Aramco cyberattack

In previous episodes of the Sentryo Files, we uncovered the details of some of the most emblematic attacks that have hit the industrial sector: connected car, water treatment plant, etc. This article takes a look back at the cyberattack on Aramco oil company in 2012.

Aramco oil company, victim of the largest cyberattack ever waged

In 2012, Aramco, a Saudi Arabian oil company, was the victim of an unprecedented cyberattack. A virus was deployed on the network most likely because of an employee error. As a result, 30,000 workstations and 2,000 servers lost access to all their files and company operations were affected for almost 5 months (source: New York Times).

What really happened during this attack?

This cyberattack was launched on August 15, 2012. This date is symbolic as 55,000 employees of the oil company Aramco were preparing for one of the most sacred nights in Islam: Laylat al-Qadr, the night when the first verses of the Quran were revealed to Muhammad.

That same morning, an employee with an administrator’s account most likely clicked on a link in a scam (phishing) email. This action deployed the Shamoon virus, which deleted the majority of the data (documents, emails, etc.) and replaced it with the same image: a burning American flag. The virus spread to around 30,000 workstations and 2,000 servers.

A group by the name of “Cutting Sword of Justice” claimed responsibility for this cyberattack on Pastebin. They decided to attack the oil company under the pretext that it was financing the Al Saud regime which was blamed for supporting crimes and other atrocities in various countries including Egypt and Syria.

What were the consequences of this cyberattack?

A cyberattack of this size inevitably has consequences. For the oil company, the order, stock, delivery and billing management systems were the most seriously affected. Officially, the only activity that was not affected by this attack was oil extraction, because the SCADA network was separate from the rest of the networks.

In the end, 5 months after the attack launched by the Shamoon virus, Aramco oil company put its system back online with a new, highly secure IT network and a team specialized in cybersecurity.

How can we prevent or counter this type of malicious act?

The first measures we can take to prevent an attack like the one led by the virus Shamoon are the following:

  • Set up intrusion detection systems;
  • Segment the network according to level of sensitivity (malware can spread quickly on flat networks);
  • Raise awareness among employees about security;
  • Set up a business continuity plan by specifying the use of replacement material.
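The first two measures above (detection and segmentation) can be expressed as concrete checks. The following is an added example, written for this article and not code from Sentryo or from the incident investigation: it scans constructed file-event and connection log lines, flags any host that overwrites an unusually large number of files within a short window (the mass-overwrite behaviour described for Shamoon), and flags connections that cross from one network segment into another that the segmentation policy does not allow, such as office workstations reaching the SCADA segment. The log format, the segment address ranges and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not real telemetry from the 2012 incident).
# Each line: "<ISO timestamp> <subject> <event> <object>"
SAMPLE_LOG = """\
2012-08-15T08:00:00 ws-0101 FILE_WRITE C:/Users/a/contract.docx
2012-08-15T08:00:03 ws-0101 FILE_WRITE C:/Users/a/budget.xlsx
2012-08-15T08:00:06 ws-0101 FILE_WRITE C:/Users/a/mail.pst
2012-08-15T08:00:09 ws-0101 FILE_WRITE C:/Users/a/notes.txt
2012-08-15T08:00:12 ws-0101 FILE_WRITE C:/Users/a/photo.jpg
2012-08-15T08:00:15 ws-0101 FILE_WRITE C:/Users/a/plan.pdf
2012-08-15T08:00:20 ws-0202 FILE_WRITE C:/Users/b/report.xlsx
2012-08-15T08:05:00 ws-0202 FILE_WRITE C:/Users/b/report.xlsx
2012-08-15T08:01:00 10.10.1.5 CONNECT 10.20.3.7
2012-08-15T08:01:10 10.10.1.5 CONNECT 10.99.0.9
2012-08-15T08:01:20 10.20.3.7 CONNECT 10.20.3.8
"""

# Hypothetical segmentation plan: address ranges are assumptions for the example.
SEGMENTS = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "scada": ipaddress.ip_network("10.99.0.0/16"),
}

# Flows the (assumed) policy permits; anything else is reported.
# Note that nothing is allowed to reach the "scada" segment from the office side.
ALLOWED_FLOWS = {("office", "office"), ("office", "servers"), ("servers", "servers")}


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, kind, obj = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "subject": subject,
                       "kind": kind, "object": obj})
    return events


def mass_overwrite_hosts(events, threshold=5, window=timedelta(seconds=60)):
    """Return {host: peak write count} for hosts that exceed `threshold`
    FILE_WRITE events inside any sliding window of length `window`."""
    writes = defaultdict(list)
    for e in events:
        if e["kind"] == "FILE_WRITE":
            writes[e["subject"]].append(e["ts"])
    flagged = {}
    for host, stamps in writes.items():
        stamps.sort()
        j = 0  # left edge of the sliding window
        for i in range(len(stamps)):
            while stamps[i] - stamps[j] > window:
                j += 1
            count = i - j + 1
            if count >= threshold:
                flagged[host] = max(flagged.get(host, 0), count)
    return flagged


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' if outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def cross_segment_flows(events, allowed=ALLOWED_FLOWS):
    """Return (src, dst, (src_segment, dst_segment)) for every CONNECT
    event whose segment pair is not in the allowed set."""
    findings = []
    for e in events:
        if e["kind"] != "CONNECT":
            continue
        pair = (segment_of(e["subject"]), segment_of(e["object"]))
        if pair not in allowed:
            findings.append((e["subject"], e["object"], pair))
    return findings


def analyse(text):
    """Run both checks over a log text and return the findings."""
    events = parse_log(text)
    return {"mass_overwrite": mass_overwrite_hosts(events),
            "cross_segment": cross_segment_flows(events)}


if __name__ == "__main__":
    for name, result in analyse(SAMPLE_LOG).items():
        print(name, result)
```

In the constructed sample, ws-0101 writes six files in fifteen seconds and is reported, while ws-0202's two writes five minutes apart are not; the office-to-servers and servers-to-servers connections pass, and only the office-to-SCADA connection is reported. In a real deployment the write threshold would be tuned per host role (a file server legitimately writes far more than a workstation), and the segment table would come from the organisation's own segmentation plan rather than being hard-coded.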

Companies must also be aware that cyberattacks can come from the outside as well as from the inside. Therefore, companies must learn how to set up in-house protection against cyberattacks, all the more so when we see the impact that a single contaminated USB flash drive can have on an industrial environment.

Go further
Take a look at all the episodes of The Sentryo Files: Industries vs. Cyberattacks. Discover the hijacking of a connected car or the analysis of the attack of a water treatment plant in 2015.

Sources: article published in the New York Times on October 23, 2012 and the reports drafted by the SCADA work group of the French Information Security Club (CLUSIF) in 2017.