Last week Saudi Arabia’s oil company, Saudi Aramco, announced that its systems and internal network had been the victims of a cyber attack. The company has since given more information on the incident, declaring that its systems are back up after an attack by a virus that infected 30,000 workstations.
All the servers have been cleaned and restored, and all activities were back to normal on Saturday. The good news is that the production environment wasn’t affected by the attack because it runs on a totally isolated network; this information provided by the company indicates that the attack came through the Internet and not internal channels.
The company attributes the incident to a “malicious virus that originated from external sources”, but the origin of the attack and the motivations behind it remain a mystery. For these reasons, all Internet access to internal resources has been redesigned and restricted.
What is interesting is that the company hasn’t mentioned the group of hackers who claimed responsibility for the hack. Khalid A. Al-Falih, president and CEO of Saudi Aramco, said:
“Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack,”
Several groups have claimed to have attacked the company, such as the “Cutting Sword of Justice” and the “Arab Youth Group”. The group named Cutting Sword of Justice claimed the attack on the Pastebin site, announcing that it had sent the virus to destroy 30,000 computers of the company, which it holds responsible for support for “crimes and atrocities” against citizens in Syria, Egypt, Lebanon and other countries in the area.
According to an article published by Jeffrey Carr, CEO of Taia Global, the Arab Youth Group uses terms like “evil Al-Saud” and “Al-Saud traitors” and specifically refers to Lebanon and the Forqan War (aka Operation Cast Lead, 12/2008-1/2009), in which at least one Iranian hacker crew – the Ashiyane Security Group – participated.
The second group, the Cutting Sword of Justice, posted several messages containing proof of the attack, such as the list of compromised IP addresses of servers. Analyzing the way they wrote the posts, it is possible to note that they made no religious proclamations and focused their statements on a political concept like “tyranny”.
What is singular is that they also posted the start date and time, which corresponds to the code string found in the Shamoon malware, a virus used not only with the intent to spy on victims but also to destroy them by making their machines unusable. According to the expert, the two groups appear to be separate and are the main parties responsible for the attack.
According to Carr, Hezbollah, a Shi’a militant group based in Lebanon, is very close to Iran, receiving financial and political support from the government of Teheran. Hezbollah includes in its ranks hackers who may have been recruited to take part in cyber operations like this.
According to this Arabic website, up to 70 Aramco employees, including Lebanese Shi’a, are being investigated for involvement in the attack.
The real reason behind the attack appears to be the dispute between Iran and Saudi Aramco over the oil embargo placed upon Iran by the U.S. and the European Union on July 1st, 2012.
Teheran’s response to the embargo is the threat to close the Strait of Hormuz, but many experts are sure that Iran is also financing cyber attacks to destroy companies such as Saudi Aramco that are supporting the penalties against the country.
For the reasons given, it is reasonable to assume that Iran is one of the main suspects for the attack on the oil company.
We must get used to this kind of event, which rarely reveals who is really responsible but is capable of causing considerable damage.
(Security Affairs – Saudi Aramco, Shamoon)