Oil giant Saudi Aramco back online after 30,000 workstations hit by malware

Image from Aramco's Facebook page

Aramco, Saudi Arabia’s national oil company, said on Sunday that the company was back in operation ten days after a massive malware outbreak hobbled 30,000 workstations at the company.

In a statement on the company’s Facebook page (content alert: Facebook page contains images of extremely phallic architecture), Aramco said that it had “restored all its main internal network services” that were affected by a malware outbreak on August 15.

Statement from Aramco on Facebook

The attack was attributed to “external sources.” It is just the latest against a national oil company, following reports of malware attacks on Iran’s oil infrastructure linked to the “Flame” malware in May.

Aramco said employees returned to work on August 25 and resumed “normal business,” though the company is blocking remote access to company resources as a precaution.

The exact source of the disruption at the Dhahran, Saudi Arabia oil producer isn’t known, though circumstantial evidence points to a piece of malware dubbed Shamoon, which was first detected at around the same time the attack on Aramco began, on August 15.

Analysis of Shamoon by SophosLabs found that it is a targeted attack designed to steal data and disrupt operations on a specific network, though it is not the stealthiest or most sophisticated targeted malware.

The malicious Trojan horse, which Sophos named Troj/MDrop-ELD, attempts to overwrite the master boot record on infected systems, which would make it impossible to boot the machine. It also replaces files on the hard drive on infected systems, replacing certain image and system file types with a broken JPG (JFIF) file — an obnoxious, but mostly harmless prank.
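A defender's triage check for the two behaviours just described (a clobbered master boot record and non-image files replaced with a JPEG fragment), added here as example code that is not part of the article or of SophosLabs' analysis; every sample byte string and file path below is constructed for illustration.

```python
import os

# Constructed constants (not taken from the article).
JFIF_MAGIC = b"\xff\xd8\xff\xe0"   # JPEG SOI marker followed by an APP0 (JFIF) segment
JPEG_EOI = b"\xff\xd9"             # end-of-image marker a complete JPEG ends with
MBR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"        # boot signature at offset 510 of sector 0
IMAGE_EXTS = {".jpg", ".jpeg"}

def mbr_looks_intact(mbr: bytes) -> bool:
    """Sanity-check a 512-byte sector-0 image.

    A wiper that overwrites the MBR normally destroys the 0x55AA boot
    signature and the partition table, so both are checked."""
    if len(mbr) != MBR_SIZE or mbr[510:512] != MBR_SIGNATURE:
        return False
    entries = [mbr[446 + 16 * i: 446 + 16 * (i + 1)] for i in range(4)]
    # Each entry's boot flag must be 0x00 or 0x80; at least one entry must be in use.
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return False
    return any(e != b"\x00" * 16 for e in entries)

def find_replaced_files(files: dict) -> list:
    """Return paths whose content looks like a JPEG fragment but should not:
    a non-image extension, or an image file with no end-of-image marker."""
    suspects = []
    for path, data in files.items():
        if not data.startswith(JFIF_MAGIC):
            continue
        ext = os.path.splitext(path)[1].lower()
        if ext not in IMAGE_EXTS or not data.endswith(JPEG_EOI):
            suspects.append(path)
    return sorted(suspects)

# Constructed sample input: one healthy MBR, one wiped MBR, a handful of files.
def make_good_mbr() -> bytes:
    active_partition = b"\x80" + b"\x00" * 15        # boot flag set, rest zeroed
    return b"\x00" * 446 + active_partition + b"\x00" * 48 + MBR_SIGNATURE

WIPED_MBR = JFIF_MAGIC * 128                         # 512 bytes of JPEG header noise
SAMPLE_FILES = {
    "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\r\n",
    "C:/Windows/System32/kernel32.dll": b"MZ\x90\x00" + b"\x00" * 60,
    "C:/Windows/System32/ntoskrnl.exe": JFIF_MAGIC + b"\x00\x10JFIF\x00" + b"\x00" * 20,
    "C:/Users/u/report.docx": JFIF_MAGIC + b"\x00\x10JFIF\x00",
    "C:/Users/u/photo.jpg": JFIF_MAGIC + b"\x00\x10JFIF\x00" + b"\x00" * 8 + JPEG_EOI,
    "C:/Users/u/broken.jpg": JFIF_MAGIC + b"\x00\x10JFIF\x00",
}

if __name__ == "__main__":
    print("good MBR intact:", mbr_looks_intact(make_good_mbr()))
    print("wiped MBR intact:", mbr_looks_intact(WIPED_MBR))
    print("replaced files:", find_replaced_files(SAMPLE_FILES))
```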

Word of problems at Aramco surfaced shortly after the firm was hit, when the company acknowledged “a disruption” on its network caused by a malware infection and severed its connections to the internet. Aramco has claimed that the outbreak affected only user workstations and not the parts of its network that manage its “core business” – aka: extracting oil from the ground and refining it.

That statement coincided with a claim of responsibility for the attack from a previously unknown group calling itself the “Cutting Sword of Justice.”

The group posted details of the hack on Pastebin, and said that Aramco was attacked in retaliation against the Al-Saud regime for the “crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon (and) Egypt.”

Statement from Cutting Sword of Justice

The “anti-oppression hacker group” said it hacked Aramco using compromised systems in “several countries,” then sent a malicious program to destroy 30,000 systems within Aramco’s network.

Attribution in malware attacks is always tricky, though experts note that both the number of systems the group claims to have infected and the timing of the attack match up with subsequent statements from Aramco and forensic analysis of the malware. That lends some credence to the group’s claims.

Iran flag in flames. Image courtesy of Shutterstock

Attacks against private and public energy-producing firms are nothing new. In addition to the “Flame” malware attacks against Iran’s oil refineries, the US Department of Homeland Security warned in May about ongoing cyber attacks aimed at firms operating natural gas pipelines within the United States.

Energy firms have also been the target of sophisticated attacks designed to steal valuable information on oil deposits.

However, the Shamoon attack raises the specter of something new: politically motivated hacktivism targeted against politically powerful energy firms and state energy monopolies like Aramco.

In its Pastebin manifesto, Cutting Sword of Justice said its attack on Aramco was “a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression.” The group invited other “anti-tyranny hacker groups” to join the movement.

No word yet on whether Cutting Sword has any takers, but we’ll keep our eyes open for similar attacks in the days and months ahead.