Insiders implicated in Aramco malware attacks

Shadowy cyber-criminals and third-party attackers generate the most headlines, but sometimes the bad guy is sitting just a few feet away in the same office.

That appears to be the case at Aramco, the world's biggest oil company, based in Saudi Arabia, according to Reuters. In August, Aramco disclosed that malware had infected 30,000 of its systems. The malware deleted the data on the computers and then rendered the machines unusable. The Aramco incident may be the largest malware-based attack on a single organisation in history, and it took the oil company two weeks to recover.

Insiders with high-level access to Aramco's network helped attackers target the organisation, sources familiar with the investigation told Reuters. The attack was made possible by "someone who had inside knowledge and inside privileges within the company," Reuters reported. The source did not say whether the attack was launched remotely or locally from a workstation within Aramco's offices.

A hacking group called "The Cutting Sword of Justice" claimed responsibility for the attack, and threatened to release copies of the documents they stole before destroying the machines. No documents have been published as of this time.

It is believed that Aramco was infected with Shamoon, a highly destructive malware that wipes computers' hard drives before corrupting the master boot record to make it impossible to reboot the machine. "Threats with such destructive payloads are unusual and are not typical of targeted attacks," said Symantec in its analysis of the malware.

Bad Apples Can be Anywhere

While "certain insider attacks" may occur more often in certain industry sectors, no sector is free from malicious insiders, Todd Lewellen, information security analyst for the CERT Insider Threat Center, wrote in Carnegie Mellon Software Engineering Institute's Insider Threat Blog on Friday. A cursory search across different industry sectors revealed "just how indiscriminately insider attacks can appear throughout public and private sectors," he wrote.

Examples included financial fraud committed to pay personal expenses, espionage, and sabotage by angry employees after being fired. Lewellen also cited the case of a temporary contractor for an oil-exploration company who planted malware to disable a supervisory control and data acquisition (SCADA) system after the company declined to hire him full-time.

In Aramco's case, sources did not tell Reuters how many moles worked with the attackers to help carry out the attacks or whether they were Aramco employees or outside contractors.

Know What's Happening On Your Network

Insider attacks are relatively rare, accounting for just four per cent of data breaches in 2011, according to the annual data breach report released by Verizon Business earlier this year. Even so, organisations need to monitor what is going on within their network as well as watching what is trying to get in. Administrators should be able to monitor all network traffic and then associate that traffic with actual user identities, Darren Anstee, a solutions architect at Arbor Networks, told Security Watch. It's important to have a baseline of who uses which systems, when, and how often, so that malicious insider behaviors and compromised devices are detected as soon as possible, Anstee said.
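The baselining Anstee describes (who uses which systems, when, and how often) can be reduced to a small check over authentication or access logs. The following is an added example, not code from the article or from Arbor Networks; it assumes a constructed whitespace-separated log of `timestamp user host` records and flags accesses to a host a user has never touched, or at an hour well outside that user's usual window for that host.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample access records (not from the article): "timestamp user host".
BASELINE_LOG = [
    "2012-08-01T09:12:00 alice fileserver01",
    "2012-08-02T09:30:00 alice fileserver01",
    "2012-08-03T10:05:00 alice fileserver01",
    "2012-08-01T08:50:00 bob hr-db01",
    "2012-08-02T09:10:00 bob hr-db01",
    "2012-08-03T09:40:00 bob hr-db01",
]

# Constructed records to review against the baseline.
REVIEW_LOG = [
    "2012-08-14T09:20:00 alice fileserver01",  # matches baseline: normal
    "2012-08-14T02:15:00 bob hr-db01",         # known pair, but at 02:00
    "2012-08-14T14:00:00 bob scada-hmi01",     # host bob has never accessed
]

def parse(line):
    ts, user, host = line.split()
    return datetime.fromisoformat(ts), user, host

def build_baseline(lines):
    """Per (user, host) pair: how often it occurs and which hours of day were seen."""
    baseline = defaultdict(lambda: {"count": 0, "hours": set()})
    for line in lines:
        ts, user, host = parse(line)
        entry = baseline[(user, host)]
        entry["count"] += 1
        entry["hours"].add(ts.hour)
    return baseline

def find_anomalies(baseline, lines, hour_slack=2):
    """Return (user, host, reason) for accesses that deviate from the baseline.

    A pair never seen before is always flagged; a known pair is flagged when the
    hour falls outside [earliest seen - slack, latest seen + slack].
    """
    findings = []
    for line in lines:
        ts, user, host = parse(line)
        entry = baseline.get((user, host))
        if entry is None:
            findings.append((user, host, "new user/host pair"))
            continue
        lo = min(entry["hours"]) - hour_slack
        hi = max(entry["hours"]) + hour_slack
        if not lo <= ts.hour <= hi:
            findings.append((user, host, f"access at {ts.hour:02d}:00 outside usual window"))
    return findings
```

In practice the baseline would be built from weeks of directory or VPN logs and the review run continuously, with findings fed to an analyst rather than treated as proof of wrongdoing.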

Situational awareness on the network might have allowed Aramco to "detect unusual traffic patterns, unusual user access to systems, data exfiltration or other network behaviors which might have been indicative of the virus as it spread – allowing them to react more quickly and minimise the impact of the incident," he said.