Aramco Threatened With New Attack

Attackers are threatening to launch a second assault on Saudi Aramco on Saturday, both to prove their abilities and to show that they are not relying on help from an Aramco insider. The first attack on the oil company occurred last week and resulted in the company taking its Web sites offline; Aramco said it had been hit by a malware infection on some of its workstations.

The warning of the upcoming attack was posted on Pastebin Thursday, saying that the attack is the result of the “arrogance” and “brutality” of Aramco, a massive oil producer in Saudi Arabia.

“What we’re going to do to prove our ability to do more? well, we don’t really need or even feel like proving anything to anyone and show them that we can, but here is a headline story: we are going to make it, next week, once again, and you will not be able by 1% to stop us,” the group said in its post.

The original attack on Aramco began on August 15 and, while the details are murky, the company’s Web sites have been offline for more than a week. Aramco officials said the attack affected a few of the company’s workstations and that no critical systems were hit. However, the group that claimed responsibility for the attack, which included a malware infection as well as a subsequent DDoS attack on the Web sites, claimed to have destroyed data on thousands of machines.

“As previously said by hackers, about 30000 (30k) of clients and servers in the company were completely destroyed. Symantec, McAfee and Kaspersky wrote a detail analysis about the virus, good job. Hackers published the range of internal clients IPs which were found in the internal network and became one of the phases of the attack target,” the group said in a post on Pastebin shortly after the attack.

Whether the person or people posting the claims on Pastebin are the same as the first group who claimed responsibility for the attack on Aramco last week isn’t clear. The original post was signed by a group calling itself the Cutting Sword of Justice, but the subsequent ones have not been signed. 

It’s not known exactly how the attack occurred, but researchers say there are strong indications that the Shamoon malware discovered late last week was used in the operation. Shamoon can steal data from infected PCs and then render the machine unbootable by overwriting the master boot record. The latest post on Pastebin opened with a line that read in part “/shn/amoo”, an anagram of Shamoon.

The group says that Aramco is being targeted for good reason.

“That’s will happen for two reason:

1- you’re brutal and selfish to harm any employee just for the sake of expecting.

2- we do hate, hate a lot, arrogance.

Be prepared for something you will see in your eyes and you will not be able to stop it,” the post says.
Shamoon uses an unusual system for exfiltrating data from infected networks. Some of the machines that researchers identified as infected with Shamoon likely were not connected directly to the Internet. So in order to move stolen data off those PCs, the malware connects to a proxy server on the internal network that is controlled by the attacker. That machine collects all of the data and then sends it on to the external command-and-control server.
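The relay arrangement described above leaves a recognisable footprint in network flow data: many workstations push data to one internal peer, and that peer alone pushes a comparable volume to an outside address. The script below is an added example written for this article; it is not code from the article, from any vendor analysis of Shamoon, or from the malware itself. It assumes flow records in the form (source, destination, destination port, bytes), an internal address space of RFC 1918 ranges, and the fan-in, volume and relay-ratio thresholds shown; the flow records and the addresses 10.1.1.50 and 203.0.113.7 are constructed for illustration.

```python
"""Flag internal hosts that look like an attacker-controlled staging proxy.

Added example (assumptions: flow tuples, RFC 1918 internal space, thresholds).
"""
import ipaddress
from collections import defaultdict

# Assumed definition of "internal": the organisation's RFC 1918 space.
# ipaddress's is_private also treats documentation ranges such as
# 203.0.113.0/24 as private, which would hide the external hop in the
# sample below, so an explicit list is used instead.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records (src, dst, dst_port, bytes). Five workstations push
# several MB each to 10.1.1.50, which then pushes a comparable volume out to
# 203.0.113.7 (an assumed command-and-control address). 10.1.1.5 is an ordinary
# resolver and 10.1.1.60 an ordinary file server; neither should be flagged.
SAMPLE_FLOWS = [
    ("10.1.1.11", "10.1.1.50", 445, 3_200_000),
    ("10.1.1.12", "10.1.1.50", 445, 2_900_000),
    ("10.1.1.13", "10.1.1.50", 445, 4_100_000),
    ("10.1.1.14", "10.1.1.50", 445, 1_700_000),
    ("10.1.1.15", "10.1.1.50", 445, 2_200_000),
    ("10.1.1.50", "203.0.113.7", 443, 14_000_000),
    ("10.1.1.11", "10.1.1.5", 53, 400),        # DNS to the internal resolver
    ("10.1.1.12", "10.1.1.5", 53, 380),
    ("10.1.1.13", "10.1.1.5", 53, 410),
    ("10.1.1.14", "10.1.1.5", 53, 395),
    ("10.1.1.15", "10.1.1.5", 53, 400),
    ("10.1.1.20", "10.1.1.5", 53, 380),
    ("10.1.1.5", "198.51.100.2", 53, 120_000),  # resolver forwarding upstream
    ("10.1.1.11", "10.1.1.60", 445, 5_000_000), # file server, no egress
    ("10.1.1.12", "10.1.1.60", 445, 5_000_000),
    ("10.1.1.13", "10.1.1.60", 445, 5_000_000),
]


def find_staging_proxies(flows, min_fan_in=3, min_inbound_bytes=1_000_000,
                         min_relay_ratio=0.5):
    """Return internal hosts that collect data from many peers and relay it out.

    A host is reported when it receives from at least min_fan_in internal
    peers, at least min_inbound_bytes in total, and sends to an external
    address at least min_relay_ratio of what it received. The byte and ratio
    tests are what separate a relay from a busy resolver or file server.
    """
    inbound_bytes = defaultdict(int)
    inbound_peers = defaultdict(set)
    egress_bytes = defaultdict(int)
    egress_dests = defaultdict(set)

    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound_bytes[dst] += nbytes
            inbound_peers[dst].add(src)
        elif is_internal(src):
            egress_bytes[src] += nbytes
            egress_dests[src].add(dst)

    findings = []
    for host, peers in inbound_peers.items():
        if len(peers) < min_fan_in or inbound_bytes[host] < min_inbound_bytes:
            continue
        if egress_bytes[host] == 0:
            continue
        ratio = egress_bytes[host] / inbound_bytes[host]
        if ratio < min_relay_ratio:
            continue
        # Peers that never talk outside themselves are the hosts whose only
        # path to the attacker runs through this relay.
        hidden = sorted(p for p in peers if egress_bytes[p] == 0)
        findings.append({
            "proxy": host,
            "fan_in": len(peers),
            "inbound_bytes": inbound_bytes[host],
            "egress_bytes": egress_bytes[host],
            "relay_ratio": round(ratio, 3),
            "external_destinations": sorted(egress_dests[host]),
            "hidden_sources": hidden,
        })
    return findings


if __name__ == "__main__":
    for finding in find_staging_proxies(SAMPLE_FLOWS):
        print(finding)
```

On the constructed data only 10.1.1.50 is reported, with the five workstations listed as the hosts behind it; the resolver is skipped by the volume floor and the file server by the absence of egress. On real data the thresholds have to be tuned against known relays such as web proxies and mail gateways, and the destination port carries no weight here because the external hop can use any port.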
This article was updated on August 23 to add context on Shamoon and the attackers.

Discussion

  • Anonymous on

    What if they take out SCADA systems running oil pipelines or something?

  • H4zzmatt on

    30K? Where is the source for this claim? Why is everyone repeating it as fact? I see no verifiable source. If I say I erased 30K machines are you just going to take my word for it? Shame on you Dennis Fisher. And shame on McAfee, Symantec et al for repeating this in their 'detailed analysis'

    There is actually no proof that 'Cutting Sword of Justice' was behind the first attack which if you ask me is just a random malware infection. There really doesn't seem to be anything all that targeted about it, just some loud mouths claiming responsibility with no proof they actually did anything.

    I expect better from ThreatPost WTF?

    - H4zzmatt

     

  • Anonymous on

    Sounds like somebody is sad about losing their union job and needs a hug. You work for a Middle Eastern oil company...pretty sure they don't use Google Corporate Culture as a template for how to treat their employees. Hacking has become so childish and automated. ZZZzzzzzzz. 30k boxes infected is laughable. The shamoon proxy(ies) would generate so much unusual traffic that it(they) would be simple to locate and isolate if true. Don't misunderstand me, I'm sorry you got fired and your boss is a jackass but welcome to Corporate Earth with the rest of us.

  • Anon on

    and we're done: pastebin.com/AtN7dLeW

    Hope you enjoy!

    #SH