Former NSA boss Gen. Keith Alexander has claimed that the Shamoon malware attacks on Middle East energy company Saudi Aramco in 2012 were a “wake-up call for everybody” that could have severe repercussions for the safety of critical infrastructure networks.
The longest serving director of the much-maligned US security agency made the remarks in a marathon two-hour interview with Australian Financial Review, which has published the 17,500-word transcript.
In response to a question asking whether Stuxnet is a “harbinger of a new age of cyber warfare”, he argued that, in fact, the Aramco attack was perhaps more noteworthy.
“The new age was not necessarily Stuxnet. It was what happened to Saudi Aramco in August 2012. That’s the wakeup call, I think, for everybody,” he told AFR.
“DDOS attackers employed a virus that infected the hard drives of over 30,000 computers at Aramco, overwriting and effectively destroying data. A similar attack on our critical infrastructure networks could have grave effects on financial markets, communication networks, and health and safety services to name a few.”
However, security experts Infosecurity magazine spoke to have questioned Alexander’s interpretation of events.
They said that although the attack is thought to have used the Shamoon “wiper” virus that infected and destroyed victim PCs, it was not a “DDOS” as such.
This renders even more baffling Alexander’s other comments, that the attack “ran through the private networks in the United States and, as an unintended consequence, nearly disabled a major US telecommunications company”.
At the time, a hacktivist group called the Cutting Sword of Justice claimed responsibility for the attack, citing Saudi ‘crimes and atrocities’ as its motivation, although others have speculated that it could actually have been sponsored by an Iranian regime that was itself the victim of a Wiper attack a few months previously.
In the end, although 30,000 of Saudi Aramco’s workstations were wiped, the firm managed to get its network back online after 10 days and said its core oil and gas production systems were not affected.
As a result, it’s difficult to view the attack with quite the same level of foreboding as Alexander, according to Trend Micro VP of security research, Rik Ferguson.
“These things do act as a wake-up call, however, if you look at the net effect on Aramco it wasn’t massively disruptive,” he told Infosecurity.
“Probably the two biggest wake-up calls from a nation state and commercial point of view were the ‘agent.btz’ attack on the US military in 2008, which led to the creation of US Cyber Command … and the Aurora attacks in 2009 when Google came forward and said it and 20 others had been breached.”
Jason Steer, director of technology strategy at FireEye, told Infosecurity that Alexander’s comments would make him “question how close the individual was” to the attacks.
He added that what they did possibly foretell, however, was a growing trend among attackers of destroying targeted systems as the last step of a campaign.
“Rather than leave potentially incriminating evidence behind, it’s less risky to ‘burn the house down’,” he explained. “This goes against the ethos of most sophisticated targeted attacks which want to remain invisible.”