Attacks/Breaches

Inside The Aftermath Of The Saudi Aramco Breach

Former security advisor to the oil giant describes the days following the Armageddon-style cyberattack that wiped the hard drives of tens of thousands of computers.

BLACK HAT USA -- Las Vegas -- Three years ago, one of the largest companies in the world was rocked by a massive cyberattack. “Armageddon” was averted as the company swiftly mounted a recovery effort, the former security advisor told Black Hat USA attendees here Thursday.

“You can recover,” said Chris Kubecka, a consultant who was brought in to set up a security operation after the attack by Saudi Aramco, the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. Her job was to help secure all the satellite offices in Africa, Europe, and the Middle East.

Three years ago, malware partially wiped or totally destroyed the hard drives of 35,000 Aramco computers. Saudi Aramco employees first noticed something was wrong on Aug. 15, 2012, as files disappeared and computers started to fail. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, which lasted just a few hours, citing the company's support of Saudi Arabia's royal family.

The IT staff immediately disconnected all the systems and the data centers to stop the malware, which researchers since then have named Distrack -- aka Shamoon -- from travelling through the network. Every office was physically unplugged from the Internet, taking the company offline and isolating it from the rest of the world.

Imagine the modern office, and then turn everything off, Kubecka said. “No emails, no phones, nothing,” she said. While oil production—drilling and pumping—remained unaffected because those were automated, the rest of the business went old-school. Everything was on paper, whether it was managing supplies, tracking shipment, or handling contracts with partners and governments. Employees used typewriters and fax machines. The IT staff had to figure out where to go to buy the fax machines, she said.

The IT shutdown meant all the payment systems were affected. There were miles of gasoline tank trucks that needed refills, but could not get paid, Kubecka said. Most people may never have heard of Saudi Aramco, which supplies 9.4 million barrels of oil a day, but with this attack, 10 percent of the world's supply was at risk, she said.

The irony of it all was that Saudi Aramco had invested heavily in securing the industrial control systems from cyberattacks, but the attackers crippled the company by targeting desktops, mail servers, and other Windows systems.

“IT got pwned,” Kubecka said.

Despite all the time and resources devoted to the investigation and forensics, some things remain a mystery. The two-pronged attack began during the Islamic holy month of Ramadan, which is a “great time to attack,” because half of IT and security teams take time off for religious observances, Kubecka said. The attackers got in because a Saudi Aramco employee clicked on a link in a spear-phishing email, but investigators still do not know when the email was sent, Kubecka said.

As part of the recovery effort, the company assembled the best team staffed with international—Kubecka was living in the Netherlands at the time—and domestic experts to set up a new and secure network, expand the cybersecurity team, and build a security operations center in Saudi Arabia. Continuous monitoring gave the security team the most up-to-date understanding of the environment, making it possible for IT to become more proactive.

The cybersecurity team complemented the IT team. IT professionals have a different set of skills than security professionals, and a successful security program needs both, Kubecka said. The security professionals “need a tinge of evil” because they are grey hackers, the good guys who know how to think like the bad guys do.

It was a tremendously expensive recovery, considering Aramco had to build a security operations center from scratch and recruit its team. The last place a company should be cutting costs is when assembling the security team.

A smaller corporation could easily have been bankrupted trying to recover from this kind of an attack, Kubecka said.

If Kubecka could do things over, she would have emphasized collaboration more and gone in with a better understanding of the company's culture. Corporate culuture can affect how decisions are made and how employees work together. Humans can change, but culture awareness help pave the way.

“I should have gone in knowing more,” Kubecka said.

Aramco's annual revenues rival the economies of whole nations, and its sheer size was a unique advantage in its recovery. For example, the malware destroyed hard drives, which meant Aramco needed new hard drives, right away. It utilized its private fleet of airplanes to fly employees directly to factory floors in Southeast Asia and bought up every computer hard drive available. Aramco paid higher prices to get those 50,000 drives, temporarily driving up prices and halting shipments to other buyers around the world. Between September 2012 to January 2013, everyone who bought a computer or hard drive had to pay a “slightly higher price” because of Aramco, Kubecka said.

While the IT team could have just reused and rebuilt the wiped drives instead of buying up the world's supply, Aramco decided trying to recover data or figuring out what was usable would be too time-consuming, Kubecka said. Time was of essence, and buying all the hard drives was the fastest method, she said.

It took five months, but Saudi Aramco came back online. The most valuable company in the world was knowcked down temporarily, but it showed it could reover, Kubecka said. “It was a challenge,” Kubecka said.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ichihi
50%
50%
ichihi,
User Rank: Apprentice
9/12/2015 | 10:42:27 AM
Re: Duh
Actually, Saudi Aramco run the largest SAP installation in the world.  Did you really think that exploring, extracting, processing and shipping 10% of oil supplies could be managed with toys like Excel?
DarwinC123
50%
50%
DarwinC123,
User Rank: Strategist
8/13/2015 | 2:09:37 PM
analysis
Is there a white paper / analysis of the attack?  I would like to read a lessons learned.  We had an attack a few years ago, that took advantage of the fact that IT Techs had computer/domain admin access.  Once it infected the admins, game over.  It used that access to spread to the rest of the network. We were off the internet for a few days.
TerryB
0%
100%
TerryB,
User Rank: Ninja
8/10/2015 | 1:03:41 PM
Duh
Two words: Backups. ERP

Worst case scenario should have been losing data since previous nights backup. Sounds like they were using MS Word and Quickbooks to run the business. What a joke.
It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/12/2019
Cybercriminals Think Small to Earn Big
Dark Reading Staff 3/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: LOL  Hope this one wins
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6149
PUBLISHED: 2019-03-18
An unquoted search path vulnerability was identified in Lenovo Dynamic Power Reduction Utility prior to version 2.2.2.0 that could allow a malicious user with local access to execute code with administrative privileges.
CVE-2018-15509
PUBLISHED: 2019-03-18
Five9 Agent Desktop Plus 10.0.70 has Incorrect Access Control (issue 2 of 2).
CVE-2018-20806
PUBLISHED: 2019-03-17
Phamm (aka PHP LDAP Virtual Hosting Manager) 0.6.8 allows XSS via the login page (the /public/main.php action parameter).
CVE-2019-5616
PUBLISHED: 2019-03-15
CircuitWerkes Sicon-8, a hardware device used for managing electrical devices, ships with a web-based front-end controller and implements an authentication mechanism in JavaScript that is run in the context of a user's web browser.
CVE-2018-17882
PUBLISHED: 2019-03-15
An Integer overflow vulnerability exists in the batchTransfer function of a smart contract implementation for CryptoBotsBattle (CBTB), an Ethereum token. This vulnerability could be used by an attacker to create an arbitrary amount of tokens for any user.