Attacks/Breaches
8/27/2012
12:06 PM
Connect Directly
RSS
E-Mail
50%
50%

Saudi Aramco Restores Network After Shamoon Malware Attack

Hacktivist-launched virus takes out 75% of state-owned oil company's workstations, signals the growing power of attackers with social or political agendas.

Saudi Aramco announced Sunday that it had restored full network access to PCs after a malware attack, launched on Aug. 15, infected approximately 30,000 of the organization's workstations. The company said it had proactively disabled network access for all infected PCs, as well as any remote access to the company's networks, until Saturday, when it completed related clean-up efforts.

A self-described activist group, Cutting Sword of Justice, claimed credit for the attack against Saudi Aramco--the state-owned national oil company of Saudi Arabia, as well as the world's largest exporter of crude oil--before it was launched. Security experts have dubbed the malware used in the attack "Shamoon," and said that it can exfiltrate data from infected systems and erase their hard drives.

According to Khalid A. Al-Falih, president and CEO of Saudi Aramco, the company reacted quickly once it spotted the infection. "We addressed the threat immediately, and our precautionary procedures--which have been in place to counter such threats--and our multiple protective systems have helped to mitigate these deplorable cyber threats from spiraling," he said in a statement.

Despite the malware attack having successfully infected 75% of the company's workstations, Al-Falih insisted that the company's exploration, producing, exports, sales, distribution, and financial and human resources systems, including related databases and industrial control systems, hadn't been breached, which he said was due to their having been placed on isolated networks.

But at least one of the company's websites, www.aramco.com--which had been taken offline after the attack--remained offline Monday.

Saudi Aramco has promised to further beef up its security--which is wise, given that a single virus was able to infect so many of its PCs. "We will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack," said Al-Falih.

If Cutting Sword of Justice really is a band of hacktivists--as opposed to an operation sponsored by a country that has a poor relationship with Saudi Arabia, such as Israel--then the Shamoon malware represents a first on the hacktivism front, given that groups such as Anonymous and LulzSec have typically targeted known Web application vulnerabilities or used distributed-denial-of-service (DDoS) attacks. "This is the first significant use of malware in a hacktivist attack," said Imperva's Rob Rachwald, director of security strategy, and Barry Shteiman, a principal security engineer, in a blog post. "In the past ... most hacktivist attacks were primarily application or DDoS attacks."

In addition, the attack highlights how nation states aren't necessarily behind all critical infrastructure or other types of advanced attacks. "In the last couple of years, it became very popular to single out the Chinese, U.S., and Israeli governments for cyber-warfare ... [but] this time it was hacktivists working for a political and social cause," said Rachwald and Shteiman. "A group of hobbyists and hacktivists with several very strong minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish. Does this mean that the power of the hacktivism has become so strong that it can compete with government cyber warfare organizations?"

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2970
Published: 2014-07-31
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-5139. Reason: This candidate is a duplicate of CVE-2014-5139, and has also been used to refer to an unrelated topic that is currently outside the scope of CVE. This unrelated topic is a LibreSSL code change adding functionality ...

CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

Best of the Web
Dark Reading Radio