Viruses that badly affected computer systems at two major oil and gas companies in the Gulf appear to be deliberate attempts at sabotage, but preliminary analysis of the code doesn’t point to a state-sponsored attack, said Moscow cybersecurity firm Kaspersky Lab.
Both state-owned Saudi Aramco and Qatar gas exporter Ras Laffan Liquefied Natural Gas Company (RasGas) were hit last month by a virus believed to be called Shamoon. The companies said their core operations weren’t affected.
“The Shamoon malware is not at a level where nation-state involvement is the only plausible scenario,” Kaspersky senior researcher Roel Schouwenberg said. “There are some beginner-level bugs in the code which we wouldn’t typically associate with an elite-level team of state-sponsored programmers.”
According to an analysis by cybersecurity firm Symantec Corporation (SYMC), Shamoon is a destructive malware that corrupts files on a compromised computer and overwrites key operational systems in an effort to render a computer unusable.
Saudi Aramco, which has a total staff of about 56,066, saw 30,000 of its workstations affected by the cyberattack. It was forced to isolate all its electronic systems from outside access until it restored them and restricted its remote Internet access.
“This is clearly an act of sabotage,” Schouwenberg said. “We live in an era where cyberespionage is rampant. Sabotage isn’t necessarily too far removed from that.”
Aramco hasn’t named the bug, but the time stamp in the Shamoon malware was the same time listed in the statement on online hacking forum Pastebin about the attack, said Alex Gostev, Kaspersky’s chief security expert. RasGas said it had shut down part of its computer system since last Monday but didn’t give further details on the scale of computers affected by the bug.
A person familiar with the matter told Dow Jones Newswires last week that RasGas had been hit by the virus called Shamoon. The two firms had nothing to say about the source of the attack. Kaspersky Lab’s analysts said it wasn’t possible to identify the source or motivation of the attacks or if they could be related.
If they were the start of a new wave of so-called hacktivism, “that would be an extremely worrisome development”, Schouwenberg said. It would indicate that such groups had moved from fairly commonplace distributed denial of service attacks, in which hackers bring down websites by overwhelming them with requests for page views, to more advanced methods involving breaching and publishing databases, to damaging sabotage, he said.
The most famous example of a virus that did infiltrate an industrial control network is Stuxnet, which damaged centrifuges at Iranian uranium enrichment facilities in 2010.
Banque Saudi Fransi, the lender part-owned by France’s Credit Agricole, last week was the victim of the Stuxnet cyberweapon, which affected the company’s shared computer disc drives but left its operations unharmed, a person familiar with the matter said yesterday.
A spokesman for Banque Saudi Fransi declined to comment when contacted by Dow Jones Newswires. Both Aramco and RasGas said their oil and gas operations weren’t affected by last month’s attacks. Kaspersky Lab’s recent survey of more than 3,300 experts indicates that cyberthreats are likely to be the number one risk to business within the next two years.
source: Gulf Times