Saudi Aramco Says Networks Back Online, But No Results From Malware Investigation Yet

Saudi Aramco says that the virus attack that compromised tens of thousands of the company’s workstations last month never endangered the company’s oil production capabilities and that all of the affected systems have been brought back online and restored. The attack on Aramco has been linked by researchers to the Shamoon malware, but company officials did not comment on the nature or provenance of the malware.

The attack hit Aramco, one of the larger oil producers in the world, on August 15 and the company soon took its main Web sites offline as it investigated the extent and nature of the compromise. A group of attackers calling itself the Cutting Sword of Justice took credit for the attack through a post on Pastebin, saying that the operation had destroyed data on 30,000 machines, including both workstations and servers. The company originally did not comment on the extent of the damage to its network, simply saying that it had suffered an attack and was in the process of cleaning it up.

Later, however, Aramco officials acknowledged that the malware infestation had damaged about 30,000 computers, but emphasized that none of its oil-production facilities were affected and that its oil output would not be diminished as a result of the attack. On Monday, company officials said that security staffers had restored all of the infected machines and that its operations were back to normal.

“As a follow-up to Saudi Aramco’s previous statements on the computer virus that affected a number of the personal workstations of the company, the company would like to announce that its electronic network is functioning normally following a complete and thorough scanning. The company has also reinforced its network security systems and further enhanced security related technologies of the network,” the company said in a statement emailed to reporters. 

“The virus, which only affected personal workstations in the company, had no significant impact on the company’s administrative operations or the productivity of its employees. This was achieved through restoring the affected workstations in a fast and effective manner and in time for employees returning to work after the ‘Id holiday. Internal email services were also restored in a timely manner by the company’s experts.”

Aramco officials also disputed recent published reports that the investigation into the attack was over.

“We also want to state that the investigation of this incident is still ongoing and that we noticed some news reports regarding the findings of the investigation. We want to emphasize that these reports are not based on real facts,” the statement said.

Although Aramco officials have not discussed the nature of the malware that infected the company’s networks or what damage it did, researchers who have followed the incident and have analyzed the Shamoon malware, which was discovered around the same time as the Aramco attack, say there is strong evidence that Shamoon may have been the tool used in the attack. There is a time hard-coded into the Shamoon malware that matches the time that the attack on Aramco began, and the attackers who took credit for the operation claimed that they were able to destroy data on the compromised machines, something that Shamoon has the ability to do.

Discussion

  • Ken on

    They could possibly have saved a lot of time, trouble and money had they used new technology that's available. It provides another very strong barrier against these sorts of attacks and does not cost the earth.

  • Anonymous on

    Ken, could you be any more vague? Thanks for, well, nothing.

  • Anonymous on

    I know from experience (working for a large gas producer in Qatar) most companies don't follow security standards. It's not a matter of employing technologies. They just follow this mentality "Security matters only after an attack".

    I have suggested several times that our company enhance the security plan, security training for the employees, backup policy. Unfortunately they thought that current procedure is good as long as everything is working.

    3 months before I left, they got hit by Sality, even abroad offices were hit. It was only then they made a deal with F-Secure and they installed a centrally managed version.

  • Ken on

    Yes Abatis HDF was my reference, I was refraining from advertising.

    As it's mentioned I will go on, Abatis gives you another very important step in your arsenal against attack and a very good one, test it for yourself and see.

    Yes I agree companies are failing to secure, I believe part of this is from the financial side they don’t see it as a major problem and are not clear on the financial impact it could have until they get hit and partly because it’s not the board members ending up in the dock for failing to take adequate precautions and also in the case of resources or infrastructure the safety aspect.
