Wednesday, August 22, 2012

Was Iran Responsible for Saudi Aramco's Network Attack?

I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil.

The attackers who call themselves the "Cutting Sword of Justice" probably used Shamoon (Symantec's W32.Disttrack). It destroyed 2000 servers and affected business operations based upon this list of affected IP blocks. It looks like Iran tried to mimic the Wiper virus that was used against its oil ministry last April. Kaspersky called Shamoon a copycat of Wiper. The differences were:
The original “Wiper” was using certain service names (“RAHD...”) together with specific filenames for its drivers (“%temp%\~dxxx.tmp”) which do not appear to be present in this malware. Additionally, the original Wiper was using a certain pattern to wipe disks which again is not used by this malware.
It's also important to note that Wiper was not Flame; they are two distinct and separate pieces of malware, and the investigation of Wiper led to the discovery of Flame. Since none of the software security companies have a complete copy of Wiper, it makes sense to me that Iran, the victim of the Wiper attack, reverse-engineered or at least mimicked it to create Shamoon. Kaspersky Labs noted that the start date of the Aramco attack was August 15 11:08 AM (Arabia Standard Time - AST) per the attackers' first Pastebin posting. This exactly corresponded with a date and time found in the code: "15th August 2012 08:08 UTC". The difference between UTC and AST is +3 hours.

Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker.

I understand that Aramco has been vigorously investigating the attack to determine how their network was compromised and that some firings of employees and contractors have already occurred. I've asked Saudi Aramco's public affairs office for a comment but so far no one has returned my call.

UPDATE (23AUG12): I've received new information from knowledgeable sources that the attack vector for delivery of the worm was a USB stick inserted into a workstation at one of Aramco's global offices (not in Saudi Arabia). Further, the timing of the attack was carefully chosen to be one hour before the end of the workday, which was the end of the month of Ramadan and the start of the Eid holiday.

RELATED:
Saudi Aramco's Security Nightmare: Poor Design, Corrupt Contractors, and More
Operations Security at Saudi Aramco? Zero.
