A group of hackers calling themselves the "Cutting Sword of Justice" has once again raised the cybersecurity stakes by infecting approximately 30,000 computers run by Saudi Aramco, the world's largest oil company. The scope of the attack and profile of the target are significant in and of themselves, but perhaps more interesting are the unique tactics employed by the executors.
A surprising breakthrough
The Saudi Arabian government-owned oil company learned earlier this month that it had been infiltrated by a malicious virus originating from "external sources" and affecting approximately three-quarters of its computer workstations.
"We addressed the threat immediately, and our precautionary procedures, which have been in place to counter such threats, and our multiple protective systems, have helped to mitigate these deplorable cyberthreats from spiraling," Saudi Aramco CEO Khalid Al-Falih wrote in a statement to stakeholders.
Although Saudi Aramco was able to isolate its industrial control systems and ensure production processes were unaffected by the virus, Al-Falih's confirmation gave credence to claims Cutting Sword of Justice members had been making across Internet forums in the days leading up to the announcement. According to the New York Times, the hackers posted sets of IP addresses of infected machines allegedly used by Saudi Aramco employees and suggested that the attack was in response to the Saudi government's support for "oppressive measures" employed in countries across the Middle East.
Still, few seemed ready to believe a relatively unheralded group of cybercriminals could compromise the systems of the world's largest oil company. The direct application of a virus stands in stark contrast to the distributed denial of service (DDoS) tactics traditionally favored by politically motivated hackers.
"Hacktivists rarely use malware," Imperva security director Rob Rachwald told the Times. "The fact that they used malware is a spooky trend. If other hacktivists jump on this it could be very, very dangerous."
As Internet security experts dig deeper into the incident, many are suggesting that the malware used in the Saudi Aramco attack is an incarnation of the Shamoon virus.
Shamoon popped up on the cybersecurity radar in the days between the Cutting Sword of Justice attack and the company's confirmation, though experts did not draw the connection at the time. According to Computerworld, the malware can steal or wipe computer data before overwriting the master boot record to render the machine unbootable. Interestingly enough, the hackers seem to have had little desire to cloak this destructive malware in any elaborate disguise. Instead, the virus is delivered in email attachments associated with simple spear phishing campaigns.
The telltale sign that the Saudi Aramco infiltration was the handiwork of Shamoon, according to PCWorld, is its so-called "kill timer." After analyzing the virus's trigger mechanism, security researchers found that it was stamped with the exact time and date specified by Cutting Sword of Justice members in their boastings hours ahead of the oil company incident.
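The overwritten master boot record described above is the kind of damage an incident responder can confirm directly from the first sector of a disk image. The following is an added example, not code from the original article or from any of the researchers it cites: it parses a classic 512-byte MBR (446 bytes of boot code, four 16-byte partition entries at offset 0x1BE, and the 0x55AA signature at offset 0x1FE) and flags sectors that look wiped or overwritten. The three sample sectors are constructed for the example; nothing here is specific to Shamoon's own payload, which the article does not detail.

```python
import struct

SECTOR_SIZE = 512            # a classic MBR is the first 512-byte sector of the disk
PART_TABLE_OFFSET = 0x1BE    # four 16-byte partition entries start here
SIGNATURE_OFFSET = 0x1FE     # the last two bytes of an intact MBR are 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty entries of the four-slot MBR partition table."""
    entries = []
    for slot in range(4):
        # status (1), CHS start (3, skipped), type (1), CHS end (3, skipped),
        # LBA start (4, little-endian), sector count (4, little-endian)
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * slot)
        if ptype == 0:          # partition type 0x00 marks an unused slot
            continue
        entries.append({"slot": slot, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(sector: bytes) -> list:
    """Return a list of findings; an empty list means the MBR looks intact."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    boot_code = sector[:PART_TABLE_OFFSET]
    if not any(boot_code):
        findings.append("boot code area is all zeros")
    entries = parse_partition_table(sector)
    if not entries:
        findings.append("partition table has no entries")
    for e in entries:
        # only 0x00 (inactive) and 0x80 (bootable) are valid status bytes
        if e["status"] not in (0x00, 0x80):
            findings.append(f"slot {e['slot']}: invalid status byte 0x{e['status']:02x}")
        if e["lba_start"] == 0 or e["sectors"] == 0:
            findings.append(f"slot {e['slot']}: zero LBA start or length")
    return findings


def build_partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte entry; the CHS fields are left zero since LBA is what matters."""
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)


# Constructed sample sectors for the example (not captured from any real disk).
HEALTHY_MBR = (
    b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"                  # a few plausible boot-code bytes
    + b"\x90" * (PART_TABLE_OFFSET - 8)                   # padding up to the partition table
    + build_partition_entry(True, 0x07, 2048, 1_000_000)  # one bootable NTFS-type partition
    + b"\x00" * 48                                        # three unused slots
    + BOOT_SIGNATURE
)
ZEROED_MBR = b"\x00" * SECTOR_SIZE      # sector wiped with zeros
GARBAGE_MBR = bytes(range(256)) * 2     # sector overwritten with arbitrary bytes


if __name__ == "__main__":
    # On a real image you would read the first 512 bytes: open(path, "rb").read(512)
    for name, sector in (("healthy", HEALTHY_MBR), ("zeroed", ZEROED_MBR),
                         ("garbage", GARBAGE_MBR)):
        print(name, assess_mbr(sector) or "intact")
```

The healthy sector yields no findings; the zeroed one reports the missing signature, the empty boot code area and the empty partition table; the garbage-filled one fails the signature check and every slot carries an invalid status byte. Against a real disk image, the same checks on the first 512 bytes distinguish a machine whose MBR was overwritten from one that merely has a damaged file system.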
Security researchers may have a baseline view of how the attack was executed, but questions remain as to who was really behind the strike and if there is more to come. While some are labeling the incident as the first significant use of malware by hacktivists, others are suggesting that only state-sponsored programmers could pull off something of this magnitude.
Israel and Iran have been the main objects of speculation, largely because of their suspected involvement in the Stuxnet and DigiNotar incidents, respectively. But according to PCWorld, the Shamoon code contains several errors that experts insist would not have been left behind by groups that had previously produced cyberweapons.
Data Security News from SimplySecurity.com by Trend Micro