
Shamoon likely the malware used against Saudi oil giant Aramco

Indications suggest that the attack was much more destructive and widespread within Aramco than has been officially admitted

Much of this is conjecture. The victim, Aramco (the website is still unavailable at the time of writing this report), is understandably not giving away much information while ‘Cutting Sword of Justice’ is not the only group to have claimed responsibility. Nevertheless, the circumstantial evidence is compelling. Cutting Sword of Justice claimed responsibility on August 15, noting it is “an anti-oppression hacker group” acting against the “Al-Saud regime.”

What is known about Shamoon is also compatible with what is known about the Aramco attack. Indications suggest that the attack was much more destructive and widespread within the company than has been officially admitted. This is compatible with the wiper element of Shamoon. An Aramco/Shamoon connection also explains other conjecture from security researchers: that Shamoon is targeted malware (it was targeted at Aramco), and that it bears resemblance to state-sponsored cyber-weapons (it is certainly a destructive weapon).

Sifting through unattributed and therefore unconfirmed reports on Pastebin suggests that some 30,000 of Aramco’s computers were destroyed. If this is true, and the perpetrators are as claimed “an anti-oppression hacker group”, then it takes hacktivism to a new level. “Does this mean that the power of the hacktivism has become so strong that it can compete with government cyber warfare organizations?” asks Imperva’s Rob Rachwald in a company blog yesterday.

Or is this, as suggested by Jeffrey Carr in his Digital Dao blog, “an Iranian operation to discourage Saudi Armaco [sic] from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union”? That is, is Shamoon/Aramco government cyber warfare disguised as hacktivism? “It makes sense to me,” adds Carr, “that Iran, the victim of the Wiper attack, reverse-engineered or at least mimic'd it to create Shamoon.”

We won’t necessarily know more about the true reason for the attack against Aramco, but we might know more about the effectiveness of the attackers after 21:00 (GMT) tomorrow. An anonymous post on Pastebin yesterday warned Aramco, “we are going to make it, next week, once again, and you will not be able by 1% to stop us.” It specified 25 August, 21:00 GMT as the time.
