Attack Against Saudi Oil Company: Government Or Hacktivists?


An especially insidious cyberattack against a Saudi oil company reinforces the vulnerability of corporate assets to those seeking to communicate their political objections. And, some speculation points to Iran as the source of the attack.

The attack actually occurred on Aug. 15 by a group that calls itself the "Cutting Sword of Justice," which issued a Pastebin post last week that reads, in part, as follows:

"We, behalf of an anti-oppression hacker group that have been fed up of crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt and ..., and also of dual approach of the world community to these nations, want to hit the main supporters of these disasters by this action."

[Related: Anonymous Targets British Websites in Support of Assange]

It went on to say that "In the first step, an action was performed against Aramco company, as the largest financial source for Al-Saud regime. In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sended a malicious virus to destroy thirty thousand computers networked in this company. The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM [Arabia Standard Time] and will be completed within a few hours."

The group further explained that the attack was intended to be a warning to countries that support injustice and oppression, and it invited other groups to join its cause.

It's now reported that a similar attack is scheduled to take place on Saturday at 9 p.m. GMT.

Although the extent of the damage of the Aramco attack is unclear, CRN notes that the company's website was unresponsive as of Thursday afternoon PST, and Kaspersky's ThreatPost blog claims the site has been offline for more than a week.

Aramco has been reporting to say that the site has been taken offline as a precautionary measure.

The Kaspersky blog asserts that the attack "included a malware infection as well as a subsequent DDoS attack on the Web sites, destroyed data on 30,000 machines" and may also have destroyed the machines, themselves.

Meanwhile, there is widespread speculation that the Shamoon malware was the primary weapon. Discussion on Shamoon began last Thursday when Kasperksy Lab said that they were analyzing samples with "odd and puzzling characteristics," including one module that had the name, "wiper" embedded in it. This led to speculation that the module could be related to "Skywiper," a piece of malware that is known for erasing files. But, Kaspersky also reports characteristics that pointed in other directions, including the discovery of a time stamp hard-coded into Shamoon that matched the time of the Aramco attack.

While the precise source of the attack remains a mystery, cybersecurity analyst Jeffrey Carr reports speculation that the attack may be coming from Iran in retaliation against Saudi Arabia for increasing its oil production at a time when Iran is reducing its production in response to economic sanctions imposed against Iran by the U.S. and European Union.

PUBLISHED AUG. 23, 2012