Attacks/Breaches

8/8/2015
03:30 PM
50%
50%

Inside The Aftermath Of The Saudi Aramco Breach

Former security advisor to the oil giant describes the days following the Armageddon-style cyberattack that wiped the hard drives of tens of thousands of computers.

BLACK HAT USA -- Las Vegas -- Three years ago, one of the largest companies in the world was rocked by a massive cyberattack. “Armageddon” was averted as the company swiftly mounted a recovery effort, the former security advisor told Black Hat USA attendees here Thursday.

“You can recover,” said Chris Kubecka, a consultant who was brought in to set up a security operation after the attack by Saudi Aramco, the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. Her job was to help secure all the satellite offices in Africa, Europe, and the Middle East.

Three years ago, malware partially wiped or totally destroyed the hard drives of 35,000 Aramco computers. Saudi Aramco employees first noticed something was wrong on Aug. 15, 2012, as files disappeared and computers started to fail. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, which lasted just a few hours, citing the company's support of Saudi Arabia's royal family.

The IT staff immediately disconnected all the systems and the data centers to stop the malware, which researchers since then have named Distrack -- aka Shamoon -- from travelling through the network. Every office was physically unplugged from the Internet, taking the company offline and isolating it from the rest of the world.

Imagine the modern office, and then turn everything off, Kubecka said. “No emails, no phones, nothing,” she said. While oil production—drilling and pumping—remained unaffected because those were automated, the rest of the business went old-school. Everything was on paper, whether it was managing supplies, tracking shipment, or handling contracts with partners and governments. Employees used typewriters and fax machines. The IT staff had to figure out where to go to buy the fax machines, she said.

The IT shutdown meant all the payment systems were affected. There were miles of gasoline tank trucks that needed refills, but could not get paid, Kubecka said. Most people may never have heard of Saudi Aramco, which supplies 9.4 million barrels of oil a day, but with this attack, 10 percent of the world's supply was at risk, she said.

The irony of it all was that Saudi Aramco had invested heavily in securing the industrial control systems from cyberattacks, but the attackers crippled the company by targeting desktops, mail servers, and other Windows systems.

“IT got pwned,” Kubecka said.

Despite all the time and resources devoted to the investigation and forensics, some things remain a mystery. The two-pronged attack began during the Islamic holy month of Ramadan, which is a “great time to attack,” because half of IT and security teams take time off for religious observances, Kubecka said. The attackers got in because a Saudi Aramco employee clicked on a link in a spear-phishing email, but investigators still do not know when the email was sent, Kubecka said.

As part of the recovery effort, the company assembled the best team staffed with international—Kubecka was living in the Netherlands at the time—and domestic experts to set up a new and secure network, expand the cybersecurity team, and build a security operations center in Saudi Arabia. Continuous monitoring gave the security team the most up-to-date understanding of the environment, making it possible for IT to become more proactive.

The cybersecurity team complemented the IT team. IT professionals have a different set of skills than security professionals, and a successful security program needs both, Kubecka said. The security professionals “need a tinge of evil” because they are grey hackers, the good guys who know how to think like the bad guys do.

It was a tremendously expensive recovery, considering Aramco had to build a security operations center from scratch and recruit its team. The last place a company should be cutting costs is when assembling the security team.

A smaller corporation could easily have been bankrupted trying to recover from this kind of an attack, Kubecka said.

If Kubecka could do things over, she would have emphasized collaboration more and gone in with a better understanding of the company's culture. Corporate culuture can affect how decisions are made and how employees work together. Humans can change, but culture awareness help pave the way.

“I should have gone in knowing more,” Kubecka said.

Aramco's annual revenues rival the economies of whole nations, and its sheer size was a unique advantage in its recovery. For example, the malware destroyed hard drives, which meant Aramco needed new hard drives, right away. It utilized its private fleet of airplanes to fly employees directly to factory floors in Southeast Asia and bought up every computer hard drive available. Aramco paid higher prices to get those 50,000 drives, temporarily driving up prices and halting shipments to other buyers around the world. Between September 2012 to January 2013, everyone who bought a computer or hard drive had to pay a “slightly higher price” because of Aramco, Kubecka said.

While the IT team could have just reused and rebuilt the wiped drives instead of buying up the world's supply, Aramco decided trying to recover data or figuring out what was usable would be too time-consuming, Kubecka said. Time was of essence, and buying all the hard drives was the fastest method, she said.

It took five months, but Saudi Aramco came back online. The most valuable company in the world was knowcked down temporarily, but it showed it could reover, Kubecka said. “It was a challenge,” Kubecka said.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
ichihi
50%
50%
ichihi,
User Rank: Apprentice
9/12/2015 | 10:42:27 AM
Re: Duh
Actually, Saudi Aramco run the largest SAP installation in the world.  Did you really think that exploring, extracting, processing and shipping 10% of oil supplies could be managed with toys like Excel?
DarwinC123
50%
50%
DarwinC123,
User Rank: Strategist
8/13/2015 | 2:09:37 PM
analysis
Is there a white paper / analysis of the attack?  I would like to read a lessons learned.  We had an attack a few years ago, that took advantage of the fact that IT Techs had computer/domain admin access.  Once it infected the admins, game over.  It used that access to spread to the rest of the network. We were off the internet for a few days.
TerryB
0%
100%
TerryB,
User Rank: Ninja
8/10/2015 | 1:03:41 PM
Duh
Two words: Backups. ERP

Worst case scenario should have been losing data since previous nights backup. Sounds like they were using MS Word and Quickbooks to run the business. What a joke.
Data Privacy Careers Are Helping to Close the IT Gender Gap
Dana Simberkoff, Chief Risk, Privacy, and Information Security Officer, AvePoint, Inc.,  8/20/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15660
PUBLISHED: 2018-08-21
** DISPUTED ** An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions, then the attacker can read certain Ola Money data such as a credit card number, expiration date, bank account numbe...
CVE-2018-15661
PUBLISHED: 2018-08-21
** DISPUTED ** An issue was discovered in the Ola Money (aka com.olacabs.olamoney) application 1.9.0 for Android. If an attacker controls an application with accessibility permissions and the ability to read SMS messages, then the Forgot Password screen can be used to bypass authentication. NOTE: th...
CVE-2018-15481
PUBLISHED: 2018-08-21
Improper input sanitization within the restricted administration shell on UCOPIA Wireless Appliance devices using firmware version 5.1.x before 5.1.13 allows authenticated remote attackers to escape the shell and escalate their privileges by adding a LocalCommand to the SSH configuration file in the...
CVE-2018-15528
PUBLISHED: 2018-08-21
Reflected Cross-Site Scripting exists in the Java System Solutions SSO plugin 4.0.13.1 for BMC MyIT. A remote attacker can abuse this issue to inject client-side scripts into the "select_sso()" function. The payload is triggered when the victim opens a prepared /ux/jss-sso/arslogin?[XSS] l...
CVE-2018-15533
PUBLISHED: 2018-08-21
A reflected cross-site scripting vulnerability exists in Geutebrueck re_porter 16 before 7.8.974.20 by appending a query string to /modifychannel/exec or /images/*.png on TCP port 12005.