Connecting the Dots After Cyberattack on Saudi Aramco
In a statement on Sunday, Khalid al-Falih, Aramco’s chief executive, said Aramco had restored its main internal network services after they were “impacted on Aug. 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations.”
To support their claim, they posted blocks of what they claimed were the infected I.P. addresses to Pastebin, a Web site often used by hackers to post data from such attacks. The group said it had attacked the government-owned oil company in retribution for what it said was the Saudi government’s support for “oppressive measures” in the Middle East.
The attack was the first significant use of malware by so-called hacktivists — hackers who attack for political reasons rather than for profit. Hacktivist groups like LulzSec and Anonymous typically recruit volunteers to flood a Web site with traffic until it goes offline. In this case, hackers used a malicious virus that was intended to inflict more harm.
Researchers at Symantec, the computer security firm, said that hours after the attack, they received a sample of the virus they believe was responsible. The virus, named Shamoon after a word in its code, was designed to overwrite critical files with an image of a burning American flag. The researchers discovered instructions in Shamoon’s code, what is known as a “kill timer,” to attack at 4:08 a.m. on Aug. 15 — the same time hackers said they had destroyed Saudi Aramco’s computers.
Researchers said that they had received the sample of malware from an outside security researcher who discovered it on a computer “in the Middle East.” They declined to identify that researcher or specify the country or organization where the virus was found. But Vikram Thakur, a senior researcher with Symantec’s response team, said it was “extremely likely” that Shamoon was used in the attack on Saudi Aramco.