Shamoon (2012)

From International cyber law: interactive toolkit
Date August 2012
Suspected Actor A group called 'Cutting Sword of Justice' claimed responsibility for the attack. Neither researchers nor officials have disclosed the names of the attackers involved. U.S. intelligence officials considered that the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim.[1]
Target The Shamoon virus was inserted into the networks of the state owned national oil company 'Saudi Aramco'.
Method The virus, called Shamoon after a word embedded in its code, was unleashed on 15 August 2012 by a company insider with privileged access to Aramco's network.

Rather than merely collecting information, the virus was highly destructive: it rendered the infected computers unusable. Shamoon was designed to carry out two steps. First, it erased the data on the hard drives, overwriting it with an image of a burning American flag; second, it reported the addresses of the infected computers back to a computer inside the company's network, together with the number of files[2] and the list of files[3] it had destroyed. Because the erased files were overwritten rather than simply deleted, they could not be recovered. Shamoon was also able to spread from an infected machine to other computers on the network, so that over 30,000 Aramco computers were infected.

Purpose An online announcement of the attack seemed to suggest that the group saw the attack as an act of retaliation against the Al-Saud regime for the crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon and Egypt.
Result Over 30,000 computers at Aramco were rendered useless and had to be replaced. The virus erased data on three-quarters of Aramco's corporate PCs, including documents, spreadsheets, e-mails and other important files.

Aramco was forced to shut down the company's internal corporate network, disabling employees' e-mail and Internet access, in order to stop the virus from spreading.[1] According to Aramco, the core business of oil production and exploration was not affected by the attack, as it depends on isolated network systems that the virus did not reach.

Aftermath On 29 August 2012, the same attackers published a posting containing usernames and passwords of Aramco accounts, including those of Aramco CEO Khalid Al-Falih, as evidence that they still retained access to the company network. At the end of August 2012, Aramco published a statement saying that it had managed to restore all of its main internal network services.

Although described as one of the most destructive attacks on the business sector to date, none of its authors has been identified or caught. In 2016, a new variant of Shamoon, reportedly launched from Iran, struck multiple organisations in Saudi Arabia.[4]

Analysed in
  Scenario 03: Power grid
  Scenario 10: Cyber weapons review
  1. Nicole Perlroth, 'In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back', New York Times (23 October 2012).
  2. Dan Goodin, 'Mystery malware wreaks havoc on energy sector computers', Ars Technica (17 August 2012).
  3. 'Shamoon virus targets energy sector infrastructure', BBC (17 August 2012).
  4. Sean Gallagher, 'Shamoon wiper malware returns with a vengeance', Ars Technica (2 December 2016).