Security Experts:

Insiders Suspected in Aramco Attack

Reuters is reporting that insiders were partly responsible for the Aramco attack, citing sources close to the investigation. In August, Aramco, Saudi Arabia’s national oil company and the world’s largest oil producer, had to contend with a malware outbreak that hit 30,000 systems in a single go.

According to Reuters’ Jim Finkle, insiders with high-level access to Aramco’s network helped attackers target the organization. The story cites sources familiar with the company’s ongoing investigation, who said the attack was made possible by “someone who had inside knowledge and inside privileges within the company.”


The early August attack drew attention because the malware itself appeared to have been created solely for this campaign, and the Aramco incident has been described as the largest malware-based attack on a single organization to date. The malware used in the attack, Shamoon, is highly destructive and hard to get rid of: it overwrites files and the master boot record of infected machines, so recovery means rebuilding each affected system rather than simply removing an infection. It took Aramco two weeks to recover.

In a statement shortly after the cleanup, the company said that “...oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected...” by the attack, but that it had been forced to take down its network to prevent the malware from spreading further.

Reuters’ exclusive is here. Additional information on Shamoon is available from Kaspersky and Symantec.

Todd Lewellen, an information systems security analyst for the CERT Insider Threat Center, wrote an interesting post today on the subject of insider threats.

“No industry sector is exempt from experiencing damage at the hands of malicious insiders,” Lewellen wrote. “Regardless of the sector your organization operates within, it is important that you protect it from damaging attacks that may come from your own employees.”

CERT also recently released its CERT Guide to Insider Threats, a book that includes several examples of insider threat cases and analyses from over 10 years of insider threat research. That can be found here.

Symantec also published an interesting report on the psychology of the insider threat back in December 2011. The report, “Behavioral Risk Indicators of Malicious Insider Theft of Intellectual Property: Misreading the Writing on the Wall,” examined insider breaches to get a sense not only of how insiders steal data, but of who does it and why. More on that can be found here.

Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.