Shamoon, Saudi Aramco, And Targeted Destruction

Published: 22/11/2024   Category: security




Still no definitive connection between Shamoon and Saudi Aramco breach, but new clues emerge



The mystery of the data-destroying targeted attack against a Middle East oil organization with the so-called Shamoon malware is still unfolding, as security experts discover more clues, and a self-professed group of hacktivists claims responsibility for downing machines at Saudi Aramco with the very same malware.
Multiple Pastebin posts on the attacks have emerged, including ones attributed to the so-called Arab Youth Group as well as the Cutting Sword Of Justice, each post basically claiming to have hit Saudi Aramco in protest. "Symantec, McAfee and Kaspersky wrote a detailed analysis about the virus, good job," one Pastebin post said, also claiming to have completely destroyed 30,000 clients and servers at the oil company. A post signed by the Cutting Sword Of Justice said the attacks were against the Al-Saud regime, and that the Aramco hack was the first step in operations against what it considers tyranny and oppression.
Symantec last week revealed its findings on Shamoon, a targeted attack that's all about total annihilation of data, not theft like other targeted attacks. Symantec still won't name the actual victim of the attack, only that it's an energy-sector company in the Middle East. Meantime, Saudi Aramco last week announced that it had been hit by a virus that led to the shutdown of many of its internal systems. The company is Saudi Arabia's national oil company and is considered one of the largest in the world.
Researchers at Kaspersky Lab, meanwhile, have spotted a time correlation between the Aramco attack and the date and time found in the Shamoon malcode on Aug. 15. "We can confirm that #Shamoon kill-timer is the same (08:08 UTC) as announced in anon's statement here," Aleks Gostev, chief security expert for Kaspersky Lab's Global Research and Analysis Team, said in a tweet this morning. Kaspersky provided more detail on Shamoon's inner workings in a blog post.
Neither Kaspersky nor Symantec would go as far as to confirm that Saudi Aramco was hit by the Shamoon attackers, however.
Aviv Raff, co-founder and CTO at Seculert, says he can't confirm the Shamoon-Saudi Aramco connection, either. "The timing and malware behavior look the same, but this is not hard evidence," Raff says. "Also, the IP address, 10.1.252.19, we saw in the malware samples we analyzed is not in the list on the Pastebin."
Meanwhile, just who the attackers are that have been posting and posturing on Pastebin, claiming to be behind the Shamoon malware and to have hacked Saudi Aramco, has been debated. Were they pure hacktivists, as they claim? Or hired guns for Iran, as Jeffrey Carr, CEO of Taia Global, believes?
Carr confirmed his suspicions with Dark Reading that Iran may have commissioned these attacks by the hacker group or groups.
"I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil," Carr wrote in a blog post today.
"Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker," Carr says.
[ Deja vu all over again as Iranian government-owned systems reportedly targeted by a worm. See Iran: Oil Industry Hit By Malware Attack. ]
Darin Andersen, vice president and general manager for Norman North America, says his firm can't confirm a link between the Arab Youth Group/Sword of Justice and Shamoon, but there may well be one, albeit a bit circuitous: "I am also not convinced 100% that there is not a state tie here. What better way to cover your tracks," Andersen says.
Attempts to reach Saudi Aramco have been unsuccessful, but the oil company did post a statement on its website last week confirming a virus attack on its PCs, noting that its production systems had not been affected. The oil company isolated all its electronic systems from outside access as a precaution, the statement said.
So just how did the attack begin? Seculert says evidence indicates it was a two-stage attack that began with the perpetrators wresting control of a machine at the targeted organization and using it as a proxy to the command-and-control server. "Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet," Seculert said in a blog post. Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy.