Publication: Survival: Global Politics and Strategy April–May 2013
01 April 2013
On 15 August 2012, the computer network of Saudi Aramco was struck by a self-replicating virus that infected as many as 30,000 of its Windows-based machines. Despite its vast resources as Saudi Arabia’s national oil and gas firm, Aramco, according to reports, took almost two weeks to recover from the damage. Viruses frequently appear on the networks of multinational firms but it is alarming that an attack of this scale was carried out against a company so critical to global energy markets. Later dubbed Shamoon, the virus caused significant disruption to the world’s largest oil producer.
Shamoon’s main function appears to have been the indiscriminate deletion of data from computer hard drives. Although this did not result in an oil spill, explosion or other major fault in Aramco operations, the attack affected the business processes of the company, and it is likely that some drilling and production data were lost. Shamoon also spread to the networks of other oil and gas firms, including that of RasGas. The incident comes after years of warning about the risk of cyber attacks against critical infrastructure.
Protecting petroleum operations in Saudi Arabia from physical attacks has been a decades-long priority for Riyadh and Washington. Even a partial disruption of production facilities in an area such as the country’s Eastern Province would have an immediate impact on oil supplies and prices, with knock-on effects for the global economy. Concern about the security of Aramco facilities rose following a failed terrorist attack on its petroleum processing complex at Abqaiq on 24 February 2006. Although Shamoon did not cause physical damage to Aramco production facilities, it affected risk assessment of key infrastructure worldwide. The incident was significant enough to prompt then US Secretary of Defense Leon Panetta to describe the virus as ‘very sophisticated’ and creating ‘tremendous concern’. Panetta also noted that ‘there are only a few countries in the world that have that capability’; his comments helped catalyse speculation that the attack was carried out by Iran.
Of course, Iran itself has been the recent target of apparent cyber attacks. In autumn 2010 reports surfaced of a new strain of malware rapidly propagating on the internet, with concentrations of the virus in .id (Indonesia), .in (India) and .ir (Iran) domains. After its discovery by a security team in Belarus, antivirus companies began publishing analyses of the self-replicating worm, naming it Stuxnet. Upon analysis, the worm’s sophistication became apparent. It was designed to target several previously unknown weaknesses in Windows, known as zero-day exploits, and alter the operation of Siemens Simatic process logic controller computers, which are used in power plants, production lines and other heavy industry. The virus was capable of masking its presence while controlling and monitoring the systems it infected.