After nearly a month, the Cyber Attack to Saudi Aramco continues to attract the attentions of Infosec Professionals. If you still have doubts about the fact the human beings are the most dangerous forms of targeted attacks, you should read this article by Reuters: according to internal anonymous sources familiar with the company’s investigation (six firms with expertise in hacking attacks have been hired, bringing in dozens of outside experts to investigate the attack and repair computers), one or more insiders with high-level access are suspected of having assisted the hackers who damaged 30,000 computers at Saudi Arabia’s national oil company last month.
So, apparently, it looks like that Shamoon, in order to unleash its destructive rage, was assisted by an internal mole, “someone who had inside knowledge and inside privileges within the company” according to sources familiar with the company. An event which sounds a little strange, and apparently in contrast with the fact that some coding errors inside the malware seemed a priori to exclude a “state-sponsored” origin for the attack: it is really hard to think about an amateurish operation involving an internal saboteur.
So far, two different groups claimed the responsibility of the cyber attack: The Cutting Sword of Justice and Arab Youth Group, motivating the action with political reasons against what they call Al-Saud corrupt regime (sic). In any case, none of them mentioned an internal assistance for successfully carrying on the attack.
Meanwhile the saga continues, other Oil companies have been hit (Quatari RasGas) by the same malware, and Symantec, few days ago, has reported news of further attacks of W32.Disstrack (Symantec’s Name for the threat vector inside the Shamoon). I wonder if internal moles were involved also in those cases.
Yesterday Bloomberg reported the news of a new cyber attack in Middle East targeting an Oil Company. The latest victim is Ras Laffan Liquefied Natural Gas Co., a Qatari LNG producer that has shut down part of its computer systems targeted by an unidentified malware since Aug. 27.
According to the scant official information available, desktop computers in company offices were the only affected, while operational systems at onshore and offshore installations were immune, with no impact on production or cargoes.
Of course it is impossible to avoid a parallelism with the cyber attack targeting Saudi Aramco a couple of weeks ago, and the 30,000 workstations that the company admitted to have been targeted (and restored only few days ago) by this malware outbreak. It is also impossible not to mention the infamous Shamoon, the brand new malware discovered in Middle East that information security community immediately connected to the Saudi Aramco cyber incident, furthermore stating (by literally quoting Symantec’s blog):
W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector.
The Ras Raffan cyber attack maybe provides a partial answer to the question regarding who else might have been affected by Shamoon (I wonder if we will soon learn of other companies targeted) and even if security researchers have not confirmed, so far, the connection between Shamoon and this latest attack, the first speculations on regard have already appeared. According to the WSJ, the RasGas information technology department identified the virus as Shamoon, stating that:
Following the virus attack, some “computers are completely dead”.
The Middle East is considered the Cradle of Civilization, but I am afraid that, in this 21st century, it is becoming the “Cradle of Cyber War”. And even if you consider Shamoon just an amateurish copycat (with no cyberwar intentions), you cannot ignore that the latest research according to which even Wiper is a son of the so-called Tilded Platform (the same malware platform that originated Stuxnet, Duqu and Flame).
This cannot be considered a mere coincidence.