Saudi Arabia-based oil company Saudi Aramco said it has restored internal network services after about 30,000 workstations were infected earlier this month with an unknown piece of sabotage malware
The incident may be linked to the Shamoon virus, which researchers said has targeted other energy sector companies in the Middle East.
Though Saudi Aramco has yet to confirm whether it was impacted by Shamoon, which is a data-wiping trojan that overwrites computer files to render machines unusable, researchers have reason to believe this may be true – most notably, because Shamoon, also known as Disttrack, was discovered within a week of the Saudi Aramco attacks.
The company announced Sunday that its systems had been “cleaned and restored to service,” and employees resumed normal business operations on Saturday following the observance of the Muslim Eid holidays.
In a statement, Khalid Al-Falih, Aramco's president and CEO, said his company was not alone in being targeted by the virus. “Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems,” he said. “We will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack.”
To prepare for such threats, companies should expect the worst, Jeffrey Carr, founder and CEO of Virginia-based security firm Taia Global, told SC on Monday.
“Companies need to assume that they've already been breached,” said Carr, who has been briefed on the Saudi Aramco attack from a source who used to work there. “It's not realistic that they can stop an attacker from getting in, especially if it's a multinational corporation with operations in more than one country.”
Carr advised companies to segregate their most critical data from other files on the network.
“You can monitor internally who has access to files and how it was accessed," he said. "You can't do that when you have millions and millions of files on your network, but you can do it for the critical ones.”
Several groups have claimed responsibility for the attack on Aramco, including The Cutting Sword Justice, Arab Youth Group and “angry internet lovers. All have posted documents on Pastebin, a website where users can store text online. Some of the posted materials include IP addresses from the hacked servers and internet service router passwords.