Oil giant Saudi Aramco back online after 30,000 workstations hit by malware

Filed Under: Data loss, Featured, Malware

Image from Aramco's Facebook pageAramco, Saudi Arabia's national oil company, said on Sunday that the company was back in operation ten days after a massive malware outbreak hobbled 30,000 workstations at the company.

In a statement on the company's Facebook page (content alert: Facebook page contains images of extremely phallic architecture), Aramco said that it had "restored all its main internal network services" that were affected by a malware outbreak on August 15.

Statement from Aramco on Facebook

The attack was attributed to "external sources." It is just the latest against a national oil company, following reports of malware attacks on Iran's oil infrastructure linked to the "Flame" malware in May.

Aramco said employees returned to work on August 25 and resumed "normal business," though the company is blocking remote access to company resources as a precaution.

The exact source of the disruption at the Dhahran, Saudi Arabia oil producer isn't known, though circumstantial evidence points to a piece of malware dubbed Shamoon, which was first detected at around the same time the attack on Aramco began, on August 15.

Analysis of Shamoon by SophosLabs found that it is a targeted attack designed to steal data and disrupt operations on a specific network, though not the stealthiest or sophisticated targeted malware.

The malicious Trojan horse, which Sophos named Troj/MDrop-ELD, attempts to overwrite the master boot record on infected systems, which would make it impossible to boot the machine. It also replaces files on the hard drive on infected systems, replacing certain image and system file types with a broken JPG (JFIF) file -- an obnoxious, but mostly harmless prank.

Word of problems at Aramco surfaced shortly after the firm was hit, when the company acknowledged "a disruption" on its network caused by a malware infection and severed its connections to the internet. Aramco has claimed that the outbreak affected only user workstations and not the parts of its network that manage its "core business" - aka: extracting oil from the ground and refining it.

That statement coincided with a claim of responsibility for the attack from a previously unknown group calling itself the "Cutting Sword of Justice."

The group posted details of the hack on Pastebin, and said that Aramco was attacked in retaliation against the Al-Saud regime for the "crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon (and) Egypt."

Statement from Cutting Sword of Justice

The "anti-oppression hacker group" said it hacked Aramco using compromised systems in "several countries," then sent a malicious program to destroy 30,000 systems within Aramco's network.

Attribution in malware attacks is always tricky, though experts note that both the number of systems the group claims to have infected and the timing of the attack match up with subsequent statements from Aramco and forensic analysis of the malware. That lends some credence to the group's claims.

Iran flag in flames. Image courtesy of ShutterstockAttacks against private and public energy-producing firms are nothing new. In addition to the "Flame" malware attacks against Iran's oil refineries, the US Department of Homeland Security warned in May about ongoing cyber attacks aimed at firms operating natural gas pipelines within the United States.

Energy firms have also been the target of sophisticated attacks designed to steal valuable information on oil deposits.

However, the Shamoon attack raises the specter of something new: politically motivated hacktivism targeted against politically powerful energy firms and state energy monopolies like Aramco.

In its Pastebin manifesto, Cutting Sword of Justice said its attack on Aramco was "a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression." The group invited other "anti-tyranny hacker groups" to join the movement.

No word yet on whether Cutting Sword has any takers, but we'll keep our eyes opened for similar attacks in the days and months ahead.

, , , , , , , , , , , ,

You might like

13 Responses to Oil giant Saudi Aramco back online after 30,000 workstations hit by malware

  1. wzrd1 · 752 days ago

    Interestingly enough, now RasGas in Qatar, a known moderate nation in the Persian Gulf has been attacked by the same malware.
    Qatar is noteworthy for permitting Christian churches to be built in the nation, a liquor and pork distribution system for westerners and western attire being the normal dress in the country. It's also an R&R location for US forces in the region.

    • Roth Oil Tanks · 693 days ago

      Do you think this malware attack has something to do with a sabotage plan? since you had mentioned that a Persian Gulf is also attacked with a same malware.

  2. Aaron Hysell · 734 days ago

    This is the reason gas prices are so freakin high!

  3. Andrew Dunreath-Cooper · 734 days ago

    Only if breaking and entering is acceptable.

  4. Mary Lynn Noonan-Toschi · 734 days ago

    massive protesting hacking such as this could have unintended consequences such as compromising computers designed for people with special needs.

  5. Bruce Kahler · 734 days ago

    Funniest thing about the article is need for a disclaimer: (content alert: Facebook page contains images of extremely phallic architecture),

  6. Gina Senecal · 734 days ago

    F*ck NO

  7. Dick G Thorén · 734 days ago

    Strange that some dictators like Khadaffi must be overthrown while other dictators are still free to oppress their people. If there was democracy in Saudi, then this thing wouldn't have happened. That doesn't mean that I agree with the hacking, but I rather choose that instead of setting of bombs to get rid of the tyrants. They have no problem instead with killing civilians.

  8. Rick Chartrand · 734 days ago

    So what next hacking groups? Will it be acceptable to kill innocents by say hacking medical computers? Destruction of private property whether it be in a regime that is evil or any other is still destruction, Sword of justice? All I see there is cowards that hide. Anonymous hides behind a veiled voice and mask, Sword of justice, you want to look intelligent? LEARN TO SPELL! My god! If english isn't your native language then simply don't bother. In my eyes you are just as cowardly as the governemtn you purport to opress. You put innocent people out of work with your efforts, Whoopy! Good going!

  9. John-Michael Van de Walker · 734 days ago

    No but that won't stop them. It's not about hacktivism though or they wouldn't claim credit

  10. Tony Cluley · 734 days ago

    Absolutely, but in the same sense that eventually there is a right time for violent protest. Even Mandela believed violent protest has a valid use when peaceful means have gone unheeded or become ineffective. Sometimes the only only way to respond to violence is with violence. This said, the decision to use active forms of protest must be taken seriously, as the consequences can be severe.

  11. Eric Horvath · 734 days ago

    Aaron Hysell: "This is the reason gas prices are so freakin high!"

    No sir it is not, the reason it's so high is because of greed .

  12. Tree Ethington · 734 days ago

    No. Never. The only way we can ever live in any sort of peaceful co existence in this crowded world of ours is rules and laws. Without respecting the same, everything would eventually dissolve into chaos and the walls of Rome would fall. Thus, those who chose to do so, will be punished by the society for the prevention of anarchy.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul is a Boston-based reporter and industry analyst with more than a decade of experience covering the IT industry, cyber security and hacking. His work has appeared on threatpost.com, The Boston Globe, salon.com, NPR's Marketplace, Fortune Small Business, as well as industry publications including ZDNet, Computerworld, InfoWorld, eWeek, CIO , CSO and ITWorld.com. Paul got his 15 minutes as an expert guest on The Oprah Show - but that's a long story.