Inside The Aftermath Of The Saudi Aramco BreachFormer security advisor to the oil giant describes the days following the Armageddon-style cyberattack that wiped the hard drives of tens of thousands of computers.
BLACK HAT USA -- Las Vegas -- Three years ago, one of the largest companies in the world was rocked by a massive cyberattack. “Armageddon” was averted as the company swiftly mounted a recovery effort, the former security advisor told Black Hat USA attendees here Thursday.
“You can recover,” said Chris Kubecka, a consultant who was brought in to set up a security operation after the attack by Saudi Aramco, the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. Her job was to help secure all the satellite offices in Africa, Europe, and the Middle East.
Three years ago, malware partially wiped or totally destroyed the hard drives of 35,000 Aramco computers. Saudi Aramco employees first noticed something was wrong on Aug. 15, 2012, as files disappeared and computers started to fail. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, which lasted just a few hours, citing the company's support of Saudi Arabia's royal family.
The IT staff immediately disconnected all the systems and the data centers to stop the malware, which researchers since then have named Distrack -- aka Shamoon -- from travelling through the network. Every office was physically unplugged from the Internet, taking the company offline and isolating it from the rest of the world.
Imagine the modern office, and then turn everything off, Kubecka said. “No emails, no phones, nothing,” she said. While oil production—drilling and pumping—remained unaffected because those were automated, the rest of the business went old-school. Everything was on paper, whether it was managing supplies, tracking shipment, or handling contracts with partners and governments. Employees used typewriters and fax machines. The IT staff had to figure out where to go to buy the fax machines, she said.
The IT shutdown meant all the payment systems were affected. There were miles of gasoline tank trucks that needed refills, but could not get paid, Kubecka said. Most people may never have heard of Saudi Aramco, which supplies 9.4 million barrels of oil a day, but with this attack, 10 percent of the world's supply was at risk, she said.
The irony of it all was that Saudi Aramco had invested heavily in securing the industrial control systems from cyberattacks, but the attackers crippled the company by targeting desktops, mail servers, and other Windows systems.
“IT got pwned,” Kubecka said.
Despite all the time and resources devoted to the investigation and forensics, some things remain a mystery. The two-pronged attack began during the Islamic holy month of Ramadan, which is a “great time to attack,” because half of IT and security teams take time off for religious observances, Kubecka said. The attackers got in because a Saudi Aramco employee clicked on a link in a spear-phishing email, but investigators still do not know when the email was sent, Kubecka said.
As part of the recovery effort, the company assembled the best team staffed with international—Kubecka was living in the Netherlands at the time—and domestic experts to set up a new and secure network, expand the cybersecurity team, and build a security operations center in Saudi Arabia. Continuous monitoring gave the security team the most up-to-date understanding of the environment, making it possible for IT to become more proactive.
The cybersecurity team complemented the IT team. IT professionals have a different set of skills than security professionals, and a successful security program needs both, Kubecka said. The security professionals “need a tinge of evil” because they are grey hackers, the good guys who know how to think like the bad guys do.
It was a tremendously expensive recovery, considering Aramco had to build a security operations center from scratch and recruit its team. The last place a company should be cutting costs is when assembling the security team.
A smaller corporation could easily have been bankrupted trying to recover from this kind of an attack, Kubecka said.
If Kubecka could do things over, she would have emphasized collaboration more and gone in with a better understanding of the company's culture. Corporate culuture can affect how decisions are made and how employees work together. Humans can change, but culture awareness help pave the way.
“I should have gone in knowing more,” Kubecka said.
Aramco's annual revenues rival the economies of whole nations, and its sheer size was a unique advantage in its recovery. For example, the malware destroyed hard drives, which meant Aramco needed new hard drives, right away. It utilized its private fleet of airplanes to fly employees directly to factory floors in Southeast Asia and bought up every computer hard drive available. Aramco paid higher prices to get those 50,000 drives, temporarily driving up prices and halting shipments to other buyers around the world. Between September 2012 to January 2013, everyone who bought a computer or hard drive had to pay a “slightly higher price” because of Aramco, Kubecka said.
While the IT team could have just reused and rebuilt the wiped drives instead of buying up the world's supply, Aramco decided trying to recover data or figuring out what was usable would be too time-consuming, Kubecka said. Time was of essence, and buying all the hard drives was the fastest method, she said.
It took five months, but Saudi Aramco came back online. The most valuable company in the world was knowcked down temporarily, but it showed it could reover, Kubecka said. “It was a challenge,” Kubecka said.
Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio