12:06 PM

Saudi Aramco Restores Network After Shamoon Malware Attack

Hacktivist-launched virus takes out 75% of state-owned oil company's workstations, signals the growing power of attackers with social or political agendas.

Saudi Aramco announced Sunday that it had restored full network access to PCs after a malware attack, launched on Aug. 15, infected approximately 30,000 of the organization's workstations. The company said it had proactively disabled network access for all infected PCs, as well as any remote access to the company's networks, until Saturday, when it completed related clean-up efforts.

A self-described activist group, Cutting Sword of Justice, claimed credit for the attack against Saudi Aramco--the state-owned national oil company of Saudi Arabia, as well as the world's largest exporter of crude oil--before it was launched. Security experts have dubbed the malware used in the attack "Shamoon," and said that it can exfiltrate data from infected systems and erase their hard drives.

According to Khalid A. Al-Falih, president and CEO of Saudi Aramco, the company reacted quickly once it spotted the infection. "We addressed the threat immediately, and our precautionary procedures--which have been in place to counter such threats--and our multiple protective systems have helped to mitigate these deplorable cyber threats from spiraling," he said in a statement.

Despite the malware attack having successfully infected 75% of the company's workstations, Al-Falih insisted that the company's exploration, producing, exports, sales, distribution, and financial and human resources systems, including related databases and industrial control systems, hadn't been breached, which he said was due to their having been placed on isolated networks.

But at least one of the company's websites, had been taken offline after the attack--remained offline Monday.

Saudi Aramco has promised to further beef up its security--which is wise, given that a single virus was able to infect so many of its PCs. "We will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack," said Al-Falih.

If Cutting Sword of Justice really is a band of hacktivists--as opposed to an operation sponsored by a country that has a poor relationship with Saudi Arabia, such as Israel--then the Shamoon malware represents a first on the hacktivism front, given that groups such as Anonymous and LulzSec have typically targeted known Web application vulnerabilities or used distributed-denial-of-service (DDoS) attacks. "This is the first significant use of malware in a hacktivist attack," said Imperva's Rob Rachwald, director of security strategy, and Barry Shteiman, a principal security engineer, in a blog post. "In the past ... most hacktivist attacks were primarily application or DDoS attacks."

In addition, the attack highlights how nation states aren't necessarily behind all critical infrastructure or other types of advanced attacks. "In the last couple of years, it became very popular to single out the Chinese, U.S., and Israeli governments for cyber-warfare ... [but] this time it was hacktivists working for a political and social cause," said Rachwald and Shteiman. "A group of hobbyists and hacktivists with several very strong minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish. Does this mean that the power of the hacktivism has become so strong that it can compete with government cyber warfare organizations?"

Cybercriminals are taking aim at your website. Is your security strategy up to the challenge? Also in the new, all-digital 10 Steps To E-Commerce Security special issue of Dark Reading: About half of the traffic to e-commerce sites is machine generated--and much of it is malicious. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio