Darknet Diaries - Ep 30: Shamoon
Episode Date: January 22, 2019

In 2012, Saudi Aramco was hit with the most destructive virus ever. Thousands and thousands of computers were destroyed. Herculean efforts were made to restore them to operational status again. But who would do such an attack?

Very special thanks goes to Chris Kubecka for sharing her story. She is author of the book Down the Rabbit Hole: An OSINT Journey, and Hack The World With OSINT (due out soon).

This episode was sponsored by Eero, a solution to blanket your home in WiFi. Visit https://eero.com/darknet and use promo code "darknet". This episode is also sponsored by Cover. Visit cover.com/darknet to get insured today.
Transcript
Before we get started, if you haven't already, go back and listen to episode 28 and 29 before this one.
It's a little series on the Middle East here, and it's meant to be listened to in that order.
There are some hacker stories that really scare me, and this is one of them.
This one had a potential of causing a worldwide economic crisis.
The world's governments are growing in sophistication, and they're training their troops to hack, and they're building cyber weapons.
And while governments are hacking into other governments, sometimes governments hack into private companies or
cities' infrastructure. Our electrical grid and food supplies weren't built to withstand a fighter
jet bombing them. But should they be built to withstand a nation-state actor trying to hack
into them and destroy them? Maybe.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries, brought to you by Delete Me.
I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money.
And our personal information is all over the place online.
Phone numbers, addresses, family members, where you work,
what kind of car you drive, it's endless.
And it's not a fair fight.
But I realize I don't need to be fighting this alone anymore.
Now I use the help of Delete.me.
Delete.me is a subscription service that finds and removes personal information
from hundreds of data brokers' websites
and continuously works to keep it off.
Data brokers hate them because Delete Me makes sure your personal profile is no longer theirs
to sell. I tried it and they immediately got busy scouring the internet for my name and gave me
reports on what they found. And then they got busy deleting things. It was great to have someone on
my team when it comes to my privacy. Take control of your data and keep your private life private
by signing up for Delete Me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete Me plan
when you go to joindeleteme.com slash darknetdiaries and use promo code darknet at checkout. The only
way to get 20% off is to go to joindeleteme.com slash darknetdiaries and enter code darknet at checkout. That's join delete me.com
slash darknetdiaries. Use code darknet. Support for this show comes from Black Hills Information
Security. This is a company that does penetration testing, incident response, and active monitoring
to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission
to make Black Hills Information Security world-class in security training. You can learn
things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this,
the whole thing is pay what you can. Black Hills believes that great intro security classes do not
need to be expensive, and they are trying to break down barriers to get more people into the security
field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your skills and showing them off to potential employers.
Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training.
That's BlackHillsInfosec.com.
Black Hills I-N-F-O-S-E-C dot com. BlackHillsInfosec.com.
Oh, so you know what's funny?
Not too long ago, we heard the news that Apple was the first company to have a net worth of $1 trillion.
It's funny because it's not true.
Apple's worth that much, but it's not the first company to be worth $1 trillion.
There's another company that's worth 2 to 10 times more than Apple. What is it? Saudi Aramco. You may not ever have heard of Saudi
Aramco before, and neither did I until I started researching the story. And that's because they
don't sell to consumers. Instead, they sell to manufacturers and distributors. So what do they
do? Saudi Aramco is one of the largest oil and natural gas producers in the world.
It controls massive amounts of oil reserves.
It drills it and ships it all over the world.
Saudi Aramco may be the most profitable company in existence and produces 25% of the global oil.
It's not a publicly trading company, though, so we really don't know how much it's worth.
Because Saudi Aramco is huge and operating globally, it has a lot of computers. There are pump stations, plants, shipping terminals, logistics centers, laboratories, research and development centers, and storage facilities.
And let's not forget the teams it takes to run it.
There's an HR department, IT department, marketing, truck drivers, mechanics, engineers, public relations, finance, drilling teams, and advisors. Add all that up, and Saudi Aramco has over 50,000 employees.
