Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Inside The Aftermath Of The Saudi Aramco Breach

Former security advisor to the oil giant describes the days following the Armageddon-style cyberattack that wiped the hard drives of tens of thousands of computers.

BLACK HAT USA -- Las Vegas -- Three years ago, one of the largest companies in the world was rocked by a massive cyberattack. “Armageddon” was averted as the company swiftly mounted a recovery effort, the former security advisor told Black Hat USA attendees here Thursday.

“You can recover,” said Chris Kubecka, a consultant who was brought in to set up a security operation after the attack by Saudi Aramco, the state-owned national oil company of Saudi Arabia and the world's largest exporter of crude oil. Her job was to help secure all the satellite offices in Africa, Europe, and the Middle East.

Three years ago, malware partially wiped or totally destroyed the hard drives of 35,000 Aramco computers. Saudi Aramco employees first noticed something was wrong on Aug. 15, 2012, as files disappeared and computers started to fail. A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, which lasted just a few hours, citing the company's support of Saudi Arabia's royal family.

The IT staff immediately disconnected all the systems and the data centers to stop the malware, which researchers since then have named Distrack -- aka Shamoon -- from travelling through the network. Every office was physically unplugged from the Internet, taking the company offline and isolating it from the rest of the world.

Imagine the modern office, and then turn everything off, Kubecka said. “No emails, no phones, nothing,” she said. While oil production—drilling and pumping—remained unaffected because those were automated, the rest of the business went old-school. Everything was on paper, whether it was managing supplies, tracking shipment, or handling contracts with partners and governments. Employees used typewriters and fax machines. The IT staff had to figure out where to go to buy the fax machines, she said.

The IT shutdown meant all the payment systems were affected. There were miles of gasoline tank trucks that needed refills, but could not get paid, Kubecka said. Most people may never have heard of Saudi Aramco, which supplies 9.4 million barrels of oil a day, but with this attack, 10 percent of the world's supply was at risk, she said.

The irony of it all was that Saudi Aramco had invested heavily in securing the industrial control systems from cyberattacks, but the attackers crippled the company by targeting desktops, mail servers, and other Windows systems.

“IT got pwned,” Kubecka said.

Despite all the time and resources devoted to the investigation and forensics, some things remain a mystery. The two-pronged attack began during the Islamic holy month of Ramadan, which is a “great time to attack,” because half of IT and security teams take time off for religious observances, Kubecka said. The attackers got in because a Saudi Aramco employee clicked on a link in a spear-phishing email, but investigators still do not know when the email was sent, Kubecka said.

As part of the recovery effort, the company assembled the best team staffed with international—Kubecka was living in the Netherlands at the time—and domestic experts to set up a new and secure network, expand the cybersecurity team, and build a security operations center in Saudi Arabia. Continuous monitoring gave the security team the most up-to-date understanding of the environment, making it possible for IT to become more proactive.

The cybersecurity team complemented the IT team. IT professionals have a different set of skills than security professionals, and a successful security program needs both, Kubecka said. The security professionals “need a tinge of evil” because they are grey hackers, the good guys who know how to think like the bad guys do.

It was a tremendously expensive recovery, considering Aramco had to build a security operations center from scratch and recruit its team. The last place a company should be cutting costs is when assembling the security team.

A smaller corporation could easily have been bankrupted trying to recover from this kind of an attack, Kubecka said.

If Kubecka could do things over, she would have emphasized collaboration more and gone in with a better understanding of the company's culture. Corporate culuture can affect how decisions are made and how employees work together. Humans can change, but culture awareness help pave the way.

“I should have gone in knowing more,” Kubecka said.

Aramco's annual revenues rival the economies of whole nations, and its sheer size was a unique advantage in its recovery. For example, the malware destroyed hard drives, which meant Aramco needed new hard drives, right away. It utilized its private fleet of airplanes to fly employees directly to factory floors in Southeast Asia and bought up every computer hard drive available. Aramco paid higher prices to get those 50,000 drives, temporarily driving up prices and halting shipments to other buyers around the world. Between September 2012 to January 2013, everyone who bought a computer or hard drive had to pay a “slightly higher price” because of Aramco, Kubecka said.

While the IT team could have just reused and rebuilt the wiped drives instead of buying up the world's supply, Aramco decided trying to recover data or figuring out what was usable would be too time-consuming, Kubecka said. Time was of essence, and buying all the hard drives was the fastest method, she said.

It took five months, but Saudi Aramco came back online. The most valuable company in the world was knowcked down temporarily, but it showed it could reover, Kubecka said. “It was a challenge,” Kubecka said.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
TerryB
0%
100%
TerryB,
User Rank: Ninja
8/10/2015 | 1:03:41 PM
Duh
Two words: Backups. ERP

Worst case scenario should have been losing data since previous nights backup. Sounds like they were using MS Word and Quickbooks to run the business. What a joke.
ichihi
50%
50%
ichihi,
User Rank: Apprentice
9/12/2015 | 10:42:27 AM
Re: Duh
Actually, Saudi Aramco run the largest SAP installation in the world.  Did you really think that exploring, extracting, processing and shipping 10% of oil supplies could be managed with toys like Excel?
DarwinC123
50%
50%
DarwinC123,
User Rank: Strategist
8/13/2015 | 2:09:37 PM
analysis
Is there a white paper / analysis of the attack?  I would like to read a lessons learned.  We had an attack a few years ago, that took advantage of the fact that IT Techs had computer/domain admin access.  Once it infected the admins, game over.  It used that access to spread to the rest of the network. We were off the internet for a few days.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-14174
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to view titles of a private project via an Insecure Direct Object References (IDOR) vulnerability in the Administration Permission Helper. The affected versions are before version 7.13.6, from version 8.0.0 before 8.5....
CVE-2019-20901
PUBLISHED: 2020-07-13
The login.jsp resource in Jira before version 8.5.2, and from version 8.6.0 before version 8.6.1 allows remote attackers to redirect users to a different website which they may use as part of performing a phishing attack via an open redirect in the os_destination parameter.
CVE-2019-20898
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to access sensitive information without being authenticated in the Global permissions screen. The affected versions are before version 8.8.0.
CVE-2019-20899
PUBLISHED: 2020-07-13
The Gadget API in Atlassian Jira Server and Data Center in affected versions allows remote attackers to make Jira unresponsive via repeated requests to a certain endpoint in the Gadget API. The affected versions are before version 8.5.4, and from version 8.6.0 before 8.6.1.
CVE-2019-20900
PUBLISHED: 2020-07-13
Affected versions of Atlassian Jira Server and Data Center allow remote attackers to inject arbitrary HTML or JavaScript via a cross site scripting (XSS) vulnerability in the Add Field module. The affected versions are before version 8.7.0.