Saudi Aramco says that the virus attack that compromised tens of thousands of the company’s workstations last month never endangered the company’s oil production capabilities and that all of the affected systems have been brought back online and restored. The attack on Aramco has been linked by researchers to the Shamoon malware, but company officials did not comment on the nature or provenance of the malware.
The attack hit Aramco, one of the larger oil producers in the world, on August 15 and the company soon took its main Web sites offline as it investigated the extent and nature of the compromise. A group of attackers calling itself the Cutting Sword of Justice took credit for the attack through a post on Pastebin, saying that the operation had destroyed data on 30,000 machines, including both workstations and servers. The company originally did not comment on the extent of the damage to its network, simply saying that it had suffered an attack and was in the process of cleaning it up.
Later, however, Aramco officials acknowledged that the malware infestation had damaged about 30,000 computers, but emphasized that none of its oil-production facilities were affected and that its oil output would not be diminished as a result of the attack. On Monday, company officials said that security staffers had restored all of the infected machines and that its operations were back to normal.
“As a follow-up to Saudi Aramco’s previous statements on the computer virus that affected a number of the personal workstations of the company, the company would like to announce that its electronic network is functioning normally following a complete and thorough scanning. The company has also reinforced its network security systems and further enhanced security related technologies of the network,” the company said in a statement emailed to reporters.
“The virus, which only affected personal workstations in the company, had no significant impact on the company’s administrative operations or the productivity of its employees. This was achieved through restoring the affected workstations in a fast and effective manner and in time for employees returning to work after the ‘Id holiday. Internal email services were also restored in a timely manner by the company’s experts.”
Aramco officials also disputed recent published reports that the investigation into the attack was over.
“We also want to state that the investigation of this incident is still ongoing and that we noticed some news reports regarding the findings of the investigation. We want to emphasize that these reports are not based on real facts,” the statement said.
Although Aramco officials have not discussed the nature of the malware that infected the company’s networks or what damage it did, researchers who have followed the incident and have analyzed the Shamoon malware, which was discovered around the same time as the Aramco attack, say there is strong evidence that Shamoon may have been the tool used in the attack. There is a time hard-coded into the Shamoon malware that matches the time that the attack on Aramco began, and the attackers who took credit for the operation claimed that they were able to destroy data on the compromised machines, something that Shamoon has the ability to do.