Hack on Saudi Aramco hit 30,000 workstations, oil firm admits
First hacktivist-style assault to use malware?
Analysis Saudi Aramco said that it had put its network back online on Saturday, 10 days after a malware attack floored 30,000 workstations at the oil giant.
In a statement, Saudi Arabia's national oil firm said that it had "restored all its main internal network services" hit by a malware outbreak that struck on 15 August. The firm said its core business of oil production and exploration was not affected by the attack, which resulted in a decision to suspend Saudi Aramco's website for a period of a few days, presumably as a precaution. Corporate remote access services were also suspended as a result of the attack.
Oil and production systems were run off "isolated network systems" unaffected by the attack, which the firm has pledged to investigate. In the meantime, Saudi Aramco promised to improve the security of its network to guard against fresh assaults.
Saudi Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations. The workstations have since been cleaned and restored to service. As a precaution, remote Internet access to online resources was restricted. Saudi Aramco employees returned to work August 25, 2012, following the Eid holidays, resuming normal business.
The company confirmed that its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated.
A previously unknown group called Cutting Sword of Justice claimed responsibility for the attack, which affected three in four of the estimated 40,000 workstations used by the oil giant. The group said that it had hacked Saudi Aramco in retaliation against the Al-Saud regime for the "crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon [and] Egypt".
The group said it hacked Aramco after compromising systems in "several countries" before implanting malware to "destroy 30,000 computers" within Aramco's network. The claim of 30,000 infected machines was made days before Saudi Aramco confirmed that the same number had been hit, lending credibility to the group's account.
Neither victim nor perpetrator named the malware that featured in the attack, but security researchers implicated the Shamoon malware in the security breach (analysis by Seculert here). Shamoon, which emerged days before the assault, can both overwrite data on infected machines and destroy the Master Boot Record (MBR), leaving infected Windows machines unable to boot.
Over-written files were reportedly replaced by an image of a burning US flag.
According to researchers, the malware also has the capacity to extract information from compromised machines before uploading it to the internet.
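Because destroying the MBR is what leaves a wiped machine unbootable, one defensive check is to baseline the first sector of each disk and validate its structure on a schedule. The following is an added example, written for this page and not code from the article or from any of the researchers it cites; it parses constructed 512-byte sector images, and on a real host the sector would be read from the raw disk device with administrator rights.

```python
import hashlib
import struct
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR

def parse_partitions(sector: bytes):
    """Return the four 16-byte partition entries as dicts (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i  # partition table starts after 446 bytes of bootstrap code
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries

def mbr_health(sector: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Structural checks on an MBR plus optional comparison against a recorded hash."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    parts = parse_partitions(sector)
    digest = hashlib.sha256(sector).hexdigest()
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    # a sector overwritten by a wiper is typically one repeated byte across the bootstrap area
    if len(set(sector[:446])) == 1:
        findings.append("bootstrap code region is a single repeated byte")
    if not any(p["type"] != 0 and p["sectors"] > 0 for p in parts):
        findings.append("no usable partition entry")
    if baseline_sha256 is not None and digest != baseline_sha256:
        findings.append("sector differs from recorded baseline")
    return {"sha256": digest, "partitions": parts, "findings": findings, "healthy": not findings}

def build_sample_mbr() -> bytes:
    """Constructed sample: stub boot code, one bootable NTFS (type 0x07) partition, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441  # 446 bytes, placeholder rather than real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE

def build_wiped_mbr(fill: int = 0x00) -> bytes:
    """Constructed sample of a sector overwritten end-to-end with a single byte value."""
    return bytes([fill]) * SECTOR_SIZE
```

Record the `sha256` of a known-good sector at build time and alert when `healthy` turns false; the structural findings still fire even when no baseline has been recorded.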
Core router names and admin passwords, along with the email address and supposed password of Saudi Aramco chief exec Khalid A Al-Falih, were uploaded to Pastebin on Monday. The latest leak may be a result of the threatened follow-up attack, which was due to take place last weekend, rather than the fruits of the original malware-fuelled assault.
Rob Rachwald, director of security strategy at Imperva, described the Saudi Aramco attack as the first hacktivist-style assault to use malware.
"In the past, hacktivists have typically used application or distributed denial of service (DDoS) attacks - in which they clog a website with traffic until it goes offline. However, the attack on Saudi Aramco is the first significant use of malware in a hacktivist attack. Hacktivists rarely use malware; if other hacktivists jump on this trend it could become very dangerous," he said.
A blog post by Imperva on the attack can be found here.
Similar data-wiping malware disrupted systems at Iranian oil exploration facilities in May in an attack that led researchers at Kaspersky Lab to the discovery of the Flame cyber-espionage tool. US gas prospecting firms have been hit by previous attacks, most of which are suspected to have been state-sponsored.
It seems wise to view claims that the Saudi Aramco assault was a case of politically motivated hacktivism with some skepticism, at least until a clearer picture of the previously unknown Cutting Sword of Justice group emerges. The group may be motivated solely by a desire to hit back at Saudi Arabia's ruling royal family for the country's support in putting down Arab Spring-style revolts in other nations, such as Bahrain, but other motives are also possible.
More commentary on the information security aspects of the attack can be found in a post on Sophos' Naked Security blog here. ®