Now imagine how many computers there are at a company that has 50,000 employees. Not only do a lot of them have individual computers to work on, but there's a lot of servers, domain controllers, email servers, SharePoint systems, file servers, and more. In 2012, Saudi Aramco had over 40,000 computers in their network worldwide.
Now I say 2012 because that was when the most profitable company in the world
was hit with the most devastating cyber attack any company has ever seen.
To really get into this attack, I brought in Chris Kubecka.
And we'll understand more about her and her role in this attack later,
but for now, we'll have her explain what happened.
Saudi Aramco, like any other oil and gas and energy company, their primary, you know, jewels,
what makes them money is their industrial control systems pumping out oil and crude out of the
ground. And when your primary profit is driven by that, that's where you put your security,
that's where you put your attention. And unfortunately, they did not put very much of any real attention on the IT side. However, what happens is IT and industrial control
systems are connected. In the case of Aramco, and at that time, it was okay for an extremely flat
network across all of that. Think of a flat network like the hull of a ship, but it's just
one big empty space in the hull.
So if the boat hit a rock and made a hole in the hull, the water would fill up the entire hull and sink the ship.
But some boats are designed with compartmentalized hulls.
So if water were to get into one section of the hull, it couldn't possibly fill up the rest of the boat and still stay afloat.
In your network, it's good practice to compartmentalize it.
So if a hacker gets into one section of the network, they only have access to that section.
And in the case of Saudi Aramco, because their network was flat,
once you got into any part of the network, you could get to anything, anywhere.
And Saudi Aramco has offices and locations 60 plus around the world,
in far-flung locations.
There's one location you have to take a ferry for eight hours in Indonesia to go to an island.
The attack hit in August, but they had already gotten into the systems around April to May.
The attackers likely got in through a phishing email.
This is where they'd send a specific employee an email with an interesting attachment or link.
And since the employees had no security training,
it was probably not that hard to get one of them to click a link or open an attachment.
The other part of this equation is that the employee's computer had to not be fully patched.
So for instance, the attackers would hope they're running an older version of Microsoft Word or Adobe Acrobat that has known vulnerabilities.
So when the user would open the Word document,
the file would attempt to exploit one of these known vulnerabilities to gain access to the computer,
and if successful, it would open up a reverse terminal back to the attacker. When the attackers
got into Saudi Aramco, they were able to move around with ease. This is the problem with a
flat network. Their next step is to gain access to a system that communicates to all the other
computers in the network, a domain controller. This system is used for authentication onto the
network, and it provides a map so computers can find other computers. So the attackers focused on these domain controllers. But these systems
were not very secure. Because of extremely weak infrastructure, you could reset a domain
administrator password on the internal system over HTTP, so completely clear text. That's a
domain administrator password. So that gives you an idea.
At this point, the attackers had access to Saudi Aramco's network and had administrative
privileges to the domain controllers, essentially giving them keys to the kingdom.
Now, what was unusual was the Houston Operations Center had actually picked up on unusual activity.
And even though they had no security people, they thought it was
unusual for 250 different devices to be logged in at the same time by the one domain administrator.
So they were picking up on highly suspect activity. And because they didn't know perhaps
how to phrase it, and perhaps it was not well accepted in Saudi, there was not an incident created.
At the time, the person who ran the Security Operations Center decided it was his opinion he would not open an incident for the report from Houston.
Now that the attackers had the crown jewels of the network and nobody was going to stop them, they spent the next three months building their perfect attack. At this point in 2012, August rolls around, which seems to be the perfect time
to attack Saudi Aramco. And what's special about August 2012 in Saudi Arabia? It's the holy month
of Ramadan. In the U.S., offices are almost completely empty around Christmas time. And
that's what it's like during Ramadan in Saudi Arabia. It was a typical company policy that that was a slow period.
The majority of Muslim staff leave.
So what's usually left or what at the time was usually left was a skeleton crew of Western staff at the most.
