Insiders exploiting privileged accounts likely behind Saudi Aramco attack

The New York Times noted that after analyzing the software code from the attack, security experts see a company insider with privileged access to Aramco’s network as the likely culprit. “The virus could have been carried on a USB memory stick that was inserted into a PC,” the paper noted.

“The attack pathway of the Saudi Aramco cyber-attack clearly points to administrative and privileged accounts as the priority target for attackers looking to infiltrate and damage critical infrastructure,” said Adam Bosnian, executive vice president at Cyber-Ark, in an email. He added, “an insider at the oil company used privileged access to unleash a computer virus to ‘initiate what is regarded as among the most destructive acts of computer sabotage on a company to date.’”

The Shamoon virus was deployed in August, erasing hard drive data on three-quarters of corporate PCs at Aramco, the world’s largest oil and gas company. Users looking for a document or spreadsheet instead found an image of a burning American flag. Fortunately, the attack affected only the company’s internal network – albeit 30,000 PCs – and not the systems that govern oil production. Still, the network was shut down for days, and employees are still prohibited from accessing the systems remotely.

Hackers calling themselves the “Cutting Sword of Justice” took responsibility for the action, saying that they were protesting Saudi Arabia’s coziness with the United States. But US intelligence officials have pinned the attack on Iran, with Secretary of Defense Leon E. Panetta going so far as to raise the specter of a dangerous, cyberwar-engendered infrastructure shutdown, a “cyber Pearl Harbor”, if the world did not take the warning shot seriously.

The New York Times reported that other clues suggest that insiders were to blame. For instance, the attack came as 55,000 Aramco employees stayed home to prepare for Lailat al Qadr, or the Night of Power, which celebrates the revelation of the Koran to Muhammad. That would have given an insider ample opportunity to physically load the virus when no one was around.

And was that insider working with Iran? A clue in the code could either be evidence that Iran was not involved, or could be a red herring meant to throw investigators off the trail. “Shamoon’s programmers inserted the word ‘Arabian Gulf’ into its code,” the paper noted. “But Iranians refer to that body of water as the Persian Gulf and are very protective of the name. (This year, Iran threatened to sue Google for removing the name Persian Gulf from its online maps.)”

Regardless, the forensics on the attack highlight a big security hole in enterprises worldwide. “Privileged and administrative accounts act as a gateway to any organization’s most sensitive information, which is why they’ve emerged as the primary target for attackers, both internally and externally,” Bosnian said. “The management of these privileged accounts tends to be neglected and in many cases these accounts are shared between multiple users (so there is no accountability), with weak passwords that seldom change. Securing the usage and access to these privileged accounts is critical to the security of critical infrastructures.”

Cyber-Ark’s recently conducted annual global IT security survey found that businesses recognize that the exploitation of privileged account access played a prominent role in most of the world’s most notorious data breaches, Bosnian said. Yet, “despite this growing awareness of the privileged connection in cyber-attacks and the growing insider threat, 43% of respondents stated that their organizations do not monitor the use of privileged accounts or were unsure of whether they did,” he noted, adding that this should be a priority for organizations going forward.
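The two gaps Bosnian describes, privileged accounts shared between several people with no accountability and privileged use that nobody monitors, are the kind of thing a small log check can surface. The script below is an added example written for this page; it is not code from the article, Cyber-Ark or Aramco. The key=value log format, the account names, source addresses, hostnames and timestamps are all constructed for illustration, as is the assumption that the list of privileged accounts is known up front (in practice it would come from directory group membership).

```python
"""Toy privileged-account usage monitor (added example, not from the article).

Parses a few constructed authentication log lines and flags:
  (a) a privileged account used from more distinct source hosts than one
      person plausibly sits at within a short window (a shared-account sign);
  (b) any privileged activity inside a declared quiet period, such as a
      holiday when almost nobody should be logging in.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed set of privileged accounts; invented names for the example.
PRIVILEGED = {"svc_backup_admin", "da_operator"}

# Constructed quiet period: an early-morning window on a holiday.
QUIET_START = datetime(2012, 8, 15, 0, 0)
QUIET_END = datetime(2012, 8, 15, 8, 0)

# Constructed sample log (invented hosts, users and addresses).
SAMPLE_LOG = """\
2012-08-15T01:02:11Z user=jsmith src=10.20.1.15 host=ws-0101 result=success
2012-08-15T01:05:40Z user=da_operator src=10.20.1.15 host=fs-01 result=success
2012-08-15T01:09:03Z user=da_operator src=10.20.7.88 host=fs-01 result=success
2012-08-15T01:12:55Z user=da_operator src=10.20.9.4 host=dc-02 result=success
2012-08-15T09:30:00Z user=svc_backup_admin src=10.20.3.3 host=bk-01 result=success
2012-08-15T01:20:17Z user=svc_backup_admin src=10.20.3.3 host=bk-01 result=failure
"""


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict; None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        event = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except ValueError:
        return None
    for kv in parts[1:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    required = ("user", "src", "result")
    return event if all(k in event for k in required) else None


def parse_log(text):
    """Parse all lines, silently dropping malformed ones."""
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def shared_account_alerts(events, window=timedelta(minutes=15), max_sources=2):
    """Privileged accounts with successful logons from > max_sources distinct
    src addresses inside any sliding window.  Returns {user: sorted srcs}."""
    by_user = defaultdict(list)
    for e in events:
        if e["user"] in PRIVILEGED and e["result"] == "success":
            by_user[e["user"]].append(e)
    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            srcs = {x["src"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(srcs) > max_sources:
                alerts[user] = sorted(srcs)
                break
    return alerts


def quiet_period_alerts(events, start=QUIET_START, end=QUIET_END):
    """Every privileged event (success or failure) inside [start, end)."""
    return [(e["user"], e["src"], e["ts"].isoformat())
            for e in events
            if e["user"] in PRIVILEGED and start <= e["ts"] < end]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("shared-account candidates:", shared_account_alerts(events))
    for user, src, when in quiet_period_alerts(events):
        print(f"privileged activity during quiet period: {user} from {src} at {when}")
```

On the sample data the shared-account check singles out `da_operator`, which logs on from three different addresses within seven minutes, while `svc_backup_admin` is only ever seen from one host. The quiet-period check is deliberately broad and includes failed attempts, because a failed privileged logon at 01:20 on a holiday is worth a look even when nothing succeeded.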
