When Saudi Arabia contacted security researcher Chris Kubecka to investigate an apparent intrusion into its Dutch embassy’s secured email accounts, she knew it was not going to be a simple case.
Local laws in the Hague did not apply, since the embassy is considered Saudi soil. And it only got more complicated after Kubecka got to work: Once the email account was secured, the attacker — who claimed ISIS affiliation — left a trail suggesting an insider was responsible and then threatened to kill hundreds of innocent people if certain demands weren’t met.
The escalations sent Kubecka, the Saudis, the Dutch and dozens of other diplomats scrambling on an international whodunnit — a hacking case that emphasized the high-stakes challenges and troublesome gray areas that come with securing diplomatic communications.
The particular account that was compromised — the Saudi ambassador’s secretary’s email — was on its secure embassy system, according to Kubecka, whom the Saudi government brought in to investigate while she was also working for the Aramco Overseas Company.
“The way that it was set up there was only one person could read official business emails and [there was] only one system that was supposed to be set up that way,” Kubecka, now CEO of HypaSec, said Wednesday in remarks at the BSides security conference in Las Vegas.
Kubecka would eventually find malware known as an ISR Stealer on a workstation in the Saudi embassy, as CSO previously reported. She also discovered that the emails the attacker sent from the compromised email account were using a residential internet service provider, not a commercial line. Kubecka did not specify whether that traffic was originating inside or outside of the embassy.
“It started getting very strange. The official business email account was using a residential ISP line, not a commercial line, and had no security — except it had a password that was ‘123456,’” said Kubecka, who was brought on because she had previously helped recover Saudi Aramco from the Shamoon virus.
The first tipoff came in 2014 when a doctor got in touch with the ambassador to warn that when applying for a visa, the response was an email from the ambassador’s secretary asking for 200 euros to be wired through MoneyGram. The doctor found this suspect — and indeed, it was not the secretary sending emails at all, just the attacker, who later claimed to be ISIS, Kubecka said. ISIS has long resorted to extortion schemes to fund its terrorism. In 2015, the practices brought in $360 million, according to Foreign Policy.
The only hiccup to the attacker’s extortion plan in 2014, however, was that the Saudis had stopped issuing most visas for Dutch citizens at the time — something that an outsider may not have known then. The year before, a Dutch politician, Geert Wilders, had distributed anti-Islam stickers causing a rift between the two countries.
The embassy worked to secure the email account and tweaked the weak password to get rid of the threat. But the extortion attempts continued. The next attempt came from the same email account — apparently not secured, after all — and it targeted the secretary personally with a demand for $35 million. In a similar attempt, the attacker targeted Gulf Cooperation Council member states, including Qatar and Oman, asking for $25,000 each. The emails were signed simply, “Embassy ISIS.”
It is unclear if the attacker was indeed acting at the behest of ISIS.
The extortion attempts, which continued to grow in monetary value up to $50 million and which eventually were accompanied by death threats, show how just one unauthorized email access at a diplomatic station can create an international crisis.
“Geopolitics now play a huge part in cybersecurity, good or bad,” Kubecka said in Las Vegas. “And people can die if something goes wrong.”
The insider threat
The Dutch Diplomatic Police emailed other embassies around The Hague amid all the threats. But they made one mistake — they used the cc field on the email, not bcc, exposing many diplomatic email addresses. Because the attacker still had access to the Saudi email account, they had a whole host of new targets.
Armed with new email addresses, the attacker escalated the demand to $50 million and threatened to kill approximately 400 dignitaries at an upcoming event, Kubecka said.
That’s when the situation became urgent at the embassy, Kubecka said. The ambassador, the secretary and Kubecka suspected one Saudi national who worked at the embassy of involvement, and when night fell one evening, they hunted for evidence.
“The Saudi Arabian embassy did not want to be associated with an ISIS agent who was threatening to kill over 400 people,” Kubecka said. “The ambassador and myself … actually got on our hands and knees looking underneath desks for various passwords to get into the suspect’s account. I’ve never seen an ambassador get on his hands and knees … but that was actually how severe the situation was.”
Kubecka analyzed the evidence, which she did not detail in her talk, and uncovered how the Saudi national was maintaining access.
“I found the way that the perpetrator was still on the backend of the system: a forwarder,” Kubecka said. Copies of inbound emails were going to a proxy account, and another email rule was trashing everything that would have otherwise gone to the real account. Kubecka added that there was some malware found on the computer system — a rootkit, which can allow remote access and administrator control access.
“Their apparatus for dealing with this stuff was not very good.“ Kubecka said about the Saudis, noting that for its Transport Layer Security certificate — which helps encrypt traffic and provides some identification — the Saudi Ministry of Foreign Affairs’ secured email system was using a Cisco demo certificate, which Cisco itself warns “cannot offer a verifiable connection.”
Kubecka added that the embassy didn’t have any antivirus software and instead relied on Windows Essentials, which has offered poor protection from malware in the past.
The case had one final twist: The suspect — a Saudi national — was from a prestigious family, Kubecka said.
“There’s a lot of, let’s say, family favors or people that come from certain families that end up getting these kinds of jobs. You couldn’t just send this certain individual back,” Kubecka said. “Instead it was decided to reassign this particular person to an extremely dangerous location.”
After they arrived to their new post, that person was killed in a car bombing, Kubecka said.
Representatives from The Netherlands, Saudi Arabia, Oman, and Qatar did not immediately respond to requests for comment.