Feeds

Hack on Saudi Aramco hit 30,000 workstations, oil firm admits

First hacktivist-style assault to use malware?

The Power of One eBook: Top reasons to choose HP BladeSystem

Analysis Saudi Aramco said that it had put its network back online on Saturday, 10 days after a malware attack floored 30,000 workstations at the oil giant.

In a statement, Saudi Arabia's national oil firm said that it had "restored all its main internal network services" hit by a malware outbreak that struck on 15 August. The firm said its core business of oil production and exploration was not affected by the attack, which resulted in a decision to suspend Saudi Aramco's website for a period of a few days, presumably as a precaution. Corporate remote access services were also suspended as a result of the attack.

Oil and production systems were run off "isolated network systems unaffected by the attack, which the firm has pledged to investigate. In the meantime, Saudi Aramco promised to improve the security of its network to guard against fresh assaults.

Saudi Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations. The workstations have since been cleaned and restored to service. As a precaution, remote Internet access to online resources was restricted. Saudi Aramco employees returned to work August 25, 2012, following the Eid holidays, resuming normal business.

The company confirmed that its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated.

A previously unknown group called Cutting Sword of Justice claimed responsibility for the attack, which affected three in four of the estimated 40,000 workstations used by the oil giant. The group said that it had hacked Saudi Aramco in retaliation against the Al-Saud regime for the "crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon [and] Egypt".

The group said it hacked Aramco after compromising systems in "several countries" before implanting malware to "destroy 30,000 computers" within Aramco's network. The infected machines claim was made days before Saudi Aramco confirmed the same number of machines had been hit, lending credibility to the hacker group's claims.

Neither victim nor perpetrator named the malware that featured in the attack but security researchers implicated the Shamoon malware in the security breach (analysis by Seculert here). Shamoon, which emerged days before the assault, has both the capability to over-write data on infected machines and to destroy Master Boot Record files, thus making infected Windows machines impossible to boot.

Over-written files were reportedly replaced by an image of a burning US flag.

According to researchers, the malware also has the capacity to extract information from compromised before uploading it to the internet.

Core router names and admin passwords along with email address and supposed password of Saudi Aramco chief exec, Khalid A Al-Falih, were uploaded to Pastebin on Monday. The latest leak may be a result of the threatened follow-up attack, due to take place last weekend, rather than the fruits of the original malware-fuelled assault.

Rob Rachwald, director of security strategy at Imperva, described that Saudi Aramco attack as the first hacktivist-style assault to use malware.

"In the past, hacktivists have typically used application or distributed denial of service (DDoS) attacks - in which they clog a website with traffic until it goes offline. However, the attack on Saudi Aramco is the first significant use of malware in a hacktivist attack. Hacktivists rarely use malware, if other hacktivists jump on this trend it could become very dangerous," he said.

A blog post by Imperva on the attack can be found here.

Similar data-wiping malware disrupted systems at Iranian oil exploration facilities in May in an attack that led researchers at Kaspersky Lab to the discovery of the Flame cyber-espionage tool. US gas prospecting firms have been hit by previous attacks, most of which are suspected to have been state-sponsored.

It seems wise to view claims that the Saudi Aramco assault was a case of politically motivated hacktivism with some skepticism, at least until a clearer picture of the previously unknown Cutting Sword of Justice group emerges. It could be the group is solely motivated at hitting back at Saudi's ruling royal family for the country's support in putting down Arab Spring-style revolts in other nations, such as Bahrain, but other motives are also possible.

More commentary on the information security aspects of the attack can be found in a post on Sophos' Naked Security blog here. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.