Feeds

Hack on Saudi Aramco hit 30,000 workstations, oil firm admits

First hacktivist-style assault to use malware?

Internet Security Threat Report 2014

Analysis Saudi Aramco said that it had put its network back online on Saturday, 10 days after a malware attack floored 30,000 workstations at the oil giant.

In a statement, Saudi Arabia's national oil firm said that it had "restored all its main internal network services" hit by a malware outbreak that struck on 15 August. The firm said its core business of oil production and exploration was not affected by the attack, which resulted in a decision to suspend Saudi Aramco's website for a period of a few days, presumably as a precaution. Corporate remote access services were also suspended as a result of the attack.

Oil and production systems were run off "isolated network systems unaffected by the attack, which the firm has pledged to investigate. In the meantime, Saudi Aramco promised to improve the security of its network to guard against fresh assaults.

Saudi Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations. The workstations have since been cleaned and restored to service. As a precaution, remote Internet access to online resources was restricted. Saudi Aramco employees returned to work August 25, 2012, following the Eid holidays, resuming normal business.

The company confirmed that its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated.

A previously unknown group called Cutting Sword of Justice claimed responsibility for the attack, which affected three in four of the estimated 40,000 workstations used by the oil giant. The group said that it had hacked Saudi Aramco in retaliation against the Al-Saud regime for the "crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon [and] Egypt".

The group said it hacked Aramco after compromising systems in "several countries" before implanting malware to "destroy 30,000 computers" within Aramco's network. The infected machines claim was made days before Saudi Aramco confirmed the same number of machines had been hit, lending credibility to the hacker group's claims.

Neither victim nor perpetrator named the malware that featured in the attack but security researchers implicated the Shamoon malware in the security breach (analysis by Seculert here). Shamoon, which emerged days before the assault, has both the capability to over-write data on infected machines and to destroy Master Boot Record files, thus making infected Windows machines impossible to boot.

Over-written files were reportedly replaced by an image of a burning US flag.

According to researchers, the malware also has the capacity to extract information from compromised before uploading it to the internet.

Core router names and admin passwords along with email address and supposed password of Saudi Aramco chief exec, Khalid A Al-Falih, were uploaded to Pastebin on Monday. The latest leak may be a result of the threatened follow-up attack, due to take place last weekend, rather than the fruits of the original malware-fuelled assault.

Rob Rachwald, director of security strategy at Imperva, described that Saudi Aramco attack as the first hacktivist-style assault to use malware.

"In the past, hacktivists have typically used application or distributed denial of service (DDoS) attacks - in which they clog a website with traffic until it goes offline. However, the attack on Saudi Aramco is the first significant use of malware in a hacktivist attack. Hacktivists rarely use malware, if other hacktivists jump on this trend it could become very dangerous," he said.

A blog post by Imperva on the attack can be found here.

Similar data-wiping malware disrupted systems at Iranian oil exploration facilities in May in an attack that led researchers at Kaspersky Lab to the discovery of the Flame cyber-espionage tool. US gas prospecting firms have been hit by previous attacks, most of which are suspected to have been state-sponsored.

It seems wise to view claims that the Saudi Aramco assault was a case of politically motivated hacktivism with some skepticism, at least until a clearer picture of the previously unknown Cutting Sword of Justice group emerges. It could be the group is solely motivated at hitting back at Saudi's ruling royal family for the country's support in putting down Arab Spring-style revolts in other nations, such as Bahrain, but other motives are also possible.

More commentary on the information security aspects of the attack can be found in a post on Sophos' Naked Security blog here. ®

Intelligent flash storage arrays

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.