Researchers Say Shamoon Possibly Linked to Attack on Saudi Oil Company - Security - News & Reviews - eWeek.com | eWeek

Researchers Say Shamoon Possibly Linked to Attack on Saudi Oil Company

Écrit par
Brian Prince
Brian Prince
Aug 22, 2012
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Evidence has surfaced linking the Shamoon malware attack to a group of hacktivists who claim that they are protesting oppression in the Arab world.

Eugene Kaspersky, CEO of Kaspersky Lab, confirmed in a tweet Aug. 22 that the date and time hardcoded into Shamoon matched the date and time of an attack on Saudi Aramco, Saudi Arabia’s national oil company, mentioned in a Pastebin post by a group going by the name “Cutting Sword of Justice.”

“In the first step, an action was performed against Aramco company, as the largest financial source for Al-Saud regime,” the group wrote, stating that the attack would begin Aug. 15 at 11:08 a.m. local time in Saudi Arabia. “In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sended [sic] a malicious virus to destroy thirty thousand computers networked in this company.”

As a result of the attack, Aramco said it isolated all of its electronic systems from outside access as a precautionary measure.

Kaspersky researcher Dmitry Tarakanov noted in a blog post that while that particular date and time is hardcoded in Shamoon, the function to check the date does not work correctly.

“If the intention is to divide the timeline into ‘before’ and ‘after’ a particular checkpoint, then the author has failed,” he blogged. “The condition contains a corrupted logic to do this.”

“For example, if the year is 2013 but the current month is less than the target month (say February), then the condition would return a result as if the current date lies before the August 2012 checkpoint value,” he explained. “In fact, this logic is simply flawed and incorrect. This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems. Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”

Earlier this month, Seculert CTO Aviv Raff explained that the attackers behind Shamoon seized control of an internal machine connected to the Internet and used it as a proxy to the external command and control server. Through the proxy, the attacker infected other internal machines and then executed Shamoon, “wiping all evidence of other malicious software or stolen data from those machines.”

In a statement today, he added that the IP address of the proxy server in the Shamoon samples Seculert analyzed is not part of the list described in a related Pastebin post.

“This might mean that those samples are part of an attack on a different entity,” Raff said. “It could also mean that it is indeed part of the attack against Aramco, but the attackers did not to share this IP address in the pastes (assuming the details in the pastes are true, of course).”

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.