Slashdot Mirror


Cyber Attack Knocks Offline Saudi Aramco

wiredmikey writes "Saudi Aramco, Saudi Arabia's national oil company and the largest oil company in the world, confirmed that it has been hit by a cyber attack that resulted in malware infecting user workstations and forcing IT to kill the company's connection to the outside world. '..An official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network,' the company wrote in a statement. This incident follows an attack on systems at the National Iranian Oil Company back in April, when a virus was detected inside the control systems of Kharg Island oil terminal, which also resulted in the company taking its systems offline. In response to continued cyber attacks against its networks and facilities, Iran earlier this month said it plans to move key ministries and state bodies off the public Internet to protect them from such attacks."

67 comments

  1. When I was by Dyinobal · · Score: 4, Interesting

    When I was a Jr IT Admin, and our systems got infected by some Malware or a worm, we didn't call it a cyber attack, we just bitched about it and fixed the problem and wondered who the hell opened the attachment they got in their email.

    1. Re:When I was by Nrrqshrr · · Score: 4, Funny

      But then how did you blame the Zionist lobbies?

    2. Re:When I was by Krneki · · Score: 4, Interesting

      There is a key difference.

      You got infected by a generic virus. In this case it seems the attack was specifically designed to target this company.

      On a side note. Let me guess, another Windows IT infrastructure.

      --
      Love many, trust a few, do harm to none.
    3. Re:When I was by Trepidity · · Score: 1

      That's not clear from what's being reported here. The summary mentions a facility-specific attack on an Iranian oil terminal, but from the description this Saudi virus infection just seems to be an ordinary infection of a bunch of PC workstations.

    4. Re:When I was by camperslo · · Score: 1

      These sorts of attacks go well beyond an inconvenience on a desktop, potentially affecting physical operations. It seems like the media doesn't know enough to dig deeper when something goes wrong.

      Examples of media not doing investigative journalism:
      No reports that I could find mentioned the possibility of a cyber event, or solar flares and the arriving CME as possibly affecting power in India recently. They were quick to blame capacity, even though the initial outage struck at about 2 AM, which is not at peak demand.

      Poop spills in California
      http://www.fresnobee.com/2012/08/01/2932799/reedley-sewage-leaked-for-10-hours.html

      "alert system" sure sounds like control system to me. And two of them were affected at once, not typical for a hardware problem.

      http://www.keyt.com/news/local/san-luis-obispo-county/Sewage-Spill-Dumps-600-Gallons-into-the-Ocean-163635726.html

      And the Richmond refinery near San Francisco had problems around the same time.

    5. Re:When I was by Anonymous Coward · · Score: 0

      Getting infected with malware is not the same as getting hit with a cyber attack that resulted in a malware infection. I am guessing that they have solid evidence of an intrusion, and that the malware was directly linked to the intrusion. I am guessing that it also isn't just some annoying popup/scamware problem, nor is it a generic botnet. Most likely, a lot of systems started bugging out at the same time, they found the malware, noticed that it wasn't some generic worm, looked at server logs, found the command which launched the malware, traced that user to an abnormal source ("an IP address in China? We don't have any workers in, or routing through, China"). That's a very simplified version, and only the real security experts would know just how complicated the intrusion investigation process really is.

    6. Re:When I was by jhoegl · · Score: 2

      Yeah, the article links the two but the article's information shows it as being a generalized malware or virus. They may be being overcautious on this one, but the article attempts to inject fear, speculation, and link an unrelated incident to this.
      Glad I have adblocker to make sure these fearmongering to sell adspace jackasses got no money from my visit.

    7. Re:When I was by Anonymous Coward · · Score: 0, Funny

      No shit, Sherlock.

    8. Re:When I was by fm6 · · Score: 1

      No no, the Zionist Lobbies secretly control all American politicians. They're too busy with that to bother with sabotage. For that, look to Mossad. Let's keep our conspiracy theories straight!

    9. Re:When I was by X.25 · · Score: 1

      When I was a Jr IT Admin, and our systems got infected by some Malware or a worm, we didn't call it a cyber attack, we just bitched about it and fixed the problem and wondered who the hell opened the attachment they got in their email.

      Yes, because what you've been hit with is exactly the same as what they've been hit with.

      Sigh.

    10. Re:When I was by IamTheRealMike · · Score: 4, Interesting

      On a side note. Let me guess, another Windows IT infrastructure.

      Absolutely. That's not because Saudi Aramco is incompetent. I believe they would actually be one of the largest companies in the world, if they weren't state owned. They run operations on a truly mind blowing scale with very few problems or disruptions (when was the last time you heard about them?).

      The reason is unfortunately far more depressing than one incompetent company. The reason is that the industrial process control world long ago standardized on Microsoft DCOM as the protocol used for monitoring and controlling large systems. DCOM is an insanely complicated protocol - trust me on this, I'm one of the very few people in the world who has reimplemented it. Therefore it's natural to use Microsoft's implementation, which means Windows. Technically the protocol is called "OLE for Process Control" (OPC). In particular Saudi Aramco's Abqaiq stabilization facility, through which around 1/8th of the world's oil supply flows, uses OPC extensively.

      Incidentally Abqaiq, like all of Aramco's big facilities, is defended by some pretty insane security. The guards there are heavily armed and shoot first, ask questions later. They need to - a few years ago suicide bombers attempted to detonate a truck inside the complex. I've read they also have SAM sites and fighter jets on 24/7 standby in case somebody tries to crash a plane into it.

      I think it's very likely that this is an extension of America and Israel's war against Iran, targeting their industrial/economic infrastructure instead of just uranium enrichment. The MO matches that of Stuxnet and we know that they're rather careless about letting their creations escape and cause havoc outside the intended targets. The stories we saw recently about code encrypted under a hash of various file paths sounds strongly like it was intended to match an unknown computer that performs a specific function, rather than a specific computer that was already reconned, otherwise the key could just be a hash of the HDD serial numbers/MAC addresses or other things that are less likely to change. One can imagine that the target computer might be inside an Arabic speaking oil refinery. Typically these refineries and facilities are built by a small number of western contractors. One can also imagine that computers meeting the target configurations exist not only in Iranian facilities but also other countries.

    11. Re:When I was by nbauman · · Score: 0

      No, no! The Zionist lobby is actually an elaborate scheme by horny IDF soldiers to schtupp stupid Jewish girls from Great Neck and Los Angeles. http://www.jewlicious.com/2011/02/the-unofficial-guide-to-sex-on-birthright-israel/

    12. Re:When I was by Krneki · · Score: 1

      I understand, you need Windows to operate the main system, but ... you can isolate these servers from the rest of your network. Make them accessible only via Remote desktop and have all the other PCs on Linux. Yes, it costs more and you need to train your employees to use different GUIs. In the end is your improved downtime and security worth the cost?

      --
      Love many, trust a few, do harm to none.
    13. Re:When I was by Anonymous Coward · · Score: 0

      That's when you were a Jr. :) A Sr. Admin would automatically classify this as a wide network-threat as infection spreads very quickly.

    14. Re:When I was by SlashDev · · Score: 1

      No need to blame anyone when they openly take credit.

      --

      TOP DSLR Cameras Reviews of the top DSLRs
    15. Re:When I was by Anonymous Coward · · Score: 0

      as far as I know most of their equipment is linux based

    16. Re:When I was by CAIMLAS · · Score: 1

      There are different approaches to the same problem, often with different motivations (even for the same outcome).

      In this case, I'm guessing it's because they either have highly skilled Westerners working for them and there was a really bad threat, or this is a typical display of Arab Ingenuity. For whatever reason, "fixing" something over there means hitting it with a hammer until it's fixed, Inshallah.

      Interesting that the outcome may have been from drastically oppositional approaches. :P

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    17. Re:When I was by Anonymous Coward · · Score: 0

      It's not a generic virus. It has affected workstations on a widespread scale which now no longer boot to an operating system (sounds like boot sector or something trashed). How many current generic viruses do this rather than allowing remote access, spamming etc? The goal was to knock out infrastructure not take over systems for general malware purposes. Then again, their own IT department may have done something remotely to disable all workstations while they work to recover everything? There's no official statement yet and I can only go on what I've been told by an employee there.

    18. Re:When I was by rtfa-troll · · Score: 1

      you can isolate these servers from the rest of your network.

      In the end you need to get data to and from the computers. As long as you have buffer overflows and executable data formats like excel and word there will be a way in. Remember the Stuxnet attacks against Iran were based on USB pen drive transfers. This means that network isolation is not adequate on its own and may even be an outdated counterproductive move.

