- The Washington Times - Monday, August 27, 2012

Politically motivated hackers shut down the computer network of the world’s largest oil company for more than 10 days this month, the first time such a group has employed the kind of sophisticated cyberweapons typically used by national governments.

Saudi Arabian Oil Co., the national oil company of Saudi Arabia, said over the weekend that it had restored its network following the Aug. 15 attack, which affected more than 30,000 computer work stations.

The company said in a statement that its production and refining systems were unaffected by the attack because they are walled off from the main computer network.

“We addressed the threat immediately, and our precautionary procedures have helped to mitigate these deplorable cyberthreats from spiraling,” said Khalid A. Al-Falih, president and CEO of Saudi Aramco.

But at least one website the company operates, aramco.com, remained down Monday.

“We are working diligently to restore services to normal as soon as possible,” said a statement on the website.

The company’s Houston-based U.S. office referred requests for comment to its headquarters in Saudi Arabia. But emails sent there bounced back, suggesting that work to restore the company’s computer system was still ongoing.

The hackers have not been so tight-lipped.

A group calling itself the Cutting Sword of Justice claimed responsibility for the attack, saying it was in protest of the Saudi royal family’s support for “oppressive measures” in Arab countries “such as Syria, Bahrain, Yemen, Lebanon, [and] Egypt.”

Aramco was attacked “as the largest financial source for [the] al-Saud regime,” the group said in a statement written in broken English and posted online.

“This is a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression,” the group concluded, inviting “all anti-tyranny hacker groups all over the world” to join them.

Security specialists say that the claim has credibility because the hackers revealed technical details in their post that match what is known about the attack.

If online activists, known as “hacktivists,” were indeed responsible, the incident would mark a significant escalation of the threat from such groups, the specialists say. Previous high-profile politically motivated computer attacks, such as those by the shadowy collective known as Anonymous, have not used malicious software, or malware, which is designed to disrupt computer operations. They have generally aimed at stealing information, not destroying it.

The attack against Saudi Aramco was a sophisticated, two-stage operation, in which the hackers first seized control of one computer at the company and then used that as a doorway to attack many thousands of other work stations on the network, said Aviv Raff, chief technology officer for the Israeli security firm Seculert.

Once inside the system, the hackers appear to have installed a malicious program called Shamoon, which propagated itself rapidly across the network. On Aug. 15, the program caused the infected computers to wipe clean their own hard drives, deleting any data stored on them, and effectively hiding the hackers’ tracks.

Such attacks are rare, according to computer security firm Symantec Corp., which analyzed a sample of the malware it obtained from an affected company it said was in the Middle East energy sector but declined to further identify.

“Threats with such destructive payloads are unusual and are not typical of targeted attacks,” which usually aim to steal data not destroy it, Symantec said on its website.