Shamoon Wiper: The most damaging corporate attack - Did you miss it?

By Norman Johnson
 
Stuxnet was probably the most damaging attack to a government's critical infrastructure to date. While we still don't know the full extent of the damage, many of the deep mysteries, such as "who did it?", were recently revealed in a book based on inside sources within the Obama administration. The Stuxnet story reads like a Tom Clancy high-tech, nation-changing mystery novel, opening our eyes to what was previously thought almost impossible, such as setting up a communication link across a high-security, air-gapped network or the physical destruction of critical infrastructure. While Stuxnet represented a cyber threat at a new level, possibly even a weapon of mass destruction, we also learned that significant resources, tens of millions of dollars and many years, were required for its development, testing and operation. Stuxnet changed more than the level of sophistication thought possible for a threat: we could no longer claim that cyber threats are fundamentally asymmetric, where a lone individual, without attribution and with minimal resources, can cause major damage. The cybersecurity community began to argue that nation-state resources are required, at least initially, to create cyber weapons of mass destruction, just as they are for other weapons of mass destruction. All of a sudden the cybersecurity world seemed to make a bit more sense, with parity between the effort required to create a devastating threat and the effort required to protect against it.
 
Unfortunately, that comfort was pretty much lost on August 15, 2012 with the Shamoon Wiper virus attack on the Saudi Arabian Oil Co. (Aramco), the largest state-owned crude oil exporter. The Shamoon attack is considered among the most damaging direct attacks against any corporate information network: it wiped about 30,000 hard disks on desktops and servers, about 75% of Aramco's corporate workstations. Part of the success of the virus is attributed to picking the one day of the year when the most Aramco employees (about 55,000) were at home preparing for one of Islam's holiest nights of the year, Lailat al Qadr, which minimized the chance of detection and of a timely assessment of the attack's severity.
 
Two months later, Aramco employees continue to feel the impact of the attack, lacking access to corporate email and the internal network. Although Shamoon was unquestionably a major cyber attack, the extent of the damage was limited to the corporate information network, because Aramco's oil production and operations are on an isolated network. All agree that the attack could have been much worse if it had targeted the production infrastructure, as the Stuxnet attack did, which in turn could have triggered a worldwide increase in oil prices and secondary economic repercussions. Instead, the most damaging attack to a government's critical infrastructure to date barely made it into the Western popular press.
 
The attribution of the attack is still controversial. American defense and intelligence officials, notably Leon Panetta, U.S. Secretary of Defense, say the perpetrator was Iran, but have offered no specific evidence to support that claim, while security researchers argue it was a lone Saudi dissident with inside information and access. Aramco officials have remained silent about the attack, but sources say the Saudis have a suspect in custody who injected the virus from a USB stick while logged on to the originating host, and who presumably also retrieved, in person, the progress of the attack from an isolated internal host that collected the IP addresses of infected hosts.
 
Despite the obvious success of the attack, a detailed analysis of the virus by Dmitry Tarakanov of Kaspersky Lab observed that the malware shares nothing of the coding, sophistication or elegance of the Stuxnet/Flame/Duqu super-malware. For example, the wiper approach is clumsy and crude compared to the approach used in the Flame Wiper malware, and was copied from online resources. There are also naive, fatal programming errors that crippled some of the main functions, which further suggests haste and/or inexperience. These and other artifacts led researchers to conclude that the job was "quick and dirty." Kaspersky Lab concludes, "We've got other clues that people behind creating the Shamoon malware are not high-profile programmers and the nature of their mistakes suggests that they are amateurs, albeit skillful amateurs, as they did create a quite practicable piece of self-replicating destructive malware." U.S. officials say these flaws were intentionally introduced to hide the true perpetrator, and the controversy continues.
 
While it may take years to know who is responsible for the Shamoon attack, we do know that a relatively unsophisticated piece of malware, coupled with insider access, had a significant and lasting impact on the world's largest company in the global oil production and export critical infrastructure. And it could have been much worse. Because Aramco's information hosts and network are built on current Western systems, with few limits on the funding Aramco can devote to protecting them and with known threats seeking to attack them, it is reasonable to conclude that U.S. critical infrastructures and companies are equally vulnerable. So, unfortunately, we are back to the pre-Stuxnet assessment that critical infrastructures, including newcomers such as financial networks, are deeply vulnerable to skilled amateurs. And we do not have to invoke the sophistication of super-malware like Stuxnet to motivate the urgency of addressing the asymmetric cyber threat.