      --
      =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
    19. Re:When I was by blind+biker · · Score: 1

      I think it's very likely that this is an extension of America and Israel's war against Iran, targeting their industrial/economic infrastructure instead of just uranium enrichment. The MO matches that of Stuxnet and we know that they're rather careless about letting their creations escape and cause havoc outside the intended targets. The stories we saw recently about code encrypted under a hash of various file paths sounds strongly like it was intended to match an unknown computer that performs a specific function, rather than a specific computer that was already reconned, otherwise the key could just be a hash of the HDD serial numbers/MAC addresses or other things that are less likely to change. One can imagine that the target computer might be inside an Arabic speaking oil refinery. Typically these refineries and facilities are built by a small number of western contractors. One can also imagine that computers meeting the target configurations exist not only in Iranian facilities but also other countries.

      Iran is not an Arabic country, Iranians are not Arabs, they do not speak Arabic - they speak Farsi. It's a completely different language, and while they do use a version of the Arabic script, the words are completely different and folders, paths etc. will be likewise entirely different between an Iranian and an Arab installation.

      --
      "The agriculture ministry is not in charge of Gundam" - Japanese ministry official.
  2. FROMATES to the rescue by Anonymous Coward · · Score: 0

    Any idea which Microsoft Windows vulnerability was exploited?

    1. Re:FROMATES to the rescue by Anonymous Coward · · Score: 1

      The human.

  3. is it wrong? by Anonymous Coward · · Score: 1

    Is it wrong that I feel like cheering?

    They don't want us to be able to see scantily clad women. That makes me pissed off right there.

    1. Re:is it wrong? by Anonymous Coward · · Score: 0

      They got a point - you with your bare ankle pictures.

    2. Re:is it wrong? by fuzzyfuzzyfungus · · Score: 3, Interesting

      Is it wrong that I feel like cheering?

      They don't want us to be able to see scantily clad women. That makes me pissed off right there.

      On the other hand, this was an attack against their oil export capacity. The faster the rest of the world can suck the hydrocarbons out of the middle east, the faster we can go back to letting them fight amongst themselves over god's own sandbox on earth...

    3. Re:is it wrong? by Jeng · · Score: 1

      the faster we can go back to letting them fight amongst themselves over god's own litterbox on earth

      Fixed that for you. God made cats in his own image, we are merely servants.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    4. Re:is it wrong? by SuricouRaven · · Score: 1

      The target is an arm of the Saudi state. The same state which makes it a criminal offense to try to preach any faith other than Islam, or for women to leave the house without their male owner in escort. This attack is just a big game of Dicks vs Assholes, and right now I'm cheering for the Dicks.

    5. Re:is it wrong? by VortexCortex · · Score: 1

      No. The faster we can stop sucking oil out the better. Raising the price of oil actually helps in this regard.

  4. Old news by Anonymous Coward · · Score: 0

    This is so Jurassic Park.

  5. Submitter writes weirdly headlines by wonkey_monkey · · Score: 1

    That is all.

    --
    systemd is Roko's Basilisk.
    1. Re:Submitter writes weirdly headlines by governorx · · Score: 1

      Weirdly Headlines Submitter Writes

    2. Re:Submitter writes weirdly headlines by Bob+the+Super+Hamste · · Score: 1

      I think we now know Yoda's /. user name though.

      --
      Time to offend someone
    3. Re:Submitter writes weirdly headlines by MrMe · · Score: 1

      A mere imposter if that is the case. Yoda would say something like "Offline cyber attack knocks Saudi Aramco hmmmmmm"

  6. hindsight as a security policy by Nyder · · Score: 1

    Iran earlier this month said it plans to move key ministries and state bodies off the public Internet to protect them from such attacks

    One wonders why they were on the internet (public or otherwise) to begin with.

    --
    Be seeing you...
    1. Re:hindsight as a security policy by fuzzyfuzzyfungus · · Score: 2

      To download critical security updates and antivirus definitions! Don't you care about Best Practices?

    2. Re:hindsight as a security policy by tlhIngan · · Score: 1

      Iran earlier this month said it plans to move key ministries and state bodies off the public Internet to protect them from such attacks

      One wonders why they were on the internet (public or otherwise) to begin with.

      Because they need to communicate with citizens? It's like a business that has a website, but insists that you phone them to place an order because they don't want to have an attack that may expose customer data.

      Of course, even airgapped networks aren't invulnerable... I hear some centrifuges got destroyed despite the control systems working on a completely separate, airgapped network, because said control systems got infected. What was it called? Stacks-net? Stock-net?

    3. Re:hindsight as a security policy by Bob+the+Super+Hamste · · Score: 1

      I know you were going for funny but it is sadly informative. This is way more common than it should be but is driven by higher ups who think they know better.

      --
      Time to offend someone
  7. Is it bad that when they mentioned Kharg Island... by jpedlow · · Score: 1

    ...I thought of battlefield 3 and ripping through there in a littlebird heli? :D :\

  8. largest company of any kind in the world actually by Anonymous Coward · · Score: 0

    not just oil

  9. Fun by benjfowler · · Score: 0

    War between heavily-armed sectarian enemies who hate each other even more than they hate the dirty kuffar West. That's what I call a self-cleaning oven.

    *gets popcorn*

    This is gonna be *FUN*

  10. Ok then by Impy+the+Impiuos+Imp · · Score: 1

    They assume it got in through official channels rather than myriad censor-bypassing routes, including smart phone tethering.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  11. weird by Anonymous Coward · · Score: 1

    why would the jews and americans attack americas number one ally in the middle east?

  12. Some would say Israel by ThatsNotPudding · · Score: 4, Insightful

    I would bet crooked (as if there are any other kind) daytraders.
    1. Buy up oil futures.
    2. Release your malware and let the news cycle gin up oil prices.
    3. Profit!!

    1. Re:Some would say Israel by Anonymous Coward · · Score: 0

      Ssssshhhhh....

      sgt_doom

    2. Re:Some would say Israel by sneakyimp · · Score: 1

      Great idea Mortimer! It almost worked with all that Frozen Concentrated OJ.

    3. Re:Some would say Israel by HornWumpus · · Score: 1

      What you are looking for is out of the money call options.

      They let you buy something in the future at a price higher then forecast plus expected uncertainty and are generally pretty cheap. You can buy a metric assload of them.

      If you are expecting something to drop in price you want out of the money put options.

      Key advantage. Your losses are limited to the up front premium.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:Some would say Israel by Anonymous Coward · · Score: 0

      "They let you buy something in the future at a price higher then forecast plus expected uncertainty and are generally pretty cheap."

      Could you write that in English please, is it higher than or higher then.

    5. Re:Some would say Israel by HornWumpus · · Score: 1

      Fuck off grammarian. Get cancer of the asshole and die slowly.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    6. Re:Some would say Israel by Anonymous Coward · · Score: 0

      LOL, grammar? no, the problem is you can't spell a simple word like 'than'. Fucked up United States of Americanian fucking up the beautiful language the British gave you. Just because you pronounce words like you have a large asthmatic bee in your nose doesn't mean you have to spell it like you sound it.

  13. Sales! by number6x · · Score: 1

    Someone has a new IT infrastructure they want to sell to the Saudis.

    First create the demand with the 'cyber attack', then be ready to supply the solution.

    Should be able to charge a huge price tag.

    1. Re:Sales! by Candyban · · Score: 2

      Someone has a new IT infrastructure they want to sell to the Saudis.

      First create the demand with the 'cyber attack', then be ready to supply the solution.

      Should be able to charge a huge price tag.

      First of all they already pay a huge price tag for everything. That is the downside of having too much money and no need for anyone to actually understand anything.

      Second, if you knew how things were run, you would be surprised we do not have continuous failures due to infections.

      Transformers, switchgear and other control room infrastructure is built and once every 5 years someone will go there to change some filters. The whole thing runs 24/7 automatically and is being monitored remotely. After 20+ years, the substation is in need of an overhaul or it is decommissioned.
      Before 2000, most "logic" components were either PLC or electrical circuitry. Nowadays more and more components are electronic (cheaper, more flexible and more accurate) and controlled by "regular" PCs running windows.
      As I said before, no living soul enters the substations in 5 years and no one will update components (if it ain't broken, don't fix it). However other substations (in the process of being constructed) have the broadest range of computer illiterates, all typing stuff on their old laptops and passing around memory sticks, clicking whatever to get rid of pesky popups, running in and out of the construction yard.

