Details of cyber attack against Saudi energy giant

A cyberattack wiped out data on three-quarters of Aramco’s PCs

From Nicole Perlroth, New York Times: The hackers picked the one day of the year they knew they could inflict the most damage on the world’s most valuable company, Saudi Aramco.

On Aug. 15, more than 55,000 Saudi Aramco employees stayed home from work to prepare for one of Islam’s holiest nights of the year — Lailat al Qadr, or the Night of Power — celebrating the revelation of the Koran to Muhammad.

That morning, at 11:08, a person with privileged access to the Saudi state-owned oil company’s computers unleashed a computer virus to initiate what is regarded as among the most destructive acts of computer sabotage on a company to date. The virus erased data on three-quarters of Aramco’s corporate PCs — documents, spreadsheets, e-mails, files — replacing all of it with an image of a burning American flag.

United States intelligence officials say the attack’s real perpetrator was Iran, although they offered no specific evidence to support that claim. But the secretary of defense, Leon E. Panetta, in a recent speech warning of the dangers of computer attacks, cited the Aramco sabotage as “a significant escalation of the cyber threat. . . .”

Immediately after the attack, Aramco was forced to shut down the company’s internal corporate network, disabling employees’ e-mail and Internet access, to stop the virus from spreading.

It could have been much worse. An examination of the sabotage revealed why government officials and computer experts found the attack disturbing. Aramco’s oil production operations are segregated from the company’s internal communications network. Once executives were assured that only the internal communications network had been hit and that not a drop of oil had been spilled, they set to work replacing the hard drives of tens of thousands of its PCs and tracking down the parties responsible, according to two people close to the investigation but who were not authorized to speak publicly about it.

Aramco flew in roughly a dozen American computer security experts. By the time those specialists arrived, they already had a good handle on the virus. Within hours of the attack, researchers at Symantec, a Silicon Valley security company, began analyzing a sample of the virus. . . .

After analyzing the software code from the Aramco attack, security experts say that the event involved a company insider, or insiders, with privileged access to Aramco’s network. The virus could have been carried on a USB memory stick that was inserted into a PC. . . .

American intelligence officials blame Iran for a similar, subsequent attack on RasGas, the Qatari natural gas giant, two weeks after the Aramco attack. They also believe Iran engineered computer attacks that intermittently took America’s largest banks offline in September, and last week disrupted the online banking Web sites of Capital One and BB&T. . . .

The finger-pointing demonstrates the growing concern in the United States among government officials and private industry that other countries have the technology and skill to initiate attacks. “The Iranians were faster in developing an attack capability and bolder in using it than we had expected,” said James A. Lewis, a former diplomat and cybersecurity expert at the Center for Strategic and International Studies. “Both sides are going through a dance to figure out how much they want to turn this into a fight. . . .”

The attack, intelligence officials say, was a wake-up call. “It proved you don’t have to be sophisticated to do a lot of damage,” said Richard A. Clarke, the former counterterrorism official at the National Security Council. “There are lots of targets in the U.S. where they could do the same thing. The attacks were intended to say: ‘If you mess with us, you can expect retaliation.’”