Saudi Arabia-based Aramco was attacked earlier this month by malware that targeted some 30,000 workstations. According to the state-owned group, which controls all of Saudi Arabia's oil production, the affected systems were cleaned up in short order, and oil production itself was not impacted.
The early August attack gained traction because the malware itself appeared to be created solely for this campaign. It has a Hollywood quality as well, given that 30,000 systems at the world’s largest oil production company were hit in a single sweep. Adding to that were the threats made by a group calling themselves the Cutting Sword of Justice, which warned that it would attack again on Saturday.
If they did launch a second attack, it failed. Most security pundits, however, lean towards the view that the warning was an empty threat, and that the subsequent messages (each one unsigned) discussing the attack came from glory hounds seeking their time in the spotlight. Despite the FUD associated with the story, however, Aramco was attacked, and it took the company two weeks to clean its network. The initial message on its Web site remains, despite a statement given to the media over the weekend.
“We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever,” Aramco’s CEO, Khalid al-Falih, said in a prepared statement.
Online, the company’s website simply tells visitors that everything is under control and that they are working to restore services to normal as soon as possible.
“We have isolated all our electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption which affected some sectors of our network,” the website’s greeting explains.
“The disruption was suspected to be the result of a virus that had infected personnel workstations without affecting the primary components of the network. The interruption is under control, we are working diligently to restore services to normal as soon as possible in a methodical approach.”
“This was not the first nor will it be the last illegal attempt to intrude into our systems,” al-Falih said.
Some reports have speculated that the malware used in the attack was Shamoon, a highly destructive cyber weapon that also contains the ability to siphon data from an infected host. Given the malware’s capabilities and the fact that it could have been developed for this particular attack, it may be entirely too early to call the coast clear.