Saudi oil behemoth Saudi Aramco confirmed yesterday (Aug. 27) that roughly 30,000 computers had been infected with malware Aug. 15, corroborating the claim of the hacking collective known as Cutting Sword of Justice. The hackers had said the attack against "the largest financial source for Al-Saud regime" was a political one.
In an announcement on its website, Saudi Aramco said an infection of malicious and destructive malware had forced it to take all of its networked computers offline but did not affect oil production or any other essential systems and functions.
"The workstations have since been cleaned and restored to service," Aramco said.
The company remained mum as to whether or not data was destroyed or stolen. But, based on a Pastebin post yesterday that included the corporate email and password of Saudi Aramco's president and CEO, Khalid Al-Falih, it is likely the hackers made off with something.
The hackers had announced the time of the attack in advance, in an Aug. 15 Pastebin post.
Based on a timestamp that matches the time the hackers had announced, researchers believe a new piece of malware, known as Shamoon, had been used. Unlike most pieces of malware, which are designed to steal information in secret, Shamoon erases everything as it transmits it to a remote server, including the master boot record, making it impossible even to turn the computer on.
The proxy server's IP address did not show up in the Pastebin dump of infected PCs, but this could have been intentionally omitted from the dump by the hackers, according to Aviv Raff of the malware detection service Seculert, as cited on a Kapersky Labs' Threatpost security blog.
Cutting Sword of Justice described the attack as "a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression."
