Attacks/Breaches
8/27/2012
12:06 PM
50%
50%

Saudi Aramco Restores Network After Shamoon Malware Attack

Hacktivist-launched virus takes out 75% of state-owned oil company's workstations, signals the growing power of attackers with social or political agendas.

Saudi Aramco announced Sunday that it had restored full network access to PCs after a malware attack, launched on Aug. 15, infected approximately 30,000 of the organization's workstations. The company said it had proactively disabled network access for all infected PCs, as well as any remote access to the company's networks, until Saturday, when it completed related clean-up efforts.

A self-described activist group, Cutting Sword of Justice, claimed credit for the attack against Saudi Aramco--the state-owned national oil company of Saudi Arabia, as well as the world's largest exporter of crude oil--before it was launched. Security experts have dubbed the malware used in the attack "Shamoon," and said that it can exfiltrate data from infected systems and erase their hard drives.

According to Khalid A. Al-Falih, president and CEO of Saudi Aramco, the company reacted quickly once it spotted the infection. "We addressed the threat immediately, and our precautionary procedures--which have been in place to counter such threats--and our multiple protective systems have helped to mitigate these deplorable cyber threats from spiraling," he said in a statement.

Despite the malware attack having successfully infected 75% of the company's workstations, Al-Falih insisted that the company's exploration, producing, exports, sales, distribution, and financial and human resources systems, including related databases and industrial control systems, hadn't been breached, which he said was due to their having been placed on isolated networks.

But at least one of the company's websites, www.aramco.com--which had been taken offline after the attack--remained offline Monday.

Saudi Aramco has promised to further beef up its security--which is wise, given that a single virus was able to infect so many of its PCs. "We will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack," said Al-Falih.

If Cutting Sword of Justice really is a band of hacktivists--as opposed to an operation sponsored by a country that has a poor relationship with Saudi Arabia, such as Israel--then the Shamoon malware represents a first on the hacktivism front, given that groups such as Anonymous and LulzSec have typically targeted known Web application vulnerabilities or used distributed-denial-of-service (DDoS) attacks. "This is the first significant use of malware in a hacktivist attack," said Imperva's Rob Rachwald, director of security strategy, and Barry Shteiman, a principal security engineer, in a blog post. "In the past ... most hacktivist attacks were primarily application or DDoS attacks."

In addition, the attack highlights how nation states aren't necessarily behind all critical infrastructure or other types of advanced attacks. "In the last couple of years, it became very popular to single out the Chinese, U.S., and Israeli governments for cyber-warfare ... [but] this time it was hacktivists working for a political and social cause," said Rachwald and Shteiman. "A group of hobbyists and hacktivists with several very strong minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish. Does this mean that the power of the hacktivism has become so strong that it can compete with government cyber warfare organizations?"

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.