by Constantine von Hoffman

‘Shamoon’ Virus That Devastated Saudi Oil Co. Likely to Have Done More Damage

Sep 18, 2012 | 4 min read
Cybercrime | Intrusion Detection Software | Malware

Last month, Saudi Aramco was hit with a massive cyber attack. The "Shamoon" virus that infected Aramco has probably done a lot more damage than what's been publicly reported, according to blogger Constantine von Hoffman. Here's why.

Last month’s cyberattack on the oil company Saudi Aramco has been the subject of a lot of spin. Shortly after the attack, the company said a virus had “damaged some 30,000 computers” but had no impact on oil production. There are a lot of reasons to doubt that statement. Two weeks after the Saudi Aramco attack, another Middle Eastern energy company was hit with a similar virus. It stands to reason that more companies have been, or will be, hit as well.

The first attack was initially reported on August 15, and it was confirmed when Aramco posted the following message on its Facebook page:

“On Wednesday, August 15, 2012, an official at Saudi Aramco confirmed that the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network. The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.”

I wrote at the time that the statement was suspicious, and experts I’ve talked to agree. One said that the machines were “destroyed,” not damaged. Aramco basically confirmed this two weeks ago when it told Reuters:

“Shamoon [the virus] spread through the company’s network and wiped computers’ hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations.”

You don’t destroy 30,000 workstations without causing a vast amount of damage. It might be possible that the attack didn’t directly hit oil production or harm the flow of oil out of the ground. No one I’ve spoken to has suggested it did, but it’s clear that if the company’s statement is true then Aramco used a very strict reading of the phrase “oil production.”

Aramco also said all damage had been repaired by August 26. Again, it’s possible. Rebuilding 30,000 wiped workstations in 11 days seems like an amazingly fast fix in my opinion, but the company does have a lot of money and a lot of expertise.

Five days after the Aramco attack, RasGas, one of the world’s largest producers of liquefied natural gas, said it was hit by a similar virus. The company said “production was not hit by the attack.” The BBC reported: “The attack forced the Qatar-based RasGas firm to shut down its website and email systems.”

(BTW, some of the reporters who covered the attack should be ashamed of themselves. I found only one unverifiable source for all of this information, so the phrase “The company claimed” or “The company says” should be used throughout all articles on the topic. Instead readers are given the companies’ pronouncements as if they are fact. At least Reuters is doing it right: “However, one of Saudi Aramco’s Web sites taken offline after the attack — — remained down on Sunday. E-mails sent by Reuters to people within the company continued to bounce back.” But I digress.)

One thing that hasn’t been mentioned so far: It is almost certain that other companies’ systems have been infected. Why? Energy companies don’t do anything by themselves. Their favorite phrase is “joint venture” because what they’re involved in tends to cost billions and billions of dollars. Joint ventures require a huge amount of interconnection between multiple systems on both sides.

Most recently Aramco announced joint ventures with Shell, Total S.A., Dow Chemical, China Petrochemical (Sinopec Group), S-Oil of Korea and PT Pertamina, Indonesia’s government-owned energy company. That’s just this year. I didn’t look up RasGas’s JVs but I bet there are a lot of them.

So either A) other companies were hit but kept it quiet; B) information from the Aramco/RasGas attacks was used to prevent or find the virus in partners’ systems; or C) more attacks are coming soon.

Take your pick.

It is hard to believe that a man is telling the truth when you know that you would lie if you were in his place.  — H.L. Mencken