  14. in the article by nimbius · · Score: 1

    this attack only affected workstations, so it's safe to assume it wasn't tailored specifically to the corporation like say stuxnet.

    more importantly, who seriously cares. it seems like every other article about malware or worms is ginned up as a cyber attack or cyber terrorism or some other buzzword invented by the DoD or defense contractors to gin up support for defense spending. If we're keeping score, the siberian pipeline attack by the CIA in 1982 is when "cyber" attacks first started. http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage

    --
    Good people go to bed earlier.
  15. what are these systems doing on the internet?? by lkcl · · Score: 1

    i have a simple question. why are these systems - and systems like them in the USA such as power grid systems - attached to the world-wide internet in the first place? surely people understand that critical systems must be physically isolated, yes? they do have two computers, one on each side of the room, yes? one set of computers controls the critical hardware, and the other set is for administrative purposes, to do email, surf for porn when the staff are bored and so on, yes? do these people in these companies, whether they be in iran, iraq, saudi arabia or the USA, not understand basic security procedures for running mission-critical systems??

    1. Re:what are these systems doing on the internet?? by SuricouRaven · · Score: 1

      I think perhaps they are, but the reporting doesn't describe exactly what was infected. Not all of the computers at any large organisation are used for ultra-high-security work - there's also a lot of office staff with desktops for routine administrative things which become a lot easier if they have email and web access to do research and communicate with the outside world.

  16. Interesting side effects may come from this by Anonymous Coward · · Score: 1

    Interesting side effects may come from this. These are very targeted and sophisticated attacks, the hardest to defend against. Countries like Iran and Saudi Arabia could become the security leaders in the world simply from having to defend themselves against the best of the best.

    One thing China is very good at is not showing their hand too early. They plan long term, infiltrate, bide their time and strike when everything is perfect, leaving their targets unprepared (scary, huh?). This is in contrast to whoever is attacking Iran and Saudi, really they're just making them stronger by helping them build their skills, defenses, and techniques.

    1. Re:Interesting side effects may come from this by EmagGeek · · Score: 3, Informative

      Not entirely true. China does occasionally show a card or two in their hand, like surfacing an attack sub in the middle of a US carrier strike group.

  17. Motivation by GameboyRMH · · Score: 2

    No way the US or Israel would strike at the jugular of the world's economy, it doesn't make sense. I'd guess Iran (make some countries drop the embargo), "wreck their shit" anarchists (this is a great way to wreck shit) or eco-terrorists (reduce CO2 emissions and give the world a taste of what will happen when the oil runs out).

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  18. Yep, they all run windows. by Anonymous Coward · · Score: 1

    I used to work for a process controls company. Everything migrated from purpose-built embedded code and machines to COTS hardware to "save money."

    The result was that the system became 5 times more expensive, 10 times more complicated, and 20 times more failure-prone.

    Instead of buying a $1000 control board that was built for its special purpose, our customers instead had to buy a $10,000 PC running Windows, preinstalled with the McAfee Virus (which caused plenty of problems of its own with real-time control), a $4000 communications board to interface with the control network, and another $25,000 worth of special software to duct-tape the control platform to the new "cheaper" commercial-off-the-shelf control master.

    Of course, doing this enabled them to use "commodity talent" rather than actual seasoned hardware engineers, so of course some VP got his huge bonus for moving jobs overseas. And, the customers suffered.

    1. Re:Yep, they all run windows. by HornWumpus · · Score: 1

      Where can I buy a 10K PC?

      That machine must rock. How many FPS?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Yep, they all run windows. by CAIMLAS · · Score: 1

      You're an idiot.

      $10k is a not-uncommon cost for a middle of the range IBM server.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    3. Re:Yep, they all run windows. by HornWumpus · · Score: 1

      Server used for embedded control? SAN array as well?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
  19. Ignorance by Anonymous Coward · · Score: 0

    Cyber Attack Knocks Offline Saudi Aramco

    I had to read that headline three times before I understood what the author intended.

    Why? Because of his misuse of the word "offline". He meant to write "off line".

  20. Oil Prices Sky Rocket by Anonymous Coward · · Score: 0

    Great, oil prices will skyrocket now.