This would be the perfect time to wage an attack against a company to do the most damage.
There'd be nobody to stop it and the reaction time would be very delayed.
That's just what happened. On the 15th of August, a warning was sent, but it would be a warning that Saudi
would not notice. The day of the attack, at 9:08 a.m., a pastebin was posted up that said,
we, the internet users of the world, are bringing, you know, basically to the world's attention
that there is blood on your hands,
the regimes of Saudi Arabia and all this.
But we know how you fund a regime is through Saudi Aramco.
So what we have done is we have attacked
European computer systems to get into the Saudi Aramco systems
and have destroyed 30,000 computers.
It will go off in two hours.
The pastebin was signed by someone calling themselves the Cutting Sword of Justice. And Saudi Aramco didn't get the message.
They weren't scouring pastebin looking for things like this. And their staff was mostly gone anyway.
So this warning was never received. So they had no idea this was coming.
And at 11:08 a.m., things started shutting down.
At the exact same time, all across the Saudi Aramco office,
computers were starting to display burning American flags.
Each computer was corrupted with a nasty virus
set to delete everything on that system.
Because what was happening is the wiper virus that got into it,
when it would eventually get down to some of the Windows files that were pertinent and the master boot record, it would then force a shutdown.
And if you tried to restart it, you lost your master boot record.
So you couldn't immediately pull everything back up.
And things started shutting down.
This wiper virus would be known as the Shamoon virus.
It was a logic bomb set to go off at a particular time on a particular day.
A logic bomb is a virus or program that's set to trigger when a certain condition occurs.
This logic bomb was set to trigger at 11:08 a.m. on August 15, 2012,
with the instructions to wipe the hard drives, rendering them unusable.
And since the network was flat and not very secure,
a lot of computers were hit with this logic bomb.
About 35,000 systems, 85% of their IT infrastructure was taken out.
35,000 computers had become completely unusable all at the same time.
This is the most destructive malware to ever hit a single company.
If you lined up 35,000 computers in a row, it would be six miles of computers. When you tried
to reboot the computer, it would simply say operating system not found because it had been
completely wiped. Imagine if something like this happened where you work, where everyone's computers
were suddenly unusable. This isn't just a network down or an email down.
Everyone's computers wouldn't boot at all.
There was no operating system.
All saved files were gone.
All software was deleted.
And many of the backup servers were obliterated too.
This was devastating.
This virus specifically targeted machines running Windows.
And anything connected to them that relies on them, like Windows DNS, Windows DHCP,
the VoIP that would also rely on any Windows server, Windows backup servers,
the auto truck loading system, and the payment systems also were inoperable,
as well as all the middleware, so they couldn't access contracts.
And in addition, they had gone to green and fully digital,
so all of their contact lists, people that they could call were on SharePoint.
They didn't even have SharePoint.
They had no employee list.
They couldn't even look at a roster.
There were no emails.
Phones didn't work.
There were no shared data sources like SharePoint or file servers.
This was a massive disruption to the most profitable company in the world. 85% of their computers were down permanently. But this virus did not attack
the industrial control systems found at pumping plants, pipelines, or drilling sites. Oil production
was still completely operable. That's because the company focused their security on these systems.
But also the attack did not target industrial systems.
But the problem was there were no computers to say who to ship the oil to or where it was supposed to go.
And they had no contact information for anyone either to notify customers of the outage.
At this point, Saudi Aramco was scrambling to figure out what had happened.
And they were afraid this virus would spread to more systems and take out oil production.
Emergency meetings were being set up like war rooms in the Aramco offices.
The CEO was also present.
As they realized the size of this destruction, an extreme decision was made.
So they rapidly started unplugging everything.
They took the decision. They did not want it to spread.
So they decided a very severe decision, and I think the first time ever,
Saudi Aramco completely disconnected themselves from the internet, which also had other
consequences, such as when you're dealing with industrial control systems, say Honeywell or
Siemens, they remotely monitor and maintain that equipment under their maintenance contracts, they were also
disconnected because they did not want anything to spread or for them to be the pivot point to
anyone else. The CEO made the decision to take one of the largest companies in the world offline.
