After nearly a month, the cyber attack on Saudi Aramco continues to attract the attention of infosec professionals. If you still doubt that human beings are the most dangerous vector for targeted attacks, you should read this article by Reuters: according to anonymous internal sources familiar with the company’s investigation (six firms with expertise in hacking attacks have been hired, bringing in dozens of outside experts to investigate the attack and repair computers), one or more insiders with high-level access are suspected of having assisted the hackers who damaged 30,000 computers at Saudi Arabia’s national oil company last month.
So, apparently, it looks as though Shamoon, in order to unleash its destructive rage, was assisted by an internal mole, “someone who had inside knowledge and inside privileges within the company”, according to sources familiar with the company. This sounds a little strange, and apparently contrasts with the fact that some coding errors inside the malware seemed a priori to exclude a “state-sponsored” origin for the attack: it is really hard to picture an amateurish operation that also relies on an internal saboteur.
So far, two different groups have claimed responsibility for the cyber attack: The Cutting Sword of Justice and the Arab Youth Group, motivating the action with political reasons against what they call the Al-Saud corrupt regime (sic). In any case, neither of them mentioned internal assistance in carrying out the attack.
Meanwhile the saga continues: other oil companies have been hit by the same malware (Qatar’s RasGas), and Symantec, a few days ago, reported news of further attacks by W32.Disttrack (Symantec’s name for the threat vector inside Shamoon). I wonder whether internal moles were involved in those cases too.
Yesterday Saudi Aramco issued a public statement declaring that it has repaired most of the damage and restored all of its main internal network services affected by the cyber attack of August 15, 2012 (or the “malicious virus”, to use the company’s own term).
In the same statement, the company disclosed the real extent of the attack, confirming what was reported in my original blog post: the malicious virus originated from external sources and affected about 30,000 workstations (out of a total of 40,000).
The light at the end of the cyber tunnel seems quite close, since the company has stated that the workstations have been cleaned and restored to service. Some restrictions are however still in place: as a precaution, remote Internet access to online resources is still restricted, and the website aramco.com is offline, showing a courtesy page in which the company confirms that all its electronic systems are isolated from outside access.
You will probably remember that the attack occurred almost at the same time as the discovery of the latest Middle East malware, Shamoon, tailored to target companies in the energy sector, and the two were consequently linked. At the beginning, security researchers believed they had found a brand new cyber weapon in the Middle East, but some coding errors found inside the malicious program have convinced the community that Shamoon is not the work of experienced cyber weapons programmers (anyway, I believe that if Shamoon really is the source of Saudi Aramco’s troubles, 30,000 erased computers is a respectable result for a team of amateur programmers).
But even if the situation is close to normal, hackers all over the world continue to threaten the company: a couple of days ago, an isolated group posted a new menace to Aramco, announcing a new attack for the 25th of August at 21:00 GMT. Even though the aramco.com website is still offline, this does not seem to be the effect of the latest alleged cyber attack: the hackers have posted today, Monday 29 August (sic), a new statement containing the results of their action (several passwords for internal routers and a couple of accounts), but it looks lame and not very convincing.
Update August 17: More details about Shamoon, the malware targeting Saudi Aramco and other Middle East companies in the energy sector. Apparently the destructive details unveiled yesterday are confirmed.
Update August 27: Saudi Aramco admits 30K workstations affected.
I have just received a couple of tweets from an unknown user @cyberstrikenews providing more details about the latest cyber attack in the Middle East, targeting the Saudi Arabian Oil Company (Saudi Aramco).
(@cyberstrikenews) August 16, 2012
The oil company declared that “production had not been affected” and that even if the virus affected some computers, it did not penetrate key components of the network. The company also said it would return to normal operating mode soon.
From the information I have received (I cannot verify the integrity of the source, so I report the data in full), the situation appears quite different:
- The company has about 40,000 computer clients and about 2,000 servers; the destructive virus is known to have wiped all information and operating-system-related files on at least 30,000 (75%) of them, with all data lost permanently.
- Among the servers that (were) destroyed are the company’s main web server, mail server (SMTP and Exchange), and the domain controller, which is the central part of their network.
- All clients are permanently shut down and they will not be able to recover them within a short period.
- The main company web site ( http://www.aramco.com ) was down for 24 hours, and in the end they redirected it to a web site hosted in another country called “www.saudiaramco.com”.
Apparently the web site has just been restored to normal operation, redirecting users to Saudi Aramco.
After Stuxnet, Duqu, Flame and Gauss, yet another confirmation that there is no cyber peace in the Middle East!