Iranian hackers may have stolen the Saudi government documents that were later released by WikiLeaks, The Washington Post reported Friday.
The pro-transparency group last week published roughly 70,000 documents it claimed were from Saudi Arabia’s Foreign Ministry. WikiLeaks says it has at least half a million documents in total from the ministry and that more will be released soon.
The group may have gotten its hands on the documents from Tehran-backed digital thieves.
“These events fit a pattern that looks and smells like Iranian-proxy actors,” Jen Weedon, manager of threat intelligence at security firm FireEye, told the Post.
The intrusion could be tied to the ongoing discussions between Iran and six countries, including the United States, to limit Tehran’s nuclear program. Negotiators face a June 30 deadline in the talks.
The Saudis are also battling rebels in Yemen who are allied with Iran.
The digital invaders appear to be part of an Iranian hacking group, dubbed Operation Cleaver, that security firm Cylance uncovered in a December report.
The scale, breadth and duration of Operation Cleaver revealed an Iranian cyber sophistication long suspected and occasionally seen, but rarely confirmed.
“A new global cyber power has emerged,” the report proclaimed. “Iran is the new China.”
Cylance said the group had hit at least 50 companies in 15 critical industries spanning 16 countries.
“A significant global surveillance and infiltration campaign,” the report said.
Internal Saudi ministry emails published by WikiLeaks show that ministry employees believed Operation Cleaver was also targeting them.
Emails noted malicious activity starting on July 14, 2014. The suspected Iranian hackers gained access to the system through a phishing attack, in which malicious software is embedded in documents or links sent by email, according to the internal Saudi memos.
Abdullah al-Ali, head of Kuwait-based security firm Cyberkov, told the Post that the Saudi Foreign Ministry hack compromised “the entire network.”
It’s “the biggest sensitive-data-extrusion disaster since the Internet was introduced to the Middle East,” he added.
Iran has significantly bolstered its cyber capabilities since 2010, when it was hit by a crippling cyberattack that took out a spate of centrifuges used in Iran’s nuclear program.
The virus, known as Stuxnet, has since been traced back to the U.S. and Israel.