Attacks/Breaches
8/27/2012
12:06 PM
Connect Directly
RSS
E-Mail
50%
50%

Saudi Aramco Restores Network After Shamoon Malware Attack

Hacktivist-launched virus takes out 75% of state-owned oil company's workstations, signals the growing power of attackers with social or political agendas.

Saudi Aramco announced Sunday that it had restored full network access to PCs after a malware attack, launched on Aug. 15, infected approximately 30,000 of the organization's workstations. The company said it had proactively disabled network access for all infected PCs, as well as any remote access to the company's networks, until Saturday, when it completed related clean-up efforts.

A self-described activist group, Cutting Sword of Justice, claimed credit for the attack against Saudi Aramco--the state-owned national oil company of Saudi Arabia, as well as the world's largest exporter of crude oil--before it was launched. Security experts have dubbed the malware used in the attack "Shamoon," and said that it can exfiltrate data from infected systems and erase their hard drives.

According to Khalid A. Al-Falih, president and CEO of Saudi Aramco, the company reacted quickly once it spotted the infection. "We addressed the threat immediately, and our precautionary procedures--which have been in place to counter such threats--and our multiple protective systems have helped to mitigate these deplorable cyber threats from spiraling," he said in a statement.

Despite the malware attack having successfully infected 75% of the company's workstations, Al-Falih insisted that the company's exploration, producing, exports, sales, distribution, and financial and human resources systems, including related databases and industrial control systems, hadn't been breached, which he said was due to their having been placed on isolated networks.

But at least one of the company's websites, www.aramco.com--which had been taken offline after the attack--remained offline Monday.

Saudi Aramco has promised to further beef up its security--which is wise, given that a single virus was able to infect so many of its PCs. "We will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack," said Al-Falih.

If Cutting Sword of Justice really is a band of hacktivists--as opposed to an operation sponsored by a country that has a poor relationship with Saudi Arabia, such as Israel--then the Shamoon malware represents a first on the hacktivism front, given that groups such as Anonymous and LulzSec have typically targeted known Web application vulnerabilities or used distributed-denial-of-service (DDoS) attacks. "This is the first significant use of malware in a hacktivist attack," said Imperva's Rob Rachwald, director of security strategy, and Barry Shteiman, a principal security engineer, in a blog post. "In the past ... most hacktivist attacks were primarily application or DDoS attacks."

In addition, the attack highlights how nation states aren't necessarily behind all critical infrastructure or other types of advanced attacks. "In the last couple of years, it became very popular to single out the Chinese, U.S., and Israeli governments for cyber-warfare ... [but] this time it was hacktivists working for a political and social cause," said Rachwald and Shteiman. "A group of hobbyists and hacktivists with several very strong minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish. Does this mean that the power of the hacktivism has become so strong that it can compete with government cyber warfare organizations?"

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0972
Published: 2014-08-01
The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write ...

CVE-2014-2627
Published: 2014-08-01
Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors.

CVE-2014-3009
Published: 2014-08-01
The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct ph...

CVE-2014-3302
Published: 2014-08-01
user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708.

CVE-2014-3534
Published: 2014-08-01
arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a c...

Best of the Web
Dark Reading Radio