Cyber Attacks in the Spin Cycle: Saudi Aramco and Shamoon

Posted: 1st November 2012

The takedown of Saudi Aramco’s computer systems on August 15 exemplifies the murky world of cyber attacks. Mainstream reporting on the actors shifted regularly while the technical detail of security bloggers was occasionally glossed over. And despite a wealth of reporting on the attack, disputes continue more than two months after the incident.

But perspective on the attack remains important as security analysts adjust their defenses. We’ve introduced Recorded Future for general monitoring of cyber threats, but we’ll use this post to answer specific questions about media coverage of the attack on Aramco :

  • how did blame for the attack (attribution) evolve?
  • what was the Iranian media’s response to the attack?
  • where do allegations of Iran’s involvement stand?
  • what were the first sources to report the virus hitting Aramco?
  • what has been reported on the Shamoon virus since the attack?

Above, you’ll find a timeline of the attack in retrospect. This includes all of the reporting on the event as of this post’s publish time. Major events are clear: the attack that affected 30,000+ computers (August 15), a follow up threat (August 22), and the Saudi Aramco announcement that their systems were once again operating normally (August 28) despite the viruses damage to hardware and data.

Who Identified Attacker(s)

The early reporting on an attack is important; the first cycle of news can set to tone for casual observers that might not dedicate themselves to follow up. And the first media reports cited an organization called the Arab Youth Group taking responsibility as early as the day after the attack was confirmed.

This is a seemingly juicy piece of the story since the Arab Youth Group ( and a group dubbing themselves Cutting Sword of Justice ( both posted their claims to the attack on Pastebin on August 15, the day of the attack. Is it cynical to think that the name Arab Youth Group fits a media narrative of Muslim anger? Neither group was well defined at the time and both remain generally anonymous.

The Guardian was the first media channel to cite the Arab Youth Group on August 16 whereas the Cutting Sword of Justice claim didn’t hit until much later in Information Week on August 22 .

(note: the links above are the earliest media references identified in Recorded Future; there was an earlier reference to Cutting Sword of Justice made in a blog post from the Norman security group on August 16).

Malware Gets a Name

A post from the Kaspersky Lab blog first pointed out on August 16, one day after the attack, a snippet of code that included the term “Shamoon”. And thus, a new string of malware was brought into the world. Since that post we can see the quick adoption of and reporting on Shamoon over the last two and half months.

Allegations of Iranian Involvement

The earliest analyses of the malware affecting Saudi Aramco noted similarities to a data-erasing virus called Wiper that hit Iran’s oil industry in April. In those reports the suggestion was that Shamoon appeared to be a copycat virus.

There was little well publicized discussion of Iranian involvement in the attack on Saudi Aramco at the start, and it took about a week for allegations to pick up speed. On August 22, cyber security expert Jeffrey Carr published a post on his blog entitled “Was Iran Responsible for Saudi Aramco’s Network Attack?“, which was subsequently picked up by the New York Times’ Bits blog. Carr followed up with a thorough examination of Iran’s possible role in the attack.

Several weeks later in early October, “unnamed former US government officials” came out claiming that Iran-based hackers were behind the attack with Defense Secretary Leon Panetta that same day warning of the cyber security risks from Iran without citing a specific attack. Iran has rejected these claims through a statement from the head of its Cyberspace Center, and some recent commentary has been highly critical of the media’s continued citation and reliance on “anonymous” or “unnamed” officials implicating Iran.

Influential Sources and the Iranian Media

The first prominent media source reporting the attack was Thomson Reuters with reporting led by Saudi based Reuters energy correspondent Reem Shamseddine. The piece was published at 2:06pm EST on August 15 and notes that rumors of a cyber attack on Aramco had spread among traders earlier in the day  (updated note: a Saudi tech blog appears to have been first to officially break the story as tweeted by journalist Ahmed Al Omran at 6:52am EST that day).

It’s interesting to note given the above discussion on Iran that it took until August 28 after Aramco announced its recovery from the attack for English-language Iranian press via Press TV to report on the original incident. Keep in mind that this is a source not particularly mum on cyber issues as you can see from its coverage of cyber events.

Analyzing news on the attack in aggregate, we can gain perspective on the reporting landscape. The blocks below are representative of how frequently a site was the first to report on new cyber events related to Aramco during August:

These results were generated using Recorded Future’s identification of “Cyber Security” events and shows the fastest media outlets to report on new cyber issues related to Aramco during August were:

It’s also be interesting to look at how different sources ranked in describing the attack using different language: malware (top sources: Saudi Arabia News, CSO Magazine, Slashdot) versus hackers (top sources: CSO Magazine, Saudi Arabia News, CNET) versus virus (top sources: Saudi Arabia News, Malaysia Sun, CNET).

What We Learned and What Remains

Let’s circle back on our original questions to see what were stand. Credit for the attack shifted, first between two amorphous organizations and then to Iran. Several groups claimed credit for the attack although the Arab Youth Group was the first cited by the media. Not until a week later did we find reporting shift to another organization, Cutting Sword of Justice, despite its original claims for the attack the day it happened. After being named by Kaspersky Lab, the Shamoon virus was also used against Qatari energy company RasGas several weeks later.

We identified several sources and journalists (Reem Shamseddine and Ahmed Al Omran) to follow for early signals on information security in the Middle East as well as channels to track for play by play follow up. The allegations against Iran still feel speculative (at least from what’s available in the open source) although the Iranian media’s lack of reporting on the event is curious.

So, we leave you with a few questions. Are there organized threats out there that are unrecognized or glossed over while Iran is touted as the boogeyman? Is it intriguing to you that the Iranian media does not appear to have covered the story until after Aramco announced its systems to be back up and running?

What combination of sources would you use to synthesize events like this one in the future? For us, it would likely be a combination of security bloggers at companies like Norman and Kaspersky, the tech aggregators like CNET, and the regional sources like Shamseddine at Reuters that are closest to the action. Lastly, who do you think is really behind the incident, and are you expecting this to be the start of a more significant campaign against energy companies? Share your thoughts below.