One or more insiders with high-level access may have assisted the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company, Saudi Aramco, last month, according to a published report.
The attack using a computer virus known as Shamoon against the world’s biggest oil company, Saudi Aramco, is one of the most destructive cyber strikes conducted against a single business.
Shamoon spread through the company’s network and wiped computers’ hard drives clean. Saudi Aramco said office computers suffered damage, and that the attack did not affect systems software in a way that might hurt technical operations.
The hackers’ apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country that banned open dissent.
“It was someone who had inside knowledge and inside privileges within the company,” a source familiar with the ongoing forensic examination said in the published report.
Hackers from a group called “The Cutting Sword of Justice” claimed responsibility for the attack. They say the computer virus gave them access to documents from Aramco’s computers, and have threatened to release secrets. No one has published any documents so far.
In addition to hitting Saudi Aramco, Shamoon also struck Qatar’s RasGas, the second largest LNG producer in the world, said sources at the CIA in an ISSSource report.
“The virus hit Aramco and Qatari RasGas. In both cases, it knocked out computer workstations and corporate web sites,” the sources said.
Saudi Aramco declined to comment. “Saudi Aramco doesn’t comment on rumors and conjectures amidst an ongoing probe,” it said.
The hacking group that claimed responsibility for the attack described its motives as political.
In a posting on an online bulletin board the day they wiped the files, the group said Saudi Aramco was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries, including Syria and Bahrain.
Saudi Aramco, which supplies about a tenth of the world’s oil, has hired at least six firms with expertise in hacking attacks, bringing in dozens of outside experts to investigate the attack and repair computers, the sources said in the published report.
According to analysis of Shamoon by computer security firm Symantec, the way the virus gets into networks may vary, but once inside it tries to infect every computer in the local area network before erasing files to render PCs useless.
“We don’t normally see threats that are so destructive,” Liam O Murchu, who helped lead Symantec’s research into the virus, said. “It’s probably been 10 years since we saw something so destructive.”
The state-run oil company, whose 260 billion barrels of crude oil alone would value it at over 8 trillion dollars, or 14 times the market value of Apple Inc., appeared well protected against break-in attempts over the Internet, according to people familiar with its network operations.
Yet those sources say such protections could not prevent an attack by an insider with high-level access.
Shamoon is designed to attack ordinary business computers. It does not belong to the category of sophisticated cyber warfare tools, such as the Stuxnet virus that attacked Iran’s nuclear program in 2010, that target industrial control systems and can paralyze critical infrastructure.