Learning incomplete lessons from a famous cyber-attack can lead to surprising and unpleasant results

“Almost to a person, the disaster planners concluded that the Abqaiq extralight crude complex was both the most vulnerable point of the Saudi oil system and its most spectacular target” – R. Baer, “Sleeping with the devil”.

When a cyber incident is publically disclosed it is not a time to name and blame. It is rather an opportunity to learn about what is happening in cyberspace behind the scenes and to identify what measures are still necessary to lock down the systems we are trying to protect. However if the story is incomplete it can also lead to choosing half-way or even wrong measures  to address threats that are only partially identified or understood.

Many of you may remember the cyber-attack directed at oil and gas company Saudi Aramco (SA) which began on August 15, 2012 at 11:08 a.m. This achieved some notoriety in the press at the time which focused on the complete data wiping of over 30,000 hard drives belonging to the computers and servers of one of the world’s most profitable companies.  The malware was later identified to be a variant of the Shamoon[1] wiper virus which was sitting for months as a “ticking” logic bomb inside Saudi Aramco’s IT networks. This “bomb” was time set to go off after a two hour warning published on Pastebin[2] by the alleged attackers calling themselves the “Cutting Sword of Justice” [3].  The disruption to the company’s business operations was much more severe than first thought with full recovery being achieved after 3 months of a massive brute force effort.  The extensive recovery work required spending top dollar to buy a team of cybersecurity professionals and use of the company’s fleet of aircraft to pick up and fly over new hard drives from the manufacturer. This was part of the effort to rebuild the lost ”85 per cent” of the companies IT systems.  Some of these facts I learned this past week after hearing a podcast https://darknetdiaries.com/episode/30/ that featured an interview with one of the principal responders called in to deal with the aftermath of this devastating cyber-attack. One that was characterized as “the most devastating cyber-attack on a company ever”[4]. A company that was more profitable and in world economic terms, more influential than Apple or Microsoft[5] .

This podcast as it reviewed the attack and derived lessons raised a surprising issue for me.  It came with the statement (made in the first minutes of the interview) that SA put most of their money “80 percent” into [cyber] securing their ICS or production networks and neglected to pay enough attention to their IT or business-office-administration part of the company. The argument was that since oil/gas production was the money making part of the company it was the ICS not the office IT side where  the security efforts and resources were applied.  This was given as the explanation for why the wiping virus was so successful on the office IT side (least cyber protected) and not on the heavily cyber hardened ICS side.

This characterization made by a key crisis responder claiming some inside knowledge made me wonder.  I always thought together with some commentators that the 2012 attack indicated that the attackers at that time were not able to attack the ICS side of the company mainly because their IT hacking skills were not sufficient to allow them to enter and cause trouble in the ICS of SA.  Using cyber to attack industrial control systems requires special knowledge of engineering, process control and safety systems.   The traditional IT attack skillsets that were adequate to attack websites and financial institutions were not directly applicable to attacking an industrial real-time control and safety system.  To put it bluntly it would be like a grammar school student trying to solve a problem in quantum mechanics.  Knowing about geometry and algebra will not be enough to find the solution. A deeper understanding is still required.   IMHO this interpretation is more in line with the publically available evidence. The bottom line one would think is that the attack in 2012 did not extend to the oil field ICS where real long lasting destruction could have been achieved simply because the attacker just didn’t have the specialized technical knowledge to do so. 

As a side note, later in the interview the action of the Shamoon virus was described as acting on any Windows OS or Windows dependent machine or application such as the “auto truck loading” and “payment” systems.  Internal communications were disrupted (management ordered disconnection from the Internet), no emails and no SharePoint[6] were available. It was said that the spreading of the attack was successful due to the company’s “flat network” architecture.  Meaning that all the companies’ networks (in Saudi Arabia and throughout affiliates in the world) and all ICS were connected on the same network.  This explains why the office IT was hit so hard.  However it also raised some doubt about the understanding of control systems in the interview. If the network was “flat” then how could they be sure the ICS was not also affected? Perhaps it was simply because the control networks were segmented off or air gapped. The interview gave away no details about the ICS side that could confirm this.  It could be rather that the attackers just didn’t have the knowledge to work effectively on the ICS side.

This most recent story of the Saudi Aramco attack in 2012 raises other questions.  Did the responders who seemed to all have come from IT security backgrounds have some understanding of the ICS/OT part of the company? Did they take a look at that side when doing their triage work to make sure things were still ok there? Or were they just relying on an IT bias that led them to assume the security measures (taking up 80 per cent of the resources) employed were adequate to secure the ICS from attack.  Or was it that no matter how much the attackers would have liked to damage the oil well and production facilities[7] they just did not have the smarts to do so.

On the other hand, the ones who tried to attack the control and safety systems of that that petrochemical facility in the Middle East (thought to be the same targeted company, SA) 5 years later certainly did.  It took a while but it seems the special skill sets became available [8] and one wonders if those same IT responders of 2012 would have been as successful in bringing the operations back to order. Something they apparently did quite magnificently in 2012.

Still the podcast offers some interesting lessons to learn, less known details on how bad the IT hit was on the company and about the extraordinary efforts made to recover[9].

Vytautas Butrimas

Vilnius, February 11, 2019


[1] https://www.symantec.com/connect/blogs/shamoon-attacks

[2]a website where you can store any text online for easy sharing. The website is mainly used by programmers to store pieces of sources code or configuration information  https://pastebin.com/faq#1

[3] https://pastebin.com/HqAgaQRj

[4] Rhysider, J.,  Darknet Diaries, Episode 30: Schamoon, Interview with Chris Kubeka. January 22, 2019 https://darknetdiaries.com/episode/30/

[5] https://www.bloomberg.com/news/articles/2018-04-13/the-aramco-accounts-inside-the-world-s-most-profitable-company

[6] https://support.microsoft.com/en-us/help/4028180/root-what-is-sharepoint

[7] For an idea of what a cyber-physical attack could do to Saudi Aramco’s ISC and related facilities read Baer, R., Sleeping with the devil, Three Rivers Press, N.Y. 2003, page xix-xxi “

[8] With the exceptions of those behind Stuxnet in 2010 and those responsible for the German steel mill attack in 2014

[9] Kubeka, C.,  BlackHat USA 2015 presentation, How To Implement IT Security After A Cyber Meltdown https ://www.youtube.com/watch?v=WyMobr_TDSI ff (to view video, remove space after “https” and paste to browser.)

http://scadamag.infracritical.com/index.php/author/vytautas/

NOTE: The views expressed within this blog entry are the authors’ and do not represent the official view of any institution or organization affiliated thereof. Vytautas Butrimas has been working in cybersecurity and security policy for over 30 years. Mr. Butrimas has participated in several NATO cybersecurity exercises, contributed to various international reports and trade journals, published numerous articles and has been a speaker at conferences and trainings on industrial cybersecurity and policy issues. Has also conducted cyber risk studies of the control systems used in industrial operations. He also collaborates with the International Society of Automation (ISA) on the ISA 62443 Industrial Automation and Control System Security Standard and is Co-chair of ISA 99 Workgroup 16 on Incident Management and member of ISA 99 Workgroup 14 on security profiles for substations.