Shamoon was an external attack on Saudi oil production

Shamoon struck Aramco in August of this year. Aramco was forced to shut its internal network for more than a week, although the website came back online within a couple of days. Shamoon, sometimes considered to be a hackers’ copy of the more likely state-sponsored Wiper malware, infected 30,000 of Aramco’s computers, wiping their hard drives. It did not, however, affect oil production, which is controlled from separate networks.

At the time there was considerable conjecture on how the attack had been effected. Some suggested that it must have involved insiders; others, that it was a state-sponsored attack from Iran. A group called Cutting Sword of Justice claimed responsibility for the attack, saying that its motives were political and citing Saudi ‘crimes and atrocities’ in countries such as Syria and Bahrain.

Now Maj. Gen. Mansour al-Turki, a spokesman for the Saudi Interior Ministry, has said that no insiders were involved, and that the attackers were an organized group operating from countries on four continents. He said he could give no further details because the investigation is continuing. Abdullah Al Sa’adan, Aramco’s vice president for corporate planning, said, “The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals.” 

Gulf News reported this morning that Al Sa’adan added, “Not a drop of oil was lost and the company was able to restore productivity in record time.” The restoration, and the cost, were limited to the replacement of affected hard disks and the time spent by IT staff in restoring connectivity – a process that apparently took less than two weeks.

The attack is believed to have been instigated via spear-phishing against one or more Aramco staff. Al Turki said that he expects such cyber attacks to increase, and as a result, the kingdom is establishing a national centre to foil future attacks. “We are trying to upgrade our capabilities to the level required to combat such incidents,” he said.
