Thursday, August 23, 2012

Shamoon the Malware in Aramco Attack?

While researchers continue to dig into the Shamoon malware, looking for its origins and a complete understanding of its capabilities, a group calling itself the Cutting Sword of Justice is claiming responsibility for an attack on the massive Saudi oil company Aramco, which some experts believe employed Shamoon to destroy data on thousands of machines. 

The attack on Aramco occurred on August 15, taking the main Web site of Saudi Aramco offline. Officials at the company said that the attack affected some of the company's workstations, but did not have any effect on oil production or on the main Aramco networks. The attackers claiming responsibility for the incident dispute that, saying that they deployed a destructive piece of malware that erased data on infected machines and then made them unusable.

"As previously said by hackers, about 30000 (30k) of clients and servers in the company were completely destroyed. Symantec, McAfee and Kaspersky wrote a detailed analysis about the virus, good job. Hackers published the range of internal clients IPs which were found in the internal network and became one of the phases of the attack target," the group said in a post on Pastebin shortly after the attack.

The first indication that the attack might be connected to the Shamoon malware came in the group's original Pastebin post, which gave a start time for the attack on Aramco: 11:08 a.m. local time in Saudi Arabia on August 15. Researchers who dissected Shamoon found that the same time was hard-coded into the malware as a kind of checkpoint. The attackers claiming responsibility for the operation said that the attack ended a few hours after it began, but that plenty of damage was done.

"In the first step, an action was performed against Aramco company, as the largest financial source for Al-Saud regime. In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sent a malicious virus to destroy thirty thousand computers networked in this company. The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours," the post says.