Passwords are a weak form of protection and complacency runs high. We might not think that we, as individuals, would be unlucky enough to be targeted by hackers, or that we’re worth hacking at all. But that complacency extends from smartphone-toting citizens right up to government contractors and employees of multinational corporations.
This week, Microsoft said it had seen a surge in activity from a suspected state-sponsored group of hackers, thought to be Iranian, targeting companies in the Middle East working in defence, fossil fuels and maritime transportation. Its strategy? Guessing the passwords of Microsoft Office 365 users. Its success rate? Of more than 250 targets, fewer than 20 systems were compromised. The spoils? Data such as shipping plans, logs and satellite imagery, which, Microsoft says, could assist with Iran’s developing satellite programme.
It wasn’t a sophisticated attack, but it was an effective one. Microsoft says it used a freely available research tool to blast a series of commonly used passwords at vulnerable systems. Known as “password-spraying”, the technique is more about brute force than subtlety, but any large organisation will inevitably have a small number of systems protected by weak passwords, and these provide an incredibly convenient point of entry.
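In sign-in logs, the spraying described above shows up as one source failing once or twice against many different accounts, unlike a brute-force run against a single account. The following detection example is added here and is not from Microsoft or the original article; the event layout, thresholds and sample data are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

def find_sprays(events, window=timedelta(minutes=30), min_accounts=10, max_per_account=3):
    """events: iterable of (time, source_ip, account, succeeded). Returns flagged sources."""
    by_src = defaultdict(list)
    for t, src, user, ok in events:
        by_src[src].append((t, user, ok))
    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(t, u) for t, u, ok in rows if not ok]
        start = 0
        for end in range(len(fails)):
            # Slide the window so it only spans `window` of wall-clock time.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_account = Counter(u for _, u in fails[start:end + 1])
            # Spray shape: wide (many accounts) and shallow (few tries each),
            # which stays under per-account lockout thresholds.
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                first = fails[start][0]
                findings[src] = {
                    "accounts_tried": len({u for t, u in fails if t >= first}),
                    # A success from a spraying source marks an account to review and reset.
                    "succeeded": sorted({u for t, u, ok in rows if ok and t >= first}),
                }
                break
    return findings

def sample_events():
    """Constructed data: documentation-range IPs and made-up accounts."""
    base = datetime(2021, 10, 11, 9, 0)
    ev = [(base + timedelta(minutes=i), "203.0.113.7", f"user{i:02d}@example.com", i == 8)
          for i in range(12)]                      # spray: 12 accounts, one guess each
    ev += [(base + timedelta(seconds=10 * i), "198.51.100.9", "admin@example.com", False)
           for i in range(15)]                     # brute force on a single account
    ev += [(base + timedelta(seconds=20 * i), "192.0.2.4", "alice@example.com", i == 2)
           for i in range(3)]                      # user mistyping, then signing in
    return ev

if __name__ == "__main__":
    for src, info in find_sprays(sample_events()).items():
        print(src, info)
```

Only the wide-and-shallow source is flagged; the single-account brute force and the mistyping user are left to per-account lockout and ordinary failure handling.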
A survey conducted earlier this year by software firm Keeper Security found that more than a third of employees have incorporated their company's name into a new work-related password. The company also reported high usage of family names or birth dates. For state-sponsored hackers with a wealth of tools at their disposal, accounts secured in this way are the lowest of low-hanging fruit.
Such hackers are known as APTs, or “advanced persistent threats”, and security monitoring groups give them codes to match. The North Korean APT38, for example, also known as the Lazarus Group or Zinc, has achieved a number of successful, high-profile attacks – including a crippling one on Sony Pictures – going back as far as 2009. Their aims and strategies are self-evident: they have specific objectives to disrupt, steal or observe – usually for political or economic ends – and crucially they have the skills, time and resources to succeed.
Proving that nation states are behind APTs and their attacks is difficult; the origin of a single cyber attack is hard to detect and responsibility for it is easy to deny. But the label “state-sponsored” can cover a multitude of different involvements – some hacker groups may be tightly integrated within government departments, while others could be third parties to which governments choose to turn a blind eye because their aims happen to align very neatly. According to Microsoft, the current world leader in hacking is Russia: it says 58 per cent of attacks from July 2020 to June 2021 originated there, with North Korea second (23 per cent) and Iran third (11 per cent). The US and Ukraine were the most besieged by cyber attacks, receiving 46 per cent and 19 per cent, respectively.
The recent breach of a handful of systems via Microsoft Office would seem, on the face of it, to be a comparatively minor incident. But the past decade has demonstrated the potential that state-sponsored hackers have to wreak havoc. In 2017, the so-called “WannaCry” attack, thought to have originated in North Korea, caused huge disruption to health services in the US and the UK, along with Russian banks and corporations including Nissan. In 2018, hackers in Russia conducted a mass cyber-campaign against home routers and ISPs around the world, with weak passwords again providing them with easy pickings. In 2017, Iran was suspected of a malware attack that caused infrastructure systems in Saudi Arabia to be shut down. Connectivity has brought with it vulnerability.
The coronavirus pandemic has sparked an escalation in nefarious activity, with Google reporting bad actors using “Covid-related themes” to attack US government employees through phishing scams (including posing as fast-food outlets), while Microsoft reported a Russian hacking group called Strontium (APT28) using password-spraying in an attempt to infiltrate medical agencies working on a vaccine.
Crucially, if a weak password gives hackers a foothold, it may be possible for them to gain privileges to access other systems within the organisation. In July, the US government, in response to the rising incidence of malicious cyber activity, offered rewards of up to $10 million for information that would help authorities track down those responsible.
Multimillion-dollar rewards may well help in the fight against these attacks, but Microsoft and Google are also working with companies to prevent something as critical as national security hanging on something as threadbare as a weak password. Microsoft is urging greater use of two-factor authentication (where an extra pass key is required alongside a password) or, preferably, sign-in methods that don’t use passwords at all. It has recently encouraged wider use of an app, Microsoft Authenticator, which signs in neatly with bolstered security. This week, Google provided 10,000 users deemed at high risk of state-sponsored attacks (activists, journalists, government employees) with free USB security keys to replace their passwords altogether.
Step-ups in security, of course, merely prompt hackers to become more ingenious. Some dispute the validity of the term “cyber warfare”, given that the cyberattacks have neither the scale nor the brutality of actual war. But both sides are mustering all their resources, and the battle – as we are seeing – is undoubtedly real.