Attacks/Breaches

8/8/2015
03:30 PM
50%
50%

Inside The Aftermath Of The Saudi Aramco Breach

Former security advisor to the oil giant describes the days following the Armageddon-style cyberattack that wiped the hard drives of tens of thousands of computers.

BLACK HAT USA -- Las Vegas -- Three years ago, one of the largest companies in the world was rocked by a massive cyberattack. “Armageddon” was averted as the company swiftly mounted a recovery effort, the former security advisor told Black Hat USA attendees here Thursday.

“You can recover,” said Chris Kubecka, a consultant who was brought in to set up a security operation after the attack by Saudi Aramco, the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. Her job was to help secure all the satellite offices in Africa, Europe, and the Middle East.

Three years ago, malware partially wiped or totally destroyed the hard drives of 35,000 Aramco computers. Saudi Aramco employees first noticed something was wrong on Aug. 15, 2012, as files disappeared and computers started to fail. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, which lasted just a few hours, citing the company's support of Saudi Arabia's royal family.

The IT staff immediately disconnected all the systems and the data centers to stop the malware, which researchers since then have named Distrack -- aka Shamoon -- from travelling through the network. Every office was physically unplugged from the Internet, taking the company offline and isolating it from the rest of the world.

Imagine the modern office, and then turn everything off, Kubecka said. “No emails, no phones, nothing,” she said. While oil production—drilling and pumping—remained unaffected because those were automated, the rest of the business went old-school. Everything was on paper, whether it was managing supplies, tracking shipment, or handling contracts with partners and governments. Employees used typewriters and fax machines. The IT staff had to figure out where to go to buy the fax machines, she said.

The IT shutdown meant all the payment systems were affected. There were miles of gasoline tank trucks that needed refills, but could not get paid, Kubecka said. Most people may never have heard of Saudi Aramco, which supplies 9.4 million barrels of oil a day, but with this attack, 10 percent of the world's supply was at risk, she said.

The irony of it all was that Saudi Aramco had invested heavily in securing the industrial control systems from cyberattacks, but the attackers crippled the company by targeting desktops, mail servers, and other Windows systems.

“IT got pwned,” Kubecka said.

Despite all the time and resources devoted to the investigation and forensics, some things remain a mystery. The two-pronged attack began during the Islamic holy month of Ramadan, which is a “great time to attack,” because half of IT and security teams take time off for religious observances, Kubecka said. The attackers got in because a Saudi Aramco employee clicked on a link in a spear-phishing email, but investigators still do not know when the email was sent, Kubecka said.

As part of the recovery effort, the company assembled the best team staffed with international—Kubecka was living in the Netherlands at the time—and domestic experts to set up a new and secure network, expand the cybersecurity team, and build a security operations center in Saudi Arabia. Continuous monitoring gave the security team the most up-to-date understanding of the environment, making it possible for IT to become more proactive.

The cybersecurity team complemented the IT team. IT professionals have a different set of skills than security professionals, and a successful security program needs both, Kubecka said. The security professionals “need a tinge of evil” because they are grey hackers, the good guys who know how to think like the bad guys do.

It was a tremendously expensive recovery, considering Aramco had to build a security operations center from scratch and recruit its team. The last place a company should be cutting costs is when assembling the security team.

A smaller corporation could easily have been bankrupted trying to recover from this kind of an attack, Kubecka said.

If Kubecka could do things over, she would have emphasized collaboration more and gone in with a better understanding of the company's culture. Corporate culuture can affect how decisions are made and how employees work together. Humans can change, but culture awareness help pave the way.

“I should have gone in knowing more,” Kubecka said.

Aramco's annual revenues rival the economies of whole nations, and its sheer size was a unique advantage in its recovery. For example, the malware destroyed hard drives, which meant Aramco needed new hard drives, right away. It utilized its private fleet of airplanes to fly employees directly to factory floors in Southeast Asia and bought up every computer hard drive available. Aramco paid higher prices to get those 50,000 drives, temporarily driving up prices and halting shipments to other buyers around the world. Between September 2012 to January 2013, everyone who bought a computer or hard drive had to pay a “slightly higher price” because of Aramco, Kubecka said.

While the IT team could have just reused and rebuilt the wiped drives instead of buying up the world's supply, Aramco decided trying to recover data or figuring out what was usable would be too time-consuming, Kubecka said. Time was of essence, and buying all the hard drives was the fastest method, she said.

It took five months, but Saudi Aramco came back online. The most valuable company in the world was knowcked down temporarily, but it showed it could reover, Kubecka said. “It was a challenge,” Kubecka said.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ichihi
50%
50%
ichihi,
User Rank: Apprentice
9/12/2015 | 10:42:27 AM
Re: Duh
Actually, Saudi Aramco run the largest SAP installation in the world.  Did you really think that exploring, extracting, processing and shipping 10% of oil supplies could be managed with toys like Excel?
DarwinC123
50%
50%
DarwinC123,
User Rank: Strategist
8/13/2015 | 2:09:37 PM
analysis
Is there a white paper / analysis of the attack?  I would like to read a lessons learned.  We had an attack a few years ago, that took advantage of the fact that IT Techs had computer/domain admin access.  Once it infected the admins, game over.  It used that access to spread to the rest of the network. We were off the internet for a few days.
TerryB
0%
100%
TerryB,
User Rank: Ninja
8/10/2015 | 1:03:41 PM
Duh
Two words: Backups. ERP

Worst case scenario should have been losing data since previous nights backup. Sounds like they were using MS Word and Quickbooks to run the business. What a joke.
Register for Dark Reading Newsletters
Dark Reading Live EVENTS
INsecurity - For the Defenders of Enterprise Security
A Dark Reading Conference
While red team conferences focus primarily on new vulnerabilities and security researchers, INsecurity puts security execution, protection, and operations center stage. The primary speakers will be CISOs and leaders in security defense; the blue team will be the focus.
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Darn - typed UNICORN instead of UNICODE.  
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
[Strategic Security Report] How Enterprises Are Attacking the IT Security Problem
Enterprises are spending more of their IT budgets on cybersecurity technology. How do your organization's security plans and strategies compare to what others are doing? Here's an in-depth look.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.