Saudi Aramco Confirms Scope of Malware Attack

Officials at oil giant Saudi Aramco have confirmed that about 30,000 of the company’s workstations were hit by a malware attack on August 15, a number that lines up with claims made in posts on Pastebin by a group taking credit for the attack. The company said that while tens of thousands of machines were infected, its core oil production capabilities were not affected by the attack.

Shortly after the attack on Aramco, a group calling itself the Cutting Sword of Justice posted a message on Pastebin taking credit for the operation and saying that it had sent “a malicious virus to destroy thirty thousand computers networked in this company”. Aramco subsequently issued a statement saying that it had been the victim of an attack, but did not say what or how many systems were hit. The company ended up taking its main Web site offline for several days, as well.

Now, the company says that the attack went as the attackers have claimed, at least as far as the volume of infected machines is concerned.

“Saudi Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations. The workstations have since been cleaned and restored to service. As a precaution, remote Internet access to online resources was restricted,” the company said in its statement.

The company confirmed that its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated.

Security researchers have said that the Shamoon malware, which emerged in the days right after the attack on Aramco, may have been the tool used in the operation. Shamoon can completely destroy the data on an infected machine and also overwrites the PC's master boot record, leaving the system unable to boot. Researchers found a time and date hardcoded into Shamoon that match the time at which the attackers claiming responsibility for the Aramco attack said the attack began. Shamoon uses some Internet-connected machines on a compromised network as proxy servers to collect data stolen from other infected PCs on the local network and then sends that data back to external command-and-control servers.
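An overwritten master boot record is one of the few artifacts of a wiper that a responder can check quickly and offline. The following is an added example, written for this page and not code from the article, from Aramco, or from any published Shamoon analysis: it reads the first 512 bytes of a disk image and reports the structural signs of an overwrite (missing 0x55AA boot signature, a bootstrap area that is a single repeated byte, an empty or malformed partition table). The function and constant names are this example's own, and the three sample MBRs are constructed inline (an intact one with a single NTFS-typed partition, a zero-filled one, and one filled with junk bytes) rather than taken from any real disk. It does not identify Shamoon or any other family; it only says whether the sector still looks like an MBR, so in an investigation the result should be compared against a known-good image of the same host.

```python
"""Triage the first 512 bytes of a disk (the MBR) for signs of a wiper overwrite.

Added example; names and sample data are assumptions, not taken from the article.
"""
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 on a valid MBR


@dataclass
class PartitionEntry:
    status: int        # 0x80 = active/bootable, 0x00 = inactive
    type_id: int       # 0x00 = unused slot
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> list:
    """Unpack the four partition entries; the CHS start/end fields are skipped (3x)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append(PartitionEntry(status, type_id, lba_start, count))
    return entries


def triage_mbr(mbr: bytes) -> dict:
    """Return structural findings; a conventional, intact MBR yields none."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    findings = []
    signature_ok = mbr[MBR_SIZE - 2:] == BOOT_SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    bootstrap = mbr[:BOOTSTRAP_SIZE]
    if bootstrap.count(bootstrap[0]) == BOOTSTRAP_SIZE:
        findings.append("bootstrap area is a single repeated byte")
    entries = parse_partition_table(mbr)
    used = [e for e in entries if e.type_id != 0]
    if not used:
        findings.append("partition table has no entries")
    for idx, e in enumerate(entries):
        if e.status not in (0x00, 0x80):
            findings.append(f"entry {idx}: invalid status byte 0x{e.status:02x}")
        if e.type_id != 0 and e.sector_count == 0:
            findings.append(f"entry {idx}: type set but zero length")
    return {
        "boot_signature_ok": signature_ok,
        "partitions": used,
        "findings": findings,
        "suspect": bool(findings),
    }


def _build_sample_mbr() -> bytes:
    # Constructed sample, not a real disk image: arbitrary bootstrap bytes,
    # one bootable NTFS-typed (0x07) partition at LBA 2048, three empty slots.
    bootstrap = bytes(range(256)) + bytes(range(BOOTSTRAP_SIZE - 256))
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bootstrap + entry + bytes(3 * PARTITION_ENTRY_SIZE) + BOOT_SIGNATURE


SAMPLE_INTACT_MBR = _build_sample_mbr()
SAMPLE_ZEROED_MBR = bytes(MBR_SIZE)  # what a zero-fill overwrite leaves behind
SAMPLE_GARBAGE_MBR = bytes((i * 73 + 11) % 256 for i in range(MBR_SIZE))  # junk fill


if __name__ == "__main__":
    for name, image in (("intact", SAMPLE_INTACT_MBR),
                        ("zeroed", SAMPLE_ZEROED_MBR),
                        ("garbage", SAMPLE_GARBAGE_MBR)):
        result = triage_mbr(image)
        print(f"{name}: suspect={result['suspect']} findings={result['findings']}")
```

On a real case, feed it the first 512 bytes of a forensic image (`dd if=image.raw bs=512 count=1`) rather than the samples; GPT disks keep a protective MBR in sector 0, so the same checks still apply there, but a wiper that leaves the signature bytes alone will only be caught by the bootstrap and partition-table checks or by comparison with a known-good copy.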

Aviv Raff, CTO of Seculert, who analyzed samples of Shamoon, said that the proxy server he saw being used is not one of the compromised machines included in a list posted last week on Pastebin.

“This might mean that those samples are part of an attack on a different entity. Or, this is indeed part of the attack against Aramco, but the attackers decided not to share this IP address in the pastes, considering the detail in the pastes is true, of course.”

The link is not conclusive and Aramco officials have not said whether data on their infected machines was destroyed, just that a virus outbreak hit the company.

“We addressed the threat immediately, and our precautionary procedures, which have been in place to counter such threats, and our multiple protective systems, have helped to mitigate these deplorable cyber threats from spiraling,” Khalid A. Al-Falih, president and CEO of Saudi Aramco, said in a statement.

“We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever. There is no doubt whatsoever about Saudi Aramco meeting its commitments to its customers worldwide.”

Also on Monday, another Pastebin post appeared that contained what the poster claimed was Al-Falih’s corporate email address and password. The post also included a list of some of the routers on the company’s internal network and their remote-access passwords. 

Discussion

  • Anonymous on

    Any word on the claimed August 25 attack?

  • Anonymous on

    After looking at the system name list and applying my understanding of ICS, there is a slim chance that the production systems were touched. If we would have seen Windows Server 2000 or XP in this list with some different computer names, then I could imagine that production was affected.

    There is no way...the hackers are not that smart and talented to break into the production networks. What happened here is almost like defacing Aramco's web page.

    Michael