Throwback Attack: Hackers take advantage of the holidays to hit oil giant Saudi Aramco

An oil pump jack
Courtesy: CFE Media and Technology

The holidays may be a time for celebration, but families aren’t the only ones who see these festive occasions as the most wonderful time of the year. Hackers know that due to low staffing levels and other merry distractions, the holidays are one of the best times to strike. The Colonial Pipeline hack occurred over Mother’s Day weekend, meat processor JBS was hit over Memorial Day weekend and software developer Kaseya was hacked over the Fourth of July holiday.

Despite having no direct, credible threat, the FBI and Cybersecurity and Infrastructure Security Agency (CISA) recently issued a warning to remind both private and public sector organizations to remain vigilant about possible ransomware or other cyberattacks this holiday season.

“While we are not currently aware of a specific threat, we know that threat actors don’t take holidays,” CISA Director Jen Easterly said in a release. “We will continue to provide timely and actionable information to help our industry and government partners stay secure and resilient during the holiday season.”

One of the biggest cyberattacks in recorded history also took advantage of a holiday, when threat actors went after Saudi Aramco, one of the biggest oil companies in the world, in 2012. According to an article on CNN Business, 35,000 company computers were partially wiped or destroyed in the attack, and Saudi Aramco was forced to revert to pen and paper to keep the massive oil conglomerate running.

Shamoon malware

The Saudi Aramco attack was launched during the holy month of Ramadan, as many of the company’s employees were taking holiday time off. This was particularly nefarious timing, as it made it much less likely the virus would be discovered quickly and thus increased the chances of the attackers inflicting major damage. On Aug. 15, 2012, the few workers left manning the oil giant’s systems noticed anomalous behavior in their computers — some shut down on their own, many files disappeared and screens went dark, according to CNN Business.

A group of hackers calling itself the Cutting Sword of Justice claimed responsibility for the attack, saying they were retaliating against the al Saud regime for its crimes against humanity. U.S. intelligence services eventually pinned the attack on Iran.

“This is a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression,” the group said.

Despite the massive scale of the attack, which impacted 30,000 Saudi Aramco workstations, it started like so many others, with someone on the company’s information technology (IT) team clicking a bad link in a scam phishing email. It’s likely the hackers had launched the phishing attack and were in the company’s systems well before the strike was discovered in August 2012. They used a modular computer virus called Shamoon that exploited Microsoft Windows and quickly spread from the targeted computer to other systems on the network. Once a system was infected with the Shamoon virus, it compiled lists of files, uploaded them to the attacker and then erased them. It then overwrote the master boot record on the computer, rendering it unusable.

The Shamoon malware was also used against Qatar’s RasGas oil company.
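The wiper sequence described above (enumerate files, upload them, delete them, then overwrite the master boot record) is what a defender would want to spot before the last step lands. The following is an added illustration, not code from the article, from Saudi Aramco or from any vendor: a small Python detector that runs over constructed, tab-separated endpoint telemetry (the log format, field names, host names, process names and IP address are all assumptions made for this example) and raises an alert only when a single process on a host performs a mass deletion and then a raw write to a physical drive within a short window. It also covers the two obvious false-positive cases, a cleanup job that deletes many files without touching the disk directly and an imaging tool that writes the raw disk without a preceding mass deletion, so neither is flagged.

```python
"""Toy detector for a wiper-style sequence: mass file deletion followed by a
raw write to the physical disk (an MBR overwrite) from the same process.

Added example for illustration only; the telemetry format and every host,
process and address below are constructed, not real logs or indicators.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry format: time <TAB> host <TAB> process <TAB> action <TAB> target
FIELDS = ("time", "host", "process", "action", "target")


def parse_event(line):
    """Parse one constructed log line into a dict with a datetime 'time'."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    event = dict(zip(FIELDS, parts))
    event["time"] = datetime.fromisoformat(event["time"])
    return event


def is_raw_disk_write(event):
    """True when the event is a write to a raw physical device (\\\\.\\PhysicalDriveN)."""
    return (event["action"] == "RAW_WRITE"
            and event["target"].upper().startswith("\\\\.\\PHYSICALDRIVE"))


def detect_wiper_sequence(lines, window=timedelta(minutes=30), delete_threshold=20):
    """Return one alert per (host, process) whose raw disk write was preceded,
    within `window`, by at least `delete_threshold` FILE_DELETE events.
    NET_CONNECT events in the same window are counted as possible exfiltration."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_key[(ev["host"], ev["process"])].append(ev)

    alerts = []
    for (host, proc), events in by_key.items():
        events.sort(key=lambda e: e["time"])
        for idx, ev in enumerate(events):
            if not is_raw_disk_write(ev):
                continue
            start = ev["time"] - window
            prior = [p for p in events[:idx] if p["time"] >= start]
            deletes = sum(1 for p in prior if p["action"] == "FILE_DELETE")
            uploads = sum(1 for p in prior if p["action"] == "NET_CONNECT")
            if deletes >= delete_threshold:
                alerts.append({"host": host, "process": proc,
                               "raw_write_at": ev["time"],
                               "deletes": deletes, "uploads": uploads})
    return alerts


def constructed_events():
    """Constructed sample telemetry (not real data) for four hosts."""
    t0 = datetime(2012, 8, 15, 8, 0, 0)
    lines = []

    def add(offset_s, host, proc, action, target):
        stamp = (t0 + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{stamp}\t{host}\t{proc}\t{action}\t{target}")

    # WS-0413: read many files, one outbound connection, delete them, then raw disk write
    for i in range(40):
        add(i, "WS-0413", "updater.exe", "FILE_READ", f"C:\\Users\\ali\\Documents\\doc-{i:03d}.docx")
    add(60, "WS-0413", "updater.exe", "NET_CONNECT", "203.0.113.7:443")
    for i in range(40):
        add(120 + i, "WS-0413", "updater.exe", "FILE_DELETE", f"C:\\Users\\ali\\Documents\\doc-{i:03d}.docx")
    add(300, "WS-0413", "updater.exe", "RAW_WRITE", "\\\\.\\PhysicalDrive0")

    # WS-0200: nightly cleanup deletes many files but never writes the raw disk
    for i in range(100):
        add(3600 + i, "WS-0200", "cleanup.exe", "FILE_DELETE", f"D:\\archive\\old-{i:03d}.bak")

    # WS-0301: imaging tool writes the raw disk with no preceding mass deletion
    add(7200, "WS-0301", "imaging.exe", "RAW_WRITE", "\\\\.\\PhysicalDrive0")

    # WS-0500: mass deletion, then a raw write two hours later (outside the window)
    for i in range(40):
        add(10000 + i, "WS-0500", "svc.exe", "FILE_DELETE", f"C:\\data\\f-{i:03d}.txt")
    add(10000 + 7200, "WS-0500", "svc.exe", "RAW_WRITE", "\\\\.\\PhysicalDrive0")
    return lines


if __name__ == "__main__":
    for alert in detect_wiper_sequence(constructed_events()):
        print(alert)
```

The correlation key is (host, process) and the window is anchored on the raw disk write, so the detector fires on the ordering the article describes rather than on either behaviour alone; in practice the thresholds and the window would be tuned to the environment's normal churn, and a raw write to a physical drive from anything other than a known imaging or backup tool is worth an alert on its own.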

The Saudi Aramco response

The impact of the Shamoon virus on Saudi Aramco was swift and nearly debilitating. Chris Kubecka, a security advisor hired by Saudi Aramco to remediate the damage to offices in the Middle East, Africa and Europe, described the details of the attack at a 2015 Black Hat USA talk in Las Vegas.

To prevent the spread of the virus, the company immediately pulled the plug on almost everything connected to a network. This meant office phones, computers and email systems were all dead. Standard work was done via fax and interoffice memo. While oil production continued apace, the company’s other services were knocked decades into the past, as they were forced to handle things like shipping, contracts and billing via pen and paper.

According to the CNN Business article, the company temporarily stopped selling oil to domestic gas tank trucks, but soon relented and started giving oil away for free to keep it flowing within Saudi Arabia. To get through the ordeal, Saudi Aramco allocated huge resources to hiring and purchasing.

“It was a massive army of IT people. I’ve never seen anything like that in my life,” Kubecka said to CNN Business.

The corporate giant also used a fleet of private aircraft and its massive resources to fly employees around the world to purchase every hard drive they could get their hands on so oil prices would not be impacted by speculation. According to CNN Business, the company paid higher prices to quickly obtain 50,000 hard drives, leaving behind a shortage for the rest of the world.

It took Saudi Aramco five months, and essentially an entirely new computer network, to get things back to normal. According to reports, the hackers behind this brazen cyberattack were never caught.
