31 December 2017

Cyberattack Targets Safety System at Saudi Aramco

BY ELIAS GROLL

Malicious software attacked a safety system in August at Saudi Aramco, the world’s largest oil company, in what is the first-ever example of malware targeting the computer systems designed to prevent a disaster at an industrial facility.

The attack was first described by the computer security firm FireEye in a blog post last week, which did not name the victim of the attack. But a confidential report obtained by Foreign Policy and authored by Area 1 Security, a computer security firm founded by veterans of the U.S. National Security Agency, identifies Aramco as the victim of the attack.
In a statement, Aramco, Saudi Arabia’s national oil company and a pillar of its economy, denied the attack took place: “Saudi Aramco corporate and plants networks were not part of any cyber security attack or breach.”

FireEye declined to comment on its clients or the details of an investigation.

The revelation that Aramco was targeted by malicious hackers comes as the company prepares for what will likely be the largest initial public offering of all time. Saudi Crown Prince Mohammed bin Salman has staked the company’s IPO as the centerpiece of a sweeping reform plan, which seeks to diversify the economy and use the windfall from the sale to underwrite an ambitious modernization effort.

Area 1’s assessment of the attack on Aramco identifies Iran as the likely perpetrator, but other computer security experts who have examined the incident caution against prematurely assigning responsibility. “This is probably one of the most difficult attribution cases that I’ve ever looked at,” said one former American intelligence official familiar with the incident.

The Area 1 report, which paints a complex picture of the malware dubbed Triton, does not contain hard evidence to implicate Iran in the attack on Aramco.

Though the first of its kind to directly attack the safety systems at a critical infrastructure facility, the Triton malware was ultimately a failure. According to FireEye, Triton attacked a safety system known as Triconex, which is manufactured by the German firm Schneider Electric. Triconex is used all over the world, and provides an emergency shutdown function.

Triton attempted to alter one of these safety controllers, which resulted in the controller shutting down an unspecified industrial process. The shutdown prompted Aramco to investigate and discover the Triton software.

Analysts for Area 1 speculate in their report that the malware could have been the product of collaboration between Russia and Iran. While hackers working on behalf of Iran are considered sophisticated, Russia is regarded as more advanced and has carried out cutting-edge operations that have twice resulted in widespread power outages in Ukraine.