And this is never an easy decision to make, but it's probably the right one. On one hand,
shutting down like this has potential worldwide effects and can cost the company tons of money.
But on the other hand, not shutting down is potentially more severe and can potentially cause even more loss of money.
Saudi Aramco provides about 25% of the world's energy.
So what would happen if 25% of the world's oil market is taken out in one day?
This is why this story scares me.
A single hack like this has the potential to wreak havoc on the world.
Imagine if gas prices quadrupled overnight,
or imagine if there was a worldwide shortage of petroleum-based products like plastics or fertilizer.
The reverberating effects of this one incident could put the globe in a panic.
In addition, Qatar, the country, their national oil company is called RasGas.
And RasGas was also affected and disrupted in a similar manner.
But they do not discuss it whatsoever.
So they have about 14% of the world's energy market, especially with natural gas.
And then you couple that with Saudi Aramco, 25% of the world's energy.
That's in a two-week time period. And so that was the risk
to the rest of the world. It could have obliterated financial markets. Strangely enough, when Qatar's
oil company was hit with the same virus, their version did not have a burning American flag on
it, which raises a lot of questions. But these two companies combined supply 40% of the world's
oil and natural gas. Whoever waged this attack was trying to cause financial
ruin to a lot of people and companies.
on your company's exposure is more important than ever. I recently visited spycloud.com to check my darknet exposure
and was surprised by just how much
stolen identity data criminals have at their disposal,
from credentials to cookies to PII.
Knowing what's putting you and your organization at risk
and what to remediate is critical for protecting you
and your users from account takeover,
session hijacking, and ransomware.
SpyCloud exists to disrupt cybercrime
with a mission to end criminals' ability to profit from stolen data.
With SpyCloud, a leader in identity threat protection,
you're never in the dark about your company's exposure
from third-party breaches, successful phishes, or info-stealer infections.
Get your free Darknet Exposure Report at spycloud.com slash darknetdiaries.
The website is spycloud.com slash darknetdiaries.
When the Shamoon logic bomb hit Saudi Aramco, it took out a huge portion of their computers,
but didn't impact their drilling sites or pipelines.
But the scene was chaotic there and confusing. Nobody knew what trucks to load up with what oil
and where to send it, so the decision was made to load up any trucks with any oil you had and
ship it out. Oil continued to flow to supply the world even if it meant giving it away free,
which is what they did at times. But because of the chaos and outages, it was really slow
filling the trucks up.
Saudi Aramco made a public Facebook post
announcing the attack.
It said,
We are suffering from some sort of
digital or cyber attack
and we have chosen to disconnect
from our business operations
and production from the internet.
So at that point in time,
we could not send an email to them.
It kept bouncing back.
It just snowballed from there.
As the company scrambled to understand the impact
and get things operational again,
they knew they needed more help.
They simply didn't have a good security IT team
to handle this kind of incident.
Before this attack in 2012,
Saudi Arabia simply didn't take security very seriously.
There were no government branches focusing on cyber defense.
They had a Saudi CERT, but it was crude and inefficient.
And when the government kind of ignores the importance of security,
it trickles down to many other companies within the country.
So security simply wasn't a big industry in Saudi Arabia at the time.
Saudi Aramco was trying to hire as many security consultants as they could,
but they ran out of people quick. So they started hiring vendors, but there were problems with this
too, and they needed even more help than that. They decided they needed an outsider, someone
who's secured global networks before, and someone who they could hire to be part of the Aramco team.
That's when they called Chris Kubecka. Yes, they called me out of the blue.
It was very odd because I'd never imagined myself working for that type of organization. And I was coming back from a holiday from Tanzania. I was transiting in Istanbul and I was hoping that I could get in the lounge because I'm so tired, but, you know, good food. And, uh, my phone rang and usually I won't answer my phone in roaming, but I did anyway.
