Pierluigi Paganini February 09, 2020

Saudi Aramco, the Saudi Arabian national petroleum and natural gas company, revealed that it has seen an increase in attempted cyber attacks since the Q4 2019.

The energy industry is under attack, Saudi Aramco announced it has seen an increase in attempted cyber attacks since the final quarter of 2019. The data is alarming, even if the petroleum giant confirmed to have successfully countered them.

“Overall there is definitely an increase in the attempts of (cyber) attacks, and we are very successful in preventing these attacks at the earliest stage possible,” Khalid al-Harbi, Saudi Aramco chief information security officer, told Reuters in a telephone interview.

“The pattern of the (cyber) attacks is cyclical, and we are seeing that the magnitude is increasing, I would suspect that this will continue to be a trend.”

Al-Harbi expressed concerns about the growing trend and for the increase of the magnitude of the attacks. Saudi Arabia’s energy sector has been the target of several cyber attacks in the past.

In August 2012, more than 30,000 systems at Saudi Aramco were infected with the Shamoon malware.

On December 2016, security experts observed a new wave of attacks leveraging on the Shamoon malware. The malware experts from Palo Alto Networks and Symantec both reported an attack on a single Saudi company.

The new variant of Shamoon, so-called Shamoon 2, can rewrite the MBR on affected computers with an image of a three-year-old Syrian boy named Alan Kurdi that lay dead on a Turkish beach.

“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” reported Symantec.

In January 2017, researchers at Palo Alto Networks discovered a new strain of the Shamoon 2 malware that was targeting virtualization products.

The researchers at IBM’s X-Force Incident Response and Intelligence Services (IRIS) believe Shamoon malware is a pivot element in information warfare between Saudi Arabia and Iran.

The malware experts identified servers used to deliver Shamoon, they have broken onto the server used by the attackers and gathered more information to study the threat and its attack chain.

In December 2017, security firms FireEye and Dragos reported the discovery of a new strain of malware dubbed Triton (aka Trisis) specifically designed to target industrial control systems (ICS).

Both FireEye and Dragos would not attribute the Triton malware to a specific threat actor, they only revealed that it has been used in attacks aimed at an unnamed critical infrastructure organization and caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

Experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Saudi Aramco is one of the most important oil supply worldwide, its production covers 10% of the global oil supply.

Harbi also revealed that Saudi Aramco personnel was targeted with an Emotet campaign, but let me add that in this case there are no public news of a targeted attack employing the popular malware that has been distributed globally via malspam campaigns.

Harbi highlighted the difficulty in attributing the attack to a specific threat actor.

Pierluigi Paganini

(SecurityAffairs – Saudi Aramco, Saudi Arabia)

[adrotate banner=”5″]

[adrotate banner=”13″]