By Richard Sale and Gregory Hale
A new virus named Shamoon hit oil giant Saudi Aramco and Qatar’s RasGas, the second largest LNG producer in the world, said sources at the CIA.
“The virus hit Aramco and Qatari RasGas. In both cases, it knocked out computer workstations and corporate web sites,” the sources said.
The sources said it did not affect production or cargo operations.
Shamoon, or W32.DistTrack, is information-stealing malware that also includes a destructive module, according to a report from ICS-CERT.
Shamoon renders infected systems useless by overwriting the Master Boot Record (MBR), the partition tables, and most of the files with random data, the report said. Once overwritten, the data are not recoverable.
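The wiping behaviour described above leaves a recognisable trace: a first sector that has lost its boot signature and its partition table and is filled with high-entropy random bytes. The following script is an added triage example (not code from the article, ICS-CERT or Symantec) that a responder can run against the first 512 bytes of a disk image to tell an intact Master Boot Record from one overwritten with random data. The entropy threshold of 7.0 bits per byte is an assumption chosen so that random data (which scores around 7.5 on a 446-byte block) is separated from real boot code, and both sample sectors are constructed inline rather than taken from any real machine.

```python
"""Triage check for a wiped Master Boot Record (added example; not from the article)."""
import math
import random
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446     # four 16-byte partition entries live at 446..509
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of every valid MBR
ENTROPY_THRESHOLD = 7.0          # assumption: random bytes score ~7.5 here, real boot code well below


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, approaching 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partition_table(mbr: bytes):
    """Return the four partition slots (dict, or None for an empty slot); None overall if implausible."""
    slots = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        raw = mbr[off:off + PARTITION_ENTRY_SIZE]
        if raw == bytes(PARTITION_ENTRY_SIZE):
            slots.append(None)            # an all-zero slot is normal
            continue
        status, ptype = raw[0], raw[4]    # status byte, then partition type after 3 CHS bytes
        lba_start, sectors = struct.unpack_from("<II", raw, 8)
        if status not in (0x00, 0x80) or ptype == 0 or sectors == 0:
            return None                   # no legitimate partitioning tool writes an entry like this
        slots.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return slots


def assess_mbr(mbr: bytes) -> dict:
    """Combine three independent signals (signature, table, entropy) into a likely-wiped verdict."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    slots = parse_partition_table(mbr)
    entropy = shannon_entropy(mbr[:PARTITION_TABLE_OFFSET])
    signature_ok = mbr[510:512] == BOOT_SIGNATURE
    table_ok = slots is not None and any(s is not None for s in slots)
    return {
        "signature_ok": signature_ok,
        "partition_table_ok": table_ok,
        "boot_code_entropy": round(entropy, 2),
        "partitions": [s for s in (slots or []) if s],
        "likely_wiped": (not signature_ok) or (not table_ok) or entropy > ENTROPY_THRESHOLD,
    }


def read_mbr(image_path: str) -> bytes:
    """First sector of a raw disk image (or of a block device such as /dev/sda on Linux)."""
    with open(image_path, "rb") as f:
        return f.read(MBR_SIZE)


def build_intact_sample() -> bytes:
    """Constructed sample: minimal boot code, one NTFS partition at LBA 2048, valid signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"Invalid partition table"
    boot_code = boot_code.ljust(PARTITION_TABLE_OFFSET, b"\x00")
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 1048576)
    return boot_code + entry + bytes(3 * PARTITION_ENTRY_SIZE) + BOOT_SIGNATURE


def build_wiped_sample(seed: int = 20120816) -> bytes:
    """Constructed sample: a sector overwritten with pseudo-random bytes (fixed seed for repeatability)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(MBR_SIZE))


if __name__ == "__main__":
    import sys
    sectors = {"intact sample": build_intact_sample(), "wiped sample": build_wiped_sample()}
    if len(sys.argv) > 1:                 # optional: path to a disk image to triage
        sectors[sys.argv[1]] = read_mbr(sys.argv[1])
    for name, sector in sectors.items():
        print(name, assess_mbr(sector))
```

Run it with no arguments to see the two constructed sectors scored, or pass the path of a raw image to score its first sector. The verdict is deliberately an OR of three weak signals: a random overwrite almost never leaves a 0x55AA signature and a structurally valid partition table behind, and even if one of them survived by chance the entropy of the boot-code region still gives it away.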
According to a report from Symantec, Shamoon has three primary functional components:
1. Dropper—the main component and source of the original infection. It installs a number of other modules.
2. Wiper—this module is responsible for the destructive functionality of the malware.
3. Reporter—this module is responsible for reporting infection information back to the attacker.
After the initial infection, Shamoon spreads via network shares to infect additional machines on the network. Symantec first detected Shamoon on August 16 and estimates that only a few infections exist worldwide (fewer than 50).
Because of the highly destructive functionality of the Shamoon “Wiper” module, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. The actual impact on an organization varies, depending on the type and number of systems affected.
ICS-CERT and US-CERT encourage organizations to:
• Update antivirus definitions for detection of the Shamoon (DistTrack) malware.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Always keep patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Exercise caution when using removable media, including USB drives.
• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
• Place control system networks and remote devices behind firewalls, and isolate them from the business network.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
RasGas and Saudi Aramco both suffered hits in the past few weeks
Saudi Aramco’s main internal networks fell victim to an attack on August 15, after a malicious virus infected about 30,000 of its workstations. Networking experts have now cleaned and restored the system, and it is up and ready for service.
Saudi Aramco’s production plants and primary enterprise systems of hydrocarbon exploration and production remained unaffected as they operate on isolated network systems, officials said.
The company also said its exports, sales, distribution operations, and financial and human resources systems, and databases went unaffected by the attack.
The company’s precautionary procedures, which went into effect to counter such threats, and its multiple protective systems helped keep the cyber threats from spiraling, said Saudi Aramco President and Chief Executive Khalid Al-Falih.
“Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack,” Al-Falih said.
RasGas Company Ltd is a liquefied natural gas (LNG) producing company in Qatar. It is the second-biggest LNG producer in the world after Qatargas. RasGas operates seven LNG trains located in Ras Laffan Industrial City.
RasGas has found a virus in its office computer network, two weeks after the world’s biggest oil producer in neighboring Saudi Arabia was hacked into.
“The company’s office computers have been affected by an unknown virus … It was first identified on Monday,” RasGas, one of two Qatari LNG producers, said in a statement.
“Operational systems both onsite and offshore are secure and this does not affect production at the Ras Laffan Industrial City plant or scheduled cargoes.”
It was not clear whether RasGas was the victim of the same malicious software or hacker group that targeted about 30,000 desktop PCs at Saudi Aramco on Aug. 15.
Two weeks on, Saudi Aramco took its website www.aramco.com offline to limit options for further attacks.
RasGas’ website and email servers have also been off this week, with emails to the company bouncing back as they do from Aramco. A company spokeswoman was unable to say whether this was due to RasGas shielding its electronic systems from more intrusions or the effect of the virus itself.
A spokesman for RasGas parent Qatar Petroleum said the group company had not been affected by any virus, while sister company Qatargas was unavailable for comment. Emails from both those companies appeared to be working normally last Thursday.