And they're like, Hey, this is Aramco. We would like to talk to you. We would like to hire you.
And I'm like, okay. Cause I'm not sure that this is a legitimate call at this point.
It's out of the blue. I've, I've never applied for that. And I'm like, all right. So tell me
about the role. And they're like, well, Aramco, we've been under attack.
We need to get all of our security ramped up as quickly as possible.
I'm like, OK.
Chris Kubecka is a well-connected, respected and experienced security professional.
She's given a few talks at various conferences around Europe, which is how Saudi Aramco knew of her.
But her profile is very impressive.
She's been using computers since she was a young child, and then joined the U.S. Air Force,
and then joined the U.S. Space Command to work on communication systems to space. From there,
she did consulting work and started leading security teams, and eventually worked her way
over to being a security consultant for a very large financial services company in the Netherlands,
which is where she was living. She's experienced with securing large networks and handling large-scale incidents.
And throughout all this, Chris had gathered a lot of connections
and made a lot of friends in the security industry.
Not to mention her global experience that she's had traveling the world
and even picking up a few languages on the way.
So choosing her for this role of bringing one of the largest companies in the world back online
was a good choice.
The problem was, Chris already had a job leading the security
team for a large financial services company in the Netherlands. So she wasn't interested in another
job. And they go, well, we just need to know a price. Can you give us a price? I go, okay.
Picked a price, which I didn't think that they would agree to. I said, here's my price.
He goes, we'll get back to you.
Okay.
I was like, that's an odd phone call.
Chris literally pulled a number out of the air,
one that was much higher than she would expect anyone to accept.
They called me back a week and a half later and said, well, the board was convened and they actually raised your price by 20%.
I'm like, the board?
Yes, the Saudi Aramco board.
And it was about that time that I kind of realized that that was the most powerful organization in the world.
And they convened a board and gave me an additional bump up from what I had asked for.
And they definitely wanted me.
And it was also at that point I said, I know my name is Chris.
I know I don't have a
very high voice, but I do know I'm a woman, right? They're like, yes, yes, yes, we do. We do. I'm like,
okay. And I go, well, you know, I have a position. And I go, well, don't say no, just say maybe.
And I go, okay. Chris listened to the Saudi Aramco team and heard firsthand the total destruction that was caused.
And the recruiters were so happy she was considering the role.
They had basically said, you can hire whoever you want.
You can basically have, you know, like an unlimited budget.
They can have like 20,000 euros every year for training, that they're always trained up.
And I was very excited to be able to build a
world-class team to tackle this chaos. And I thought it was a fantastic opportunity, which it was.
Chris took the job and got right to work building her team. She pulled out her contact list and
began recruiting. It's hard to find good security talent today because there isn't enough talented people to go around and all the good
ones are taken. But with a massive budget, lots of training dollars, and the excitement of working
on one of the largest hacks in history, she was able to find some pretty great people.
I looked for all the rock stars that I had already written up on a bit of a dream list and I got
seven out of ten. One of the biggest incentives was that massive training budget for each analyst.
This alone is a great lure, since most security professionals are excited to learn about latest
technology, so knowing that the company is going to invest in their expertise was exciting.
Not only that, but she also gave each person 10% of their time to work on their own projects.
When you have really talented people sitting around with free time on their hands,
you end up making tools
that make the team more effective.
Many of these folks also spoke multiple languages.
So I had Dutch, Romanian, Cypriot.
I had, I don't know, Indian.
I had Italian.
When defending a global company such as this,
you need many languages in your security staff
to be able to communicate effectively between organizations and teams,
but also be able to identify threats in various regions.
When Chris assembled the team, she made it a point to not overwork anyone
and give everyone adequate breaks.
Their average work week was 36 hours per week,
and this made them less stressed and excited to get back to work.
I always had rested, alert analysts.
They enjoyed what they did.
They got to do projects that were related.
They were doing fantastic things.
So they were able to not feel constrained.
And they were always taught on the newest and greatest stuff.
I did not want a group of analysts who had training from last year looking at today's threats because that
just doesn't work. Our threat actors are nation state, cyber criminal, hacktivist, anything and
everything in between. Our threat profile is extremely high. We needed the best of the best,
not someone who got a cert five years ago and hasn't taken a course since.
While Chris was busy building her team and getting them up to speed,
Saudi Aramco had begun rebuilding the infrastructure.
Basically what they did was, they have so much money,
and they also own the largest private fleet of aircraft.
They sent their private fleet to the factory lines in Southeast Asia
to buy up the world's supply of hard drives immediately
to replace all the hard drives at Saudi Aramco. Some of the hard drives were slightly damaged from this attack
and the company didn't want to reformat them and start over because maybe they could recover some
data on them. So since Saudi Aramco had enough money, they just decided to buy tons of hard
drives as fast as they could. This took months to fully purchase the number they needed. It was 85% of their IT infrastructure,
but you're also talking about backup servers,
all of this type of stuff.
So you're talking about many more than,
you know, 35,000 hard drives, for instance.
That's a lot of hard drives.
A single manufacturer could not produce
that many hard drives to fulfill the demand.
So Saudi Aramco would fly their jets
to a few different manufacturers at once to get them as soon as they came off the factory floor. And as if this wasn't
bad enough for the world's supply of hard drives, at the same time, a massive typhoon hit Asia,
halting production for some of the hard drive facilities. So if you bought a hard drive between
September 2012 and January 2013, you will notice that there was a rise in worldwide hard drive prices because Saudi Aramco bought the supply and everyone else was paying a tax, basically.
Chris was based in a city in the Netherlands called The Hague, and this is where she built the Security Operations Center.
Immediately, she knew she needed to integrate her team into the Saudi Aramco culture.
So she began rotating each of her analysts to go work in Saudi Arabia for a while. In exchange,
she'd get someone from IT from Saudi Arabia to come work in her operations center in The Hague.
She didn't want a repeat of how Houston, Texas detected this attack four months earlier,
but couldn't communicate it effectively to Aramco. Integrating her team into the culture
was a great success. Her first task was to gain
visibility into the network. Because otherwise you can't see if another attack is coming through.
And that was a huge challenge because there was a whole segment where there was zero visibility,
and that was a huge issue. That was number one, absolute number one. Number two was looking at
the best practices because my team, the minimum
level of experience in a SOC was five years. So all of us were highly experienced. So we were
bringing over best practices. And in the mix, there were a lot of foreign contractors who were
put into roles until the Saudi people could get up to their capabilities. Chris and her team began triaging the network to make it more secure.
They did things like audit the network, help IT secure systems better,
monitor for attacks, and harden the network.
But while Chris's role was important, there were many other security teams worldwide
also helping to resolve this incident.
Both internal and external people were helping to get things back on track.
In fact, even a few other countries helped out to get things operational again.
At this point, oil trucks started getting backed up at pumping stations and drill sites.
Like ridiculous backups. Picture the worst traffic backup you've ever seen.
And that was the situation.
A journalist saw this and took a picture of an endless amount of trucks in a row with no oil
and wondered what was going on here.
At this point, the news was starting to spread that Aramco was hit hard with something big.
The attackers continued to attack the infrastructure and Saudi Aramco had to disconnect from the internet three times. They thought that they were up, they got everything
up and running, and then the attackers launched a massive DDoS attack against them.
Then, at the same time, they were able to get back in again, because when they had first put up the first better security appliances on the perimeter,
I'm not sure who did this, I think it was one of their contractors, had left some of the stuff with default usernames and passwords
on the network and security appliances.
So the attackers were able to get back in briefly,
and they posted this because it was very taunting,
and they were able to get the new password and email address
for the CEO, Saudi Aramco, and the executive board,
and they pasted it on Pastebin and said,
we're not through with you yet.
This pastebin was also signed by the Cutting Sword of Justice.
And this is when Saudi Aramco started noticing not only this pastebin,
but also the previous ones posted on the day of the attack.
Chris and her team continued to defend the network
and find any vulnerabilities and patch them.
This took a lot of work to get things operational again.
About three and a half months to really get back to normal.
And that three and a half months was basically working with an unlimited budget to get things
back on track and oil flowing properly. If this company didn't have a budget like that,
this would have either destroyed the company or degraded it for years.
Another thing worth mentioning here is that Saudi Aramco is very adamant about not
buying any Israeli-based software. For instance, firewalls made by Check Point are never an option
for securing the network because Saudi Arabia really doesn't like what Israel has done to
Palestine. And since Check Point firewalls are made in Israel and the company was started by a former member
of Unit 8200, the Saudi government won't buy their products. And I suppose it makes sense if
you know a country is spying on you
and former military spies make a firewall,
you probably don't want to buy that firewall for your network.
But even when Saudi Aramco had things back up and operational,
there were still problems that would occur.
The employees, this was one thing I found very unusual.
Because there had not been any, say, security awareness training for them before the attack,
when the employees came back they didn't really want to touch a computer.
They were kind of afraid. They're like, oh my god, what if I'm the one that opens the email attachment
and then brings the system down because of a phishing attack? And so there were people who
didn't really want to use the systems. And I can understand.
And it also took time after the attack.
You then have to start.
You need the people on the computer systems, not in the security awareness programs, but you also need them in there.
So what do you do?
Do you get your operations back first?
These people are like, I'm not opening that email.
You have to open my email.
No. So it's almost like
they got post-traumatic stress disorder from the cyber attack. It was very, very unusual.
If I was a psychologist, I would love to do some sort of paper on the topic.
Once things started settling down, Saudi Aramco and the Saudi government began looking into who conducted this
attack.
The pastebin messages were signed by the Cutting Sword of Justice, which appeared to be an activist group, but some of the messaging in there was suspicious.
The Shamoon virus was also analyzed thoroughly to look at traces of information that could lead to who wrote it.
Combine this with the additional logs and forensics data and the picture started to become clear.
According to the Saudi Arabian government, it was the country of Iran.
There are a few theories as to who was behind this attack. It could have just been a group
of people wanting to drive up oil prices, or actually an activist group mad at Saudi Arabia.
We don't know all the details, or exactly who and why. But some security researchers believe
this was a retaliation
from Iran because of the Stuxnet attack that hit their nuclear facilities. But if the US and Israel
attacked Iran with Stuxnet, why would Iran attack Saudi Arabia in retaliation? This is a very
complicated question. The first clue is that the Shamoon virus had a burning American flag on it,
and Saudi Aramco was actually started by an American company. First, it was started by the
Standard Oil Company of California, and then it eventually changed its name to Aramco, which
is short for the Arabian American Oil Company. And from there, the Saudi government saw how
profitable it was and fully took over the company. And today, this is where the bulk of Saudi
government money comes from. So you can see Saudi Aramco has a deep connection with the U.S.
But the U.S. relies heavily on oil from Saudi Arabia,
so impacting the oil supply to America could cause financial ruin to the U.S.,
bringing a lot of businesses to a halt.
Additionally, Iran and Saudi Arabia have long-standing feuds between them.
They often argue about politics and religion.
But the thing is, the Iranian government never took credit for this attack.
So if they did this as a show of force or some kind of saber rattling, why wouldn't they take
credit for it? There were some news articles that stated Saudi Arabia captured and arrested
dozens of Iranian spies not long after this attack. It's unclear, but it's possible these
spies were somehow part of this hack, possibly doing reconnaissance or doing some sort of social
engineering to get internal information about Saudi Aramco. Over in Iran is the Islamic Revolutionary Guard Corps, or IRGC. This is one
of Iran's armed forces, and it has over 100,000 people. Within the IRGC are the intelligence-gathering
units, which is where we presume a number of hackers are working for the Iranian military.
In fact, one IRGC general stated that they have the fourth
biggest cyber army in the world. But there's also a group called the Iranian Cyber Army.
And this isn't a military group, but rumors say it was started by the IRGC. This hacker group has
pledged their allegiance to the supreme leader of Iran, and they conduct hacks to help Iran out.
It's a very secretive group, but it's possible they do some of the more dirty work for
the IRGC. So the Iranian government can claim that they didn't do it. This incident with Saudi
Aramco is known as Shamoon 1. There have since been Shamoon 2 and Shamoon 3 attacks, which
are still ongoing against Saudi Aramco and Saudi Arabia, especially hitting Saudi Arabian critical
infrastructure; airports have been affected.
So it is still ongoing.
The thing is that nations aren't even at the point yet of being able to talk about what cyber capabilities they have,
much less able to have an open conversation about how to conduct cyber warfare between nations.
Many countries are developing cyber capabilities,
and they're watching big players like the U.S. on how to conduct themselves in this space. And seeing things like Stuxnet leak and the U.S. denying it just
makes these countries follow suit and also conduct ultra-secret missions. We're still in the first
generation of this new weapon. And when things are this new, there aren't any rules or regulations
yet. There isn't any playbook or proper way to conduct yourself. And because of all that, it will
be abused. Nations will do whatever they want, whenever they want, because that's just how it
is right now. It's naive to think nations aren't constantly spying and infiltrating on each other
using cyber weapons. Which is probably why when there's an attack like this, it's not treated
like an act of war. Because we don't know what a cyber act of war looks like yet. When we see
mass casualties from a hack and a nation claims responsibility for it,
then I think that'll be one.
But in this case, some computers were damaged and an unknown group claimed responsibility.
And somehow, this didn't cause a worldwide panic in oil prices
and everything went back to normal in a few months.
Before this event, the Saudi government didn't put a lot of effort into their cybersecurity program.
And to me, it's crazy to think of a nation such as this not paying that much attention to online security.
But since then, in 2017, they launched their Saudi National Cybersecurity Center,
which is a government-run organization built to protect their critical infrastructure and government from cyberattacks.
This has a great trickle-down effect to the whole nation, because security really does have to start at the top of any organization,
including an entire nation. So now many more organizations are also taking security seriously
because the Saudi government did. The operations center that Chris built in The Hague is still up
and monitoring Saudi Aramco, but she's since moved on to higher-profile projects. And here's a bit
of advice from her on how to prepare yourself for an incident like this. Digitization is fantastic,
but in an emergency, you always need a paper copy of contacts. That's a very good idea. We also
carried coded contact information cards in our wallets in case of emergency so that we could
have a very, very quick response. That was one of the big things that was lost during the attack
because you couldn't even get a phone number.
And also printed out playbooks.
So in case of emergency, it's a calming factor that you can hold something
in your hand and look at it.
And even though it's not going to match up perfectly,
it helps you from losing your sanity.
And you can go off of that.
And having those printed out
and contact cards are invaluable in the case of any incident.
You've been listening to Darknet Diaries. A big thanks goes to Chris Kubecka for sharing her story.
And if you want to learn more from Chris, guess what?
You can.
She has two books out now.
Her first one is called Down the Rabbit Hole, an OSINT journey.
And her newest one, which should be out in a few days, is called Hack the World with OSINT.
I have a copy of the first one right here.
And it's packed full of labs you can do to gather personal and private information on companies and governments that are leaving their data right there in the open for anyone to see. She demonstrates how to gather publicly available,
yet sensitive data related to Panama Papers, the Democratic National Party, Trump's websites,
the Republican National Party, and even the Dutch voting system. If you want to get better at open
source intelligence gathering, check these books out. I'll link to them in the show notes. Please
consider donating to this show through Patreon. Very soon I'll be giving bonus episodes to supporters there.
This show is made by me, the dull blade of mischief, Jack Rhysider.
The intro song and the song you're hearing right now are made by the shrouded Breakmaster Cylinder.