Saudi Aramco recovers from cyber attack
Attack attributed to Shamoon malware took down 30,000 workstations
Saudi Aramco says it has largely recovered from a computer malware attack that shut down around three in four of the company’s computers and disrupted the company’s non-core activities since 15 August.
“Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations,” the world’s largest oil producer confirmed in an online statement. “The workstations have since been cleaned and restored to service. As a precaution, remote Internet access to online resources was restricted.”
Reuters reports that emails to Aramco addresses have been returned unsent.
Aramco said employees returned to work on Saturday 25 August, following the Eid holidays, resuming normal business.
The company confirmed that its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated.
“We addressed the threat immediately, and our precautionary procedures, which have been in place to counter such threats, and our multiple protective systems, have helped to mitigate these deplorable cyber threats from spiraling,” said Khalid Al-Falih, president and CEO, Saudi Aramco.
“Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack,” Al-Falih added.
Thousands of Aramco computers were disabled when a timer within a piece of malware that had spread across the company’s systems triggered a command to delete certain parts from infected computer drives simultaneously at 08:08 UTC. Cyber security analysts widely reckon the malware to be a new threat called Shamoon.
Aramco employees took to social networking sites shortly afterward to complain that they had lost work and their workstations were inoperable.
A group called "Cutting Sword of Justice" has claimed responsibility for the attack. In a separate internet posting, another group said it would attack Aramco again on 25 August at 21:00 UTC. No separate attack was reported by Aramco.
Internet security firm Kaspersky has dubbed Shamoon "a copycat, the work of a script kiddies."
Security analyst Jeffrey Carr, the author of Inside Cyber Warfare, has reported that a USB stick inserted into a workstation at one of Aramco's global offices outside Saudi Arabia was the source of the attack, which would have circumvented Aramco’s antivirus and firewall protections.
Carr, citing unnamed Aramco insiders, has posted details of alleged security shortcomings at Aramco.
“We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever,” said Al-Falih. “We will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack.”