Attackers are threatening to launch a second assault on Saudi Aramco on Saturday in order to prove its abilities and the fact that it’s not relying on help from an Aramco insider. The first attack on the oil company occurred last week and resulted in the company taking its Web sites offline, saying that it had been hit by a malware infection on some of its workstations.
The warning of the upcoming attack was posted on Pastebin Thursday, saying that the attack is the result of the “arrogance” and “brutality” of Aramco, a massive oil producer in Saudi Arabia.
“What we’re going to do to prove our ability to do more? well, we don’t really need or even feel like proving anything to anyone and show them that we can, but here is a headline story: we are going to make it, next week, once again, and you will not be able by 1% to stop us,” the group said in its post.
The original attack on Aramco began on August 15 and while the details are murky, the company’s Web sites have been offline for more than a week. Aramco officials said that the attack affected a few of the company’s workstations and that no critical systems were hit. However, the group that claimed responsibility for the attack, which included a malware infection as well as a subsequent DDoS attack on the Web sites, claimed to have destroyed data on thousands of machines.
“As previously said by hackers, about 30000 (30k) of clients and servers in the company were completely destroyed. Symantec, McAfee and Kaspersky wrote a detail analysis about the virus, good job. Hackers published the range of internal clients IPs which were found in the internal network and became one of the phases of the attack target,” the group said in a post on Pastebin shortly after the attack.
Whether the person or people posting the claims on Pastebin are the same as the first group who claimed responsibility for the attack on Aramco last week isn’t clear. The original post was signed by a group calling itself the Cutting Sword of Justice, but the subsequent ones have not been signed.
It’s not known exactly how the attack occurred, but researchers say there are strong indications that the Shamoon malware discovered late last week was used in the operation. Shamoon has the ability to steal data from infected PCs and then essentially render the machine inoperable by overwriting the master boot record. The latest post on Pastebin included a line at the top that read in part “/shn/amoo”, an anagram for Shamoon.
The group says that Aramco is being targeted for good reason.
“That’s will happen for two reason:
1- you’re brutal and selfish to harm any employee just for the sake of expecting.
2- we do hate, hate a lot, arrogance.
Be prepared for something you will see in your eyes and you will not be able to stop it,” the post says.

Shamoon uses an unusual system for exfiltrating data from infected networks. Some of the machines that researchers identified as having Shamoon infections on them likely were not connected directly to the Internet. So in order to remove stolen data from those PCs, the malware connects to a proxy server on the internal network that’s controlled by the attacker. That machine collects all of the data and then sends it to the external command-and-control server.

This article was updated on August 23 to add context on Shamoon and the attackers.
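The staging pattern described above (many internal hosts pushing data to one internal machine, which then pushes a comparable volume to an external address) is something a network defender can look for in flow records. The following is an added example written for this article, not code from the researchers or vendors cited here; it assumes the organisation's internal address space is the RFC 1918 ranges, uses constructed flow records rather than observed data, and the thresholds (`min_sources`, `min_ratio`) are illustrative values, not figures from any published analysis.

```python
"""Flag an internal host that behaves like an exfiltration staging proxy.

Hypothetical defender-side heuristic (not from the article or any vendor
report): an internal host that receives uploads from several other internal
hosts and then sends a comparable volume to an external address is a
candidate staging proxy worth investigating.
"""
import ipaddress
from collections import defaultdict

# Assumption: the organisation's internal space is the RFC 1918 ranges.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes_sent).
# Invented for this example; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external addresses.
SAMPLE_FLOWS = [
    ("10.1.2.10", "10.1.9.5", 443, 5_000_000),
    ("10.1.2.11", "10.1.9.5", 443, 4_200_000),
    ("10.1.2.12", "10.1.9.5", 443, 6_100_000),
    ("10.1.3.7", "10.1.9.5", 443, 3_900_000),
    ("10.1.9.5", "203.0.113.77", 443, 18_000_000),  # staging host pushes outward
    ("10.1.2.10", "10.1.0.20", 445, 120_000),  # ordinary file-server traffic
    ("10.1.2.11", "10.1.0.20", 445, 95_000),
    ("10.1.0.20", "10.1.2.11", 445, 80_000),
    ("10.1.5.3", "198.51.100.9", 443, 40_000),  # a normal direct web session
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_staging_hosts(flows, min_sources=3, min_ratio=0.5):
    """Return internal hosts with high internal fan-in and matching external egress.

    A host is flagged when at least `min_sources` distinct internal hosts sent
    it data AND its outbound volume to external addresses is at least
    `min_ratio` of what it received internally.
    """
    inbound_sources = defaultdict(set)  # dst -> set of internal src hosts
    inbound_bytes = defaultdict(int)  # dst -> bytes received from internal hosts
    outbound_ext_bytes = defaultdict(int)  # src -> bytes sent to external hosts

    for src, dst, _port, nbytes in flows:
        src_int, dst_int = is_internal(src), is_internal(dst)
        if src_int and dst_int:
            inbound_sources[dst].add(src)
            inbound_bytes[dst] += nbytes
        elif src_int and not dst_int:
            outbound_ext_bytes[src] += nbytes

    suspects = []
    for host, sources in inbound_sources.items():
        egress = outbound_ext_bytes.get(host, 0)
        if (
            len(sources) >= min_sources
            and egress > 0
            and egress >= min_ratio * inbound_bytes[host]
        ):
            suspects.append(
                {
                    "host": host,
                    "fan_in": len(sources),
                    "inbound_bytes": inbound_bytes[host],
                    "outbound_bytes": egress,
                }
            )
    # Largest egress first so the most suspicious host is reported at the top.
    return sorted(suspects, key=lambda s: s["outbound_bytes"], reverse=True)


if __name__ == "__main__":
    for s in find_staging_hosts(SAMPLE_FLOWS):
        print(
            f"{s['host']}: {s['fan_in']} internal sources, "
            f"{s['inbound_bytes']} B in, {s['outbound_bytes']} B out to external"
        )
```

On the constructed records only `10.1.9.5` is flagged: the file server `10.1.0.20` has internal fan-in but no external egress, and the direct web session from `10.1.5.3` has egress but no fan-in. In practice the thresholds need tuning against baseline traffic, and legitimate aggregators (backup servers, log collectors, update proxies) must be allow-listed, since they show the same shape by design.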