Shamoon (2012)

From International cyber law: interactive toolkit
Revision as of 22:46, 24 March 2019 by Exeter951 (editing real world scenarios)

[This page is under construction. Sources to include: https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-us.html]

Date August 2012
Suspected Actor A group calling itself the 'Cutting Sword of Justice' claimed responsibility for the attack. Neither researchers nor officials have disclosed the names of the individuals involved. U.S. intelligence officials have said that the real perpetrator was Iran, although they offered no specific evidence to support that claim.
Target The Shamoon malware was inserted into the networks of the state-owned national oil company 'Saudi Aramco'.
Method The malware, called Shamoon after a word embedded in its code, was unleashed on 15 August by a company insider with privileged access to Aramco's network.

Instead of merely collecting information, the malware revealed its destructive nature by rendering the infected computers unusable. Shamoon was designed to carry out two steps: it erased the data on the hard drives, replacing it with an image of a burning American flag, and it reported the addresses of infected computers back to a computer inside the company's network.

Because the data was overwritten rather than simply deleted, the affected files could not be recovered.

Shamoon could spread from an infected machine to other computers on the same network, which is how over 30,000 Aramco computers came to be infected.

Purpose An online announcement of the attack suggests that the group saw it as an act of retaliation against the Al-Saud regime for crimes and atrocities taking place in various countries around the world, especially in neighbouring countries such as Syria, Bahrain, Yemen, Lebanon and Egypt.
Result Over 30,000 computers at Aramco were rendered useless and had to be replaced. The malware erased data on three-quarters of Aramco's corporate PCs, including documents, spreadsheets, e-mails and other important files.

To stop the malware from spreading, Aramco was forced to shut down its internal corporate network, disabling employees' e-mail and Internet access[1].

According to Aramco, its core business of oil production and exploration was not affected, because those operations run on isolated network systems that were not reached by the attack.

Aftermath On 29 August the same attackers published a posting containing usernames and passwords of Aramco accounts, including that of Aramco CEO Khalid Al-Falih, as evidence that they still had access to the company network. At the end of August, Aramco published a statement saying that it had managed to restore all of its main internal network services.

Although described as one of the most destructive attacks on the business sector to date, none of its authors has been identified or caught.

Analysed in Scenario 10: Cyber weapons review; Scenario 3: Power grid