
Network Issues That Led to Shamoon Incident at Aramco - Case Study Example

Shamoon Incident at Aramco

30th November

Saudi Aramco is the world's largest single energy-sector organization that exports crude oil, and the reference government claims ownership. Major antivirus companies like Kaspersky named the virus that affected this company "Shamoon." The main aim of the attack was to destroy files and data, erase hard drives, and cripple the infected machines, and in this it succeeded. Indeed, Shamoon affected many companies, but its success at Aramco rates at 75% of the company's computers (Norman ASA, 2012, p.1). This was the first malware used by the hacktivism front, and hence the company's network was not in a position to handle the complexity of this virus. Indeed, unlike other malware whose impact cannot overcome the antivirus set in the company's network, the technology used in Aramco was way below that of the hackers. The network system in Aramco offers security against theft of data but has no capacity to handle the annihilation manifested by Shamoon. In addition, the company's anti-hacking and firewall software is incapable of dealing with such technologically advanced malware as Shamoon. Moreover, the company's IT and computer systems policies require a review.

Sadly, the network system of Aramco allows multiple users to access both unclassified and classified information at the same time, which jeopardizes the security of the system as seen in the Shamoon attack. In addition, Aramco's network allows its employees and expatriate employees to run information systems and then divulge such information, which acts as leeway to cyber-attacks. Indeed, the company needs to review and update its IT policies and computer systems for purposes of dealing with such complicated malware as Shamoon (Mashat, 2012, p.1). Otherwise, the ease of access, lack of proper authorization, and use of ancient anti-hacking and firewall software jeopardize the security of Aramco's network system.
How the Attack Happened

One group of hackers has claimed responsibility for the Shamoon attack on Aramco. The group, Cutting Sword of Justice, asserts that the cyber-attack began on Wednesday, Aug 15, 2012 at 11:08 AM and was complete within a few hours (Fisher, 2012, p.1). Although this information is not certain, there are clear indications that lead to this assertion. Indeed, on the same day that Cutting Sword of Justice asserted this, Saudi Aramco confirmed that part of the computer system used by its employees was under cyber-attack courtesy of a computer virus. In addition, several antivirus vendors (Kaspersky Lab, Symantec, McAfee) confirmed the existence of such a virus and named it Shamoon or Disttrack (Higgins, 2012, p. 16). Indeed, the hackers took the virus from another computer package and dropped it off in Aramco's computer system.

We may need to define the details of this virus to reinforce our understanding of how this attack happened. Shamoon or Disttrack is a legitimate software driver with a digital signature inside its package. Specifically, the virus is referred to as W32.Disttrack and has distinct security components. Indeed, W32.Disttrack has a dropper that played a major role in creating and providing the original infection. Subsequently, the dropper significantly dropped other modules in initiating the attack. In addition, W32.Disttrack has a wiper whose main responsibility in the attack was to destroy the network of the target system, Aramco. Moreover, the wiper has the capability to enable user-mode applications to read and write to disk sectors of other systems (Secretary of Defense Leon E. Panetta, 2012, n. p). As such, it is most applicable in overwriting the computer's Master Boot Record. Indeed, the wiper deleted all the existing drivers and overwrote the signed one in Aramco's network.
Most significantly, W32.Disttrack entails a reporter, which was significant in reporting the success of the attack to the attacker. The reporter sends back all the details relating to the domain name, the number and names of files overwritten, and the IP address of the destroyed computer. As such, Shamoon trashed all the files, overwrote the system's Master Boot Record (MBR), and consequently disabled the computer from the established network. This happened as Shamoon looked for and destroyed all downloads, pictures, documents, music, and video files in Aramco's computer system. After the successful attack, W32.Disttrack sent all the stolen files to a remote control center in the attacker's system. This attack led to a public debate and a possible review of Aramco's computer system. However, only the internet-connected computers suffered the attack. Statistically, about 30,000 (King, 2012, n. p) of Aramco's 50,000 computers crashed, making the Shamoon attack the greatest cyber-attack in Saudi Arabia.

How the Virus Went Through Their Network

As seen herein, Shamoon has an advanced and distinct set of capabilities that enabled it to go through Aramco's network and cause an attack of such magnitude. Assuredly, the virus accessed the network system of Aramco using hacked systems in several countries (Timothy, 2012, p. 1). Subsequently, the hackers sent the malware to destroy the exposed and networked computers at Aramco. Notably, the virus used the destroyed computers in Aramco's network as a kind of proxy server to gather data stolen from the destroyed computers. Furthermore, the attacker controlled an internal machine with a direct connection to the internet. Subsequently, the attacker used the internet-connected internal machine as a proxy to the external Command-and-Control (C2) server (Fisher, 2012, p.1).
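The relay pattern described above, an internet-connected internal machine fronting for machines that have no internet path of their own, leaves a trace in network flow logs. The following is an added example, not part of the original essay, that flags such hosts from flow records; the record format, the 10.0.0.0/8 internal range, the sanctioned-proxy list and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
SANCTIONED_PROXIES = {"10.1.9.10"}               # assumed approved web proxy
# Constructed flow records "src dst dst_port"; every address is invented.
SAMPLE_FLOWS = """\
10.1.5.20 10.1.5.77 445
10.1.5.21 10.1.5.77 445
10.1.5.22 10.1.5.77 445
10.1.5.77 203.0.113.50 80
10.1.5.30 10.1.9.10 8080
10.1.5.31 10.1.9.10 8080
10.1.5.32 10.1.9.10 8080
10.1.9.10 198.51.100.7 443
10.1.5.40 10.1.5.41 445
10.1.5.41 198.51.100.7 443
"""

def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL

def find_relay_candidates(flow_text, min_peers=3):
    """Map each unsanctioned internal host that talks to the internet to the
    internal clients contacting it that have no internet traffic themselves."""
    outbound = defaultdict(set)   # internal host -> external destinations
    inbound = defaultdict(set)    # internal host -> internal clients
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue              # skip blank or malformed records
        src, dst, _port = parts
        if not is_internal(src):
            continue              # only flows that originate inside matter
        if is_internal(dst):
            inbound[dst].add(src)
        else:
            outbound[src].add(dst)
    findings = {}
    for host, clients in inbound.items():
        if host in SANCTIONED_PROXIES or host not in outbound:
            continue              # approved proxy, or host never leaves the LAN
        isolated = sorted(c for c in clients if c not in outbound)
        if len(isolated) >= min_peers:
            findings[host] = isolated
    return findings

if __name__ == "__main__":
    print(find_relay_candidates(SAMPLE_FLOWS))
```

Lowering `min_peers` widens the net at the cost of more findings to triage; the sanctioned-proxy list keeps the approved egress point out of the results.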
Hence, through this proxy, the attacker gained access to other internal machines that did not have a direct internet connection and destroyed them entirely. The ability of the virus to overwrite the master boot record of infected machines after stealing data was significant at this level. Hence, the virus used the wiper component to execute the instructions to delete the data on the hard disk and overwrite the Master Boot Record, thus destroying Aramco's network. Moreover, the attacker used the local network to retrieve the stolen data and the internal proxy to send it to the attacker's command-and-control servers. As a result, Shamoon went through Saudi Aramco's network and subsequently destroyed a significant number of computers.

Works Cited

Fisher, D. (2012) Some Signs Point to Shamoon as Malware in Aramco Attack, Accessed 30th November 2012, http://threatpost.com/en_us/blogs/some-signs-point-shamoon-malware-aramco-attack-082212

Higgins, K.J. (2012) "New Attack's Mode Of Operation Is Data Sabotage, Not Theft", InformationWeek, no. 1342, p. 16.

King, R. (2012) Virus Aimed at Iran Infected Chevron's Computer Network, New York, N.Y., United States.

Mashat, M. (2012) What Saudi Aramco can learn from the Shamoon virus attack, Accessed 30th November 2012, http://www.saudigazette.com.sa/index.cfm?method=home.regcon&contentid=20120827134105

Norman ASA Security Experts Available to Discuss Saudi Aramco Hacking Incident, New Shamoon Malware (2012) New York, United States.

Secretary of Defense Leon E. Panetta Delivers Remarks on Cyber security to the Business Executives for National Security (2012) Lanham.

Timothy (2012) Shamoon Malware Linked To Saudi Aramco Attack, Accessed 30th November 2012, http://it.slashdot.org/story/12/08/25/0535221/shamoon-malware-linked-to-saudi-aramco-attack