You are Home   »   News   »   View Article

Sudden IT disruption (virus) hits Saudi Aramco (Aug 15th)

Wednesday, September 5, 2012

Saudi Aramco issued a statement on August 15th to say that it had isolated all of its electronic systems from outside access as "an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network."

"The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network," it said.

"The interruption has had no impact whatsoever on any of the company's production operations," it said.

"Saudi Aramco IT experts anticipate resuming normal operations of its network soon."

Meanwhile IT security experts have warned (Aug 16th) about a new virus targetting infrastructure in the energy industry called "Shamoon". There has been no confirmation that Saudi Aramco was hit by Shamoon but Symantec stated that it "was being used in specific targeted attacks against at least one organization in the energy sector."

There are three stages to the attack, one to install some components on the computer, which Symantic calls "dropper", another to destroy the boot record, which Symantic calls "Wiper", and another to report back to a server computer, called "reporter".

The virus names one of the folders "Shamoon" - C:ShamoonArabianGulfwiper eleasewiper.pdb

It was installed on PCs via a "spear-phishing e-mail", an e-mail sent to specific individuals, with a malicious document attached.

The "wiper" overwrites and wipes files in the master boot record of the computer, which makes the computer unusable. By messing around with the master boot record, Shamoon might be trying to cover up evidence of something which has already been done.

The "reporter" sends the names of files it has overwritten to another machine on the compromised company network, with IP address

Seculert says it looks like the attacker gains control of one machine on the internal network connected to the internet, and uses that as a server, to infect other internal machines, which might not be connected to the internet.

Seculert report

Symantec report

Kaspersky lab report

Associated Companies
» Aramco

comments powered by Disqus


To attend our free events, receive our newsletter, and receive the free colour Digital Energy Journal.


Latest Edition Jul-Aug 2022
Aug 2022

Download latest and back issues


Learn more about supporting Digital Energy Journal