Saudi Oil firm says 30,000 computers hit by virus

Saudi Arabia's oil company, Saudi Aramco, says its main internal network is back up after a virus affected 30,000 work stations in mid-August, but the source of the attack remains unclear.

Saudi Aramco said all of the affected workstations have all been cleaned and restored to service and normal business resumed on Saturday when employees returned to work following the Muslim Eid holidays. The primary enterprise systems of hydrocarbon exploration and production were unaffected because they are kept on isolated network systems. Meanwhile, remote Internet access to online resources has been restricted, the statement said.

Saudi Aramco blamed a "malicious virus that originated from external sources" and said it was continuing to "investigate the causes of the incident and those responsible for it," in a statement released yesterday. There was no direct mention of hackers who had claimed responsibility for attacking the energy company.

"Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber-attack," Khalid A. Al-Falih, president and CEO of Saudi Aramco, said in the statement.

At least one main Aramco Web site remained down today.

A group calling itself Cutting Sword of Justice posted a message on the Pastebin site on August 15, the same day Saudi Aramco started having problems, claiming to have sent a malicious virus to destroy 30,000 computers in the energy company. The group said it was targeting Aramco, "the largest financial source for Al-Saud regime," because it supports "crimes and atrocities" against citizens in Syria, Egypt, Lebanon and other neighboring countries.

There have been a series of posts, from that group, as well as Arab Youth Group, and possibly a third. The next day another Pastebin post claimed that data and operating system files were wiped out on the client computers and that 2,000 servers were affected, while another post listed what it said were the IP addresses supposedly from Aramco's internal network.

A subsequent post referred to the "Shamoon attack." Shamoon is malware that destroys data, according to a Symantec report on August 16. The malware was being used in targeted attacks including against at least one energy company in the Middle East, but researchers have not named the victim.

Security expert Jeffrey Carr, CEO of Taia Global, speculates in a blog post today that the attack was orchestrated by Iran to retaliate against Saudi Aramco for committing to make up for cuts in Iran's oil exports as a result of the U.S.-European Union embargo.