Malicious Life Podcast: Shamoon - The Biggest Hack in History

The Shamoon Virus. There is a single company, run by a royal family, which employs the majority of the Saudi working population. It’s worth more than Apple, Google, and Amazon... by a lot.

The Saudi Aramco oil company is one of the most significant commercial entities in human history. It’s hard to imagine, then, what could happen if it were to come into any danger. That would be crazy, right?

About the Guest

Sam Curry

Chief Security Officer - Cybereason

Sam Curry (@samjcurry) is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product.

Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.

About the Host

Ran Levi

Born in Israel in 1975, Malicious Life Podcast host Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.

In 2007, he created the popular Israeli podcast Making History. He is the author of three books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

About The Malicious Life Podcast

Malicious Life by Cybereason exposes the human and financial powers operating under the surface that make cybercrime what it is today. Malicious Life explores the people and the stories behind the cybersecurity industry and its evolution. Host Ran Levi interviews hackers and industry experts, discussing the hacking culture of the 1970s and 80s, the subsequent rise of viruses in the 1990s and today’s advanced cyber threats.

Malicious Life theme music: ‘Circuits’ by TKMusic, licensed under Creative Commons License. Malicious Life podcast is sponsored and produced by Cybereason. Subscribe and listen on your favorite platform:


Malicious Life Podcast: Shamoon - The Biggest Hack In History Transcript

In order to properly grasp the story I’m about to tell, there’s something you need to understand first. Saudi Arabia is a country and a kingdom. In an abstract yet very significant way, though, Saudi Arabia is essentially a corporation.

There is a single company, run by the royal family, which employs the majority of the Saudi working population. It’s worth more than Apple, Google, and Amazon…by a lot. It’s valued not in the millions, or billions, but trillions of U.S. dollars. It doesn’t just drive the Saudi economy, it basically is the Saudi economy. Its ebbs and flows determine the welfare of the entire nation. Not only that: since the Saudi and Iranian powers just about hold together the already tenuous Middle East, it wouldn’t be such a stretch to consider this company one of the few things saving a whole section of the world from structural collapse.

Suffice to say, the Saudi Aramco oil company is one of the most significant commercial entities in human history. It’s hard to imagine, then, what could happen if it were to come into any danger.

That would be crazy, right?

The Hack

Lailat al Qadr, the Night of Power, is one of Islam’s holiest nights of the year. Much of the Muslim world shuts down during the Night of Power, to celebrate the revelation of the Qu’ran to their prophet, Muhammed. On August 15th, 2012, as is tradition, over 50,000 Saudi Aramco employees stayed home for the holiday. For a country with a mandatory state religion, you could imagine how empty these offices must have been. You probably could have danced through their giant headquarters in nothing but a keffiyah and nobody would have noticed. So it was a quiet day–perhaps, as they say, a little too quiet…

And then, at the stroke of 11:08 A.M., a different kind of quiet.

All at once, without any warning, three-quarters of the computers at the world’s biggest company got wiped clean. That’s right–not just a glitch, not just a bug, not just an infection–an act of IT mass destruction. Within a few hours, everything disappeared. No way to stop it. No one around to even try. On almost every computer screen, an image of a burning American flag.

Try putting yourself in the shoes of the executive who walks into work the next Monday. What just happened? Is there more to come? What caused this? Who caused this? Why? What do you do now? Whatever it all amounts to, you’ll have to answer to millions of people, let alone the king.

It just didn’t make very much sense, which was sort of the worst part. Think about it: what’s the point of a computer virus that up and wipes an entire host system? Clearly the attackers weren’t primarily after information, or they’d have stayed quiet and probed the system from the shadows, rather than make so much noise. And for a multi-trillion dollar company, ransomware would make so much more logical sense: think of the money you could squeeze out of the Saudis, who have endless cash flow at their disposal and aren’t exactly known for being stingy with it.

There was only one explanation, then, for an attack so large-scale, so devastating to an entire nation, and without concern for money. This must be an act of war, from an arch-nemesis. This was a cyber bomb, sent from Iran.

Of course! Iran had all the reasons to enact some sort of cyber revenge, only months after their nuclear power plants were attacked by the Stuxnet virus, and their oil ministry taken offline by another malware, Flame. This malware seemed eerily similar to Flame–structurally, functionally, even in name: both had a data-erasing component which, in its code, was named “Wiper”. The evidence was too strong. American and Saudi officials alike released public statements, blaming Iran for the breach.

But how did the hackers do it? Even with the power of a nation behind them, how could anyone possibly take down a company bigger than Facebook or Google, let alone all at once, as quickly as they did–at precisely 11:08 A.M.?

Buy ALL the Hard Drives

These questions would all have to be answered. However, in the interim, there was a bigger problem: if outside investors smelled even the slightest hint of peril from Aramco, the oil market could plummet within a matter of hours. Remember how I mentioned the entire well-being of the Saudi nation depends on their stake in the oil business? Well, if the price of oil were to drop–either as a result of speculation or lack of export from within Aramco itself–that would obviously be very bad news.

So, even before touching the issue of the malware itself, Aramco made three big plays.

Their first move, frankly, blows my mind. In true Saudi fashion, it may be one of the craziest things any company has done ever. Aramco executives decided that figuring out the extent of the virus, trying to reverse its effects and recover all their computers, if that were even possible, would be too time-consuming. So, they used their private fleet of airplanes to fly employees out to computer factory floors in Southeast Asia where, on the spot, they bought a good chunk of the entire world’s supply of new hard drives. 50,000 of them, right off the belt! It’s difficult to even imagine this much hardware at one time. It’s sort of like if Popeyes discovered that all their food had become contaminated, and then they just go and buy every chicken on planet earth in one fell swoop. Aramco paid a premium, and so did everyone else: the effect was so great that anyone buying a hard drive in the months following the Shamoon incident would have had to pay a slightly higher price than usual.

The second big decision Aramco made was to lie. Ten days after the hack, they released a statement admitting they’d experienced a hack, but claiming that business had returned back to regular function. They were later outed when, among other indicators, one journalist posted a photograph online of long lines of Aramco oil trucks waiting in line, one after another, without supply.

Aramco may have blatantly lied to the public, but from a business perspective, doing so made a lot of sense. It may even be that the company executives anticipated they’d be figured out before long, and yet the few days a lie would afford them would have still been worth it. Why? Because even though a virus may have been the cause, it itself wasn’t really their biggest problem. After all, the Saudis have plenty of money for help and replacement hardware. Even hours after the attack, their main company goal was to save face.

Remember how I told you that the entire well-being of the Saudi kingdom hinges on the state of the oil market? Aramco provides about one of every eight barrels of oil produced worldwide. If outside investors smelled even the slightest hint of peril from within their walls, the price of oil could plummet in a matter of hours, sending the company and country into an economic recession. This was a race against the clock.

As their third big decision, Aramco flew in a dozen top cybersecurity experts from the United States to help get some answers about the malware itself. What those researchers were about to find would introduce a lot more questions than answers.

Right away upon arrival, the IT professionals began tirelessly analyzing the malicious code. They decided to give it a name, “Shamoon”, after a word found within the code.

Shamoon

Shamoon is made up of three components: a dropper, a wiper and a reporter. In most ways, it isn’t much different than any other malware. It begins by infecting a single computer, then copies itself to others within a local network. The reporter component is responsible for sending information about the hack-in-progress back to its operators. Where Shamoon distinguishes itself is in its Wiper component, which uses RawDisk – a commercial software – to gain direct user access to hard drives. From there, it completely overwrites the Master Boot Record of its host system, disemboweling the vulnerable drive and rendering the computer non-functional.
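The paragraph above describes the wiper overwriting the Master Boot Record, the first 512 bytes of a disk. The following Python script is an added example, not code from the podcast, from Cybereason, or from any analysis of Shamoon: it parses an MBR, records a baseline hash of a known-good sector, and reports what a defender would see when the same sector is read back after it has been overwritten. The sample MBR bytes and all function names are constructed for this illustration.

```python
"""MBR integrity check (added illustration, not code from the podcast).

Parses a 512-byte Master Boot Record, records a baseline hash of a
known-good sector, and reports what has changed when the same sector is
read again. All sample bytes are constructed for the demo.
"""
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
PARTITION_ENTRY = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR


def build_sample_mbr() -> bytes:
    """Constructed known-good MBR: a jmp stub plus padding, one bootable
    partition of type 0x07, three empty entries, and the boot signature."""
    boot_code = b"\xEB\x3C\x90" + b"\x00" * 443
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 1_000_000)
    empty = b"\x00" * 16
    return boot_code + entry + empty * 3 + BOOT_SIGNATURE


def baseline_hash(mbr: bytes) -> str:
    """SHA-256 of the whole sector, taken while the machine is known to be clean."""
    return hashlib.sha256(mbr).hexdigest()


def parse_mbr(mbr: bytes) -> dict:
    """Extract the structural facts a defender checks on a boot sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            PARTITION_ENTRY, mbr[off:off + 16])
        if ptype != 0:                    # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "signature_ok": mbr[MBR_SIZE - 2:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, baseline: str) -> list:
    """Compare a freshly read sector with the baseline. Returns findings;
    an empty list means the sector matches and is structurally sound."""
    findings = []
    if hashlib.sha256(mbr).hexdigest() != baseline:
        findings.append("sector hash differs from baseline")
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    elif not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = baseline_hash(good)
    print("clean sector:", check_mbr(good, baseline) or "intact")
    # Constructed 'after' state: the sector overwritten with zeros, which is
    # what a wiped boot record looks like to this check.
    print("overwritten sector:", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

On a live host the 512 bytes would come from reading the first sector of the physical disk with administrative rights (for instance `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux) rather than from `build_sample_mbr()`; the baseline hash belongs in a store the host itself cannot alter, since a wiper that can reach the boot sector can also reach a local file.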

Aside from its destructiveness, though, something seemed…off…about Shamoon. Something that brought into question what everyone thought they knew about it.

The problem with Shamoon wasn’t that it was too sophisticated or advanced to figure out. Its problem, in fact, was the opposite. Researchers began to figure out that the program was–and I’m quoting here–a “hackerish”, “ham-fisted” script of code. It contained spelling errors. In certain ways, it did resemble the Flame virus, even Stuxnet, yet lacked the technical sophistication of both. It revealed itself as a weak, copycat version of well-known, publicly available hacking tools.

Why, for a nation with their level of resources and know-how, for a mission so critical as this, would Iran have produced such an amateur program? It’s like a Spielberg movie shot on an Android or a NASA spaceship made of plastic. Even further to the point: while sifting through the meat of Shamoon’s code, security experts found a reference to the “Arabian Gulf”. The term stood out like a giant red flag in the analysis. Iranians are very possessive about that body of water and invariably insist it be referred to as the “Persian Gulf”. Was this an intentional attempt at misdirection, or a signal that Aramco charged the wrong perp?

“The Cutting Sword of Justice”

“We, behalf of an anti-oppression hacker group that have been fed up of crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt and …, and also of dual approach of the world community to these nations, want to hit the main supporters of these disasters by this action. One of the main supporters of this disasters is Al-Saud corrupt regime that sponsors such oppressive measures by using Muslims oil resources. Al-Saud is a partner in committing these crimes. It’s hands are infected with the blood of innocent children and people. In the first step, an action was performed against Aramco company, as the largest financial source for Al-Saud regime. In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sended a malicious virus to destroy thirty thousand computers networked in this company. The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours.”

Just before the Shamoon virus began systematically damaging 30,000 Aramco computers, an eerie but otherwise innocuous manifesto got posted online, to the website Paste Bin. It was untitled, and signed by some person or group calling themselves the “Cutting Sword of Justice”. However unlikely it was that anyone paid much attention to the post at first, in just a matter of time, it would become the source of a good deal of contention.

Part of the mystery of the Cutting Sword of Justice is just how little is known of them. The name had never been heard before–in hacking or any other context–so it must have been a new group. Nothing in their code gave a clue to their identity or location. Paste Bin is structured so the post couldn’t be traced back to any IP, so researchers couldn’t locate the person who posted the text that way (just as that person intended it, probably). The only information experts could possibly consider to be a clue was one part of the manifesto post itself: that line about crimes and atrocities enacted upon “countries such as Syria, Bahrain, Yemen, Lebanon, Egypt and …”. Did this mean the attackers were from one of these countries? Did “and” dot-dot-dot mean Iran? It sure sounds more like a black hat political act, not a nation-state proclamation of war. According to Major General Mansour al-Turki of the Saudi Interior Ministry, the attack came “from an organized group on four continents.”

Even after security experts finished their work for Aramco, they’d ended up learning little to nothing about this mysterious antagonist. Perhaps in order to cover their backs, or simply because they didn’t believe an anonymous online post with no proof of action, those surrounding the case claimed the Cutting Sword of Justice was simply a red herring–a distraction from the actual likely perpetrator, Iran.

That lack of attention didn’t go over well with the Cutting Sword of Justice. After failing to receive proper acknowledgment for their wildly successful hack, the Cutting Sword of Justice followed up with another statement to Paste Bin, this time titled “Saudi Arabia hug, another one”.

“mon 29th aug, good day,

We think it’s funny and weird that there are no news coming out from Saudi Aramco regarding Saturday’s night. well, we expect that but just to make it more clear and prove that we’re done with we promised, just read the following facts -valuable ones- about the company’s systems”

Below this they published internal information on Aramco’s internet service routers, security appliances they made use of in the hack, and the email address of Khalid Falih–CEO of the company–along with all accompanying passwords. This would leave little doubt that, whoever they may be, Cutting Sword indeed must have been the attacker.

“We think and truly believe that our mission is done and we need no more time to waste. I guess it’s time for SA [Saudi Arabia] to yell and release something to the public. however, silence is no solution. I hope you enjoyed that. and wait our final paste regarding SHAMOO”

“angry internet lovers

#SH”

It would take a whole five months for Saudi Aramco to return to full normalcy following the Shamoon affair. We still don’t know who the Cutting Sword of Justice are–the group is not known to have enacted any other major hacks since.

Attribution

Perhaps, as tends to be the case in matters of information technology, the perpetrators of the hack, even the hack and the malware itself, are beside the point. We’ve heard a lot over the course of this podcast about the resources, manpower and computing effort required for hacking major institutions–that the stereotype of a fat guy with a laptop sitting on his sofa just doesn’t reflect the reality of what it takes to pull off such a stunt. We don’t know much about the Shamoon attackers, but we do know their code was basic, unoriginal and, frankly, not pretty. And yet, they still managed to take down one of the world’s largest institutions. It may well be that the Cutting Sword of Justice is a large group–we don’t know. Regardless, according to expert analysis, their code itself wasn’t much of anything that a talented lone hacker or small group couldn’t whip up on their own.

How did the Cutting Sword of Justice manage to cause so much damage with such simple means? Sam Curry, Chief Product Officer at Cybereason and former Chief Technology Officer at Arbor Networks and RSA, says it’s not all about sophistication and quality.

“It is a question of readiness. You know this old saying, ‘Don’t turn up to a gunfight with a knife’? It doesn’t have to be perfect. It doesn’t have to be very advanced – if you get the element of surprise. There are many many wars that weren’t won by better weapons or really a huge difference in quality – but the element of surprise made a difference.

Shamoon had a wiper payload, a destructive tool, and it was delivered through a number of means and in the moment that it detonated, which was 11:08 AM, August 15th, it had a devastating effect because it simultaneously blew up everywhere! As opposed to a progressive attack that goes through phases that allow you response, it was felt immediately everywhere. And as a result, these now destroyed systems were not available to manage the logistics of oil supply. So it didn’t have to be very sophisticated.”

And as for who’s behind the Cutting Sword of Justice? Sam’s got a theory.

“Attribution is a favorite game of many many people. There’s always the possibility of a false flag. What we know is that there was tension in the Middle East, there were sanctions on Iran. High oil prices definitely would have favored the Iranians in this scenario.

At the time, Saudi Aramco was producing high volume [of oil] in an attempt to keep the price of oil low. It is believed that this [the attack] was meant to drive the price of oil up. There was a simultaneous, or slightly after, attack on the Qatari oil company as well. It was clearly a financial motivation even though – like the movie “Die Hard” – it was dressed in all sorts of rhetoric and powerful language of a political nature.

Let’s keep in mind – it’s easy to get these tools copied and reverse engineer them, and take advantage of a conflict on the world’s stage. Pointing fingers, in my opinion, is kind of a futile thing to do. It gets you press, sure, you get to talk on a big stage about geopolitics. But in a case where somebody walks like a duck, quacks like a duck and flies like a duck – it’s probably a duck, but that doesn’t mean that you need it to be! It helps you to predict what they are going to do next, it helps you to understand the tools at their disposal. Whether somebody is legitimately Iran or posing as Iran – chances are they are going to behave like Iran. Therefore, the attribution is really helpful if it helps you prevent future attacks. Because there is no super-national court that presides over things and will slap a nation-state on the wrist, the sovereignty at the moment lies within each nation.

So, yeah, cyber companies can get their hyperbole and get their PR machines to go and exaggerate stuff for column inches and press – but in the end, attribution is not that useful unless it actually helps to figure out what the moves are going to be next, and helps defenders actually stop future attacks. You’re not going to get a 100% [defence], you sort of don’t need to, and much of the public eye is just eye candy and ear candy, and you hear about nation-states attacking nation-states. Or, worse, it’s the propaganda machines of nation-states that are trumpeting it or hiding it.”

A Genius Decision

And as for Aramco, their lessons turned out to be somewhat bittersweet. Shamoon may have been a huge disaster, but really, it could have been a lot, lot worse.

Shamoon took down 30,000 company computers. It didn’t take down a single industrial control mechanism. In other words, not one oil drill, pipeline, or processing machine was touched by the virus. The computers responsible for coordinating all the Aramco company functions–like, for example, organizing loading trucks with oil barrels–did go down, which meant the product had to sit in the interim. But for an attack on a giant industrial company, their ICS remained perfectly intact. Why?

Some consider Aramco’s security budgeting a point of fault in this story–that they shouldn’t have invested all their money into industrial control systems security, at the expense of information tech. It may have been that Aramco gave more interest to ICS security because the Stuxnet affair in Iran–which totally threw their nuclear ICS infrastructure out of whack–happened only as recently as earlier that year. They evidently didn’t give as much consideration to protecting those 30,000 office computers that were taken down by Shamoon.

For my money, though, their decision was genius. Sure, if they had the money for it–which they probably did–they could’ve put more resources into IT. But if you had to choose, protecting industry controls is the far more cost-effective option. Without thought, Aramco was able to replace tens of thousands of hard drives with pocket money. Replacing significant industrial equipment would have been a whole other thing entirely. That is the sort of thing that could’ve plummeted the country into recession, and spiked the rest of our gas bills.

Only…one mystery was yet to be solved.

When analyzing Shamoon, researchers came to a discovery: the first Aramco computer to have been infected with the virus received it locally–offline, likely via USB.

Do you see where I’m going with this?

It was an inside job!

It turns out that, in showing their hand in that second Paste Bin post, the Cutting Sword of Justice had given away some key information. Researchers already suspected that only an employee with higher administrative privileges in Aramco’s internal network could have propagated the Shamoon virus. By publishing those IP addresses on Paste Bin, the Cutting Sword of Justice provided evidence for that theory.

The Saudis had a traitor in their midst. Not just a traitor, but a high-ranking one. We may never know who that person was, or whether he was ultimately caught. What we do know is that the Saudis aren’t too kind to traitors.