor the secretary to the Saudi ambassador, nor the embassy itself, responded to our emails requesting comment.
Hack attribution unknown
It remains an open question who was responsible for the disruptive attack. The low sophistication of the attack means it could have been anyone. Former cybercrime investigator for the U.S. Department of Defense (DoD), Jim Christy, tells CSO, "It sounds like it's a pretty pedestrian attack. Could be anybody, could be a kid, could be a group, could be a country masqerading as ISIS using less sophisticated tools."
"We see that often," he adds. "If they don't have to use their secret sauce, something pedestrian works."
Levene agrees the low sophistication of this attack makes attribution difficult. "I do not have hands-on experience with tooling used by ISIS," he writes by email, "but my team has indicated that ISIS's technical acumen and tooling would place them square in this realm of sophistication (i.e., using off-the-shelf, easily accessed/free/cracked tools)."
However, counterterrorism expert Max Abrahms tells CSO that geopolitically it makes little sense that ISIS would attack a Saudi Arabian embassy. “Why would they attack Saudi Arabia?” he asks, noting that a large number of Saudi nationals joined ISIS as foreign fighters. “No country has an ideology more similar to ISIS's than Saudi Arabia's.”
Abrahms raised the possibility that Turkey could have been behind the attack. “When Turkey thinks of terrorism, it doesn't think first of ISIS; it thinks first of the Kurds,” Abrahms says. “There's an obvious motive to helping ISIS.”
As for whodunit, no one is quite sure. One thing we can say with confidence: Don’t use “123456” as the password for your official embassy email account.