Conference Paper · June 2013
DOI: 10.1109/ISI.2013.6578789
Saudi Arabia's Response to Cyber Conflict:
A case study of the Shamoon malware incident

Zakariya Dehlawi
Information School, University of Washington
Security Engineer, Security Innovation, Inc.
Seattle, USA
zaxim@uw.edu

Norah Abokhodair
Information School, University of Washington
Seattle, USA
noraha@uw.edu

ISI 2013, June 4-7, 2013, Seattle, Washington, USA. 978-1-4673-6213-9/13/$31.00 ©2013 IEEE

Abstract—This is a progress report on a case study of cyber-security at very large companies and its importance to the financial and operational well-being of the company. Our investigation focuses specifically on Saudi Aramco, the world's largest oil company. The company was the target of a severe cyber-attack on August 15, 2012 that disrupted its business network for weeks. We analyze the company's response to the attack and examine its current policies with regard to cyber-security. Our goal is to answer the main research question: how did the Saudi Government, the primary stakeholder of Saudi Aramco, react and respond to the attack, and how does this response conform to current cyber-security standards? The objective is to develop a best-practices benchmark of cyber-security that provides guidelines to be utilized by Saudi Aramco and similar companies.

Keywords—Saudi Arabia, Cyber-security, Malware, Cyber-attack, Cyber-warfare, Shamoon, Security management

I. INTRODUCTION

The global cost of cybercrime is estimated to be of the order of $388 billion USD according to a recent study by Symantec [1]; that figure combines $114 billion in direct financial losses with the estimated value of time lost by victims. Major oil and gas companies are suffering an ever-increasing number of cyber-attacks and security breaches motivated by commercial and criminal intent, as evidenced by McAfee's recently published report that revealed the details of a targeted breach at five major oil and gas companies in an operation dubbed "Night Dragon" [2]. Moreover, the Kingdom of Saudi Arabia is one of the world's largest energy suppliers, with extensive oil and gas reserves, and plays a critical role in the global economy [3].

Saudi Aramco (Saudi Arabian Oil Company) is the state-owned company responsible for exploration, production, and refining of these reserves. The market value of this oil giant has been estimated at up to $10 trillion USD in some financial journals, making it the world's most valuable company [4]. Threats against Aramco could potentially jeopardize the national security of Saudi Arabia. Therefore, the Kingdom has invested in securing Aramco facilities with an armed force of 33,000 soldiers and 5,000 guards [3].

On August 15, 2012, an unprepared Aramco was the victim of a cyber-attack that "wiped" 30,000 computers and forced Aramco employees to disable several of its internal networks for weeks. The attack was accomplished using an insidious malware dubbed Shamoon (or W32.Disttrack) by antivirus vendors [5], [6].

How could Saudi Arabia, a country so invested in protecting its critical oil infrastructure, have been vulnerable to a cyber-attack of this magnitude? More importantly, what is next? An analysis of the government's response to Shamoon can provide an indication of its preparedness for future cyber-conflict in a region recently wracked by cyber-attacks.

Given the recentness of the event, not much has been published in academic circles about Shamoon, or about Saudi cyber-security in general. Much more attention has been focused on the Islamic Republic of Iran, which was hit by at least three types of malware used for cyber-espionage and cyber-sabotage, including the Stuxnet malware, attacks labeled the future of cyber-war [7]. Thus far, Shamoon has been almost exclusively addressed by journalists and cyber-security professionals, although it is likely to be taken up by academics as further evidence of a growing cyber-war.

The purpose of this study is to examine Saudi Arabia's reaction and response to the Aramco attack using the research question: How did the Saudi Government, the primary stakeholder of Saudi Aramco, react and respond to the Shamoon attack, and how did this response conform to current cyber-security standards? The study describes the current state of Saudi cyber-security policies and then analyzes the case to develop policy recommendations for improving Aramco's cyber-security. Moreover, future interviews with Aramco IT experts will provide a basis for our development of recommendations to Aramco for developing security best practices. The goal of the recommendations is to prevent future cyber-attacks that could cause more damage and potentially affect energy prices around the world.

II. RESEARCH ISSUES

Research articles on cyber-warfare and cyber-attacks date back to the early 1990s [8]. To set the context of this study, we examined the most recent and seminal works.

A. Cyber-Warfare

Since the early 1990s, academics and policymakers have been warning of imminent cyber-doom [8]. However, skeptics such as James Lewis, in his formative piece "Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats," have argued that cyber-warfare would not be a strategic game changer. Lewis argued that critical infrastructure is inherently resistant to cyber-attacks, and that the purported effects of cyber-warfare were grossly exaggerated [9].

Martin Libicki's 2009 "Cyberdeterrence and Cyberwar," a seminal work, draws on historical conflicts and laws to discuss cyber-warfare and cyber-deterrence. He defines a cyber-attack as a "deliberate disruption or corruption by one state of a system of interest to another state" [10].

B. Iranian Cyber-Response Experience

Iran has experienced a number of cyber-attacks since 2009; their public disclosure occurred in 2010, when the existence of the Stuxnet malware was discovered by cyber-security vendors. Since then, additional malware families, Duqu and Flame, have also struck Iranian information systems [7]. Of the known attacks, Stuxnet was the most destructive, targeting the Fuel Enrichment Plant in Natanz, Iran, and damaging 1,000 of the 9,000 deployed centrifuges [11].

Since then, Stuxnet has been described as "the future of cyberwar" [12]. In response, Iran has developed an official Cyber-warfare Division under the Islamic Revolutionary Guard Corps. In 2011, Iran promised, "Should the Iranian cyber army be provoked, Iran would combat these operations with their own 'very strong' defensive capabilities" [13]. The country has also allegedly begun investing over $1 billion USD in improving its cyber-security defenses [14], and has made plans to disconnect Iran from the internet and develop an isolated national intranet [15].

C. Saudi Cyber-Response Experience

Lessons for Saudi Arabia can be drawn from Iran's experience of cyber-warfare, and are especially pertinent since Iran is Saudi Arabia's primary regional rival [3]. However, public English and Arabic sources discussing Saudi cyber-security are limited, with the exception of a few media mentions and an article authored by Brigadier General and member of the Saudi royal family Prince Naef Bin Ahmed Al-Saud.

The article was published in early 2012, before the Aramco cyber-attack, and was entitled "A Saudi Outlook for Cybersecurity Strategies Extrapolated from Western Experience." It examined the steps the United States took towards forming cyber-security policies, especially with regard to the role of the Department of Defense and partnerships with industry [16]. Al-Saud did not provide many details about the state of cyber-security in the Kingdom. However, he implied that Saudi Arabia currently does not provide financial incentives to invest in cyber-security, nor is there coordination between the Ministry of Defense and critical infrastructure stakeholders regarding cyber-defense.

Al-Saud anticipated that an attack on Aramco could be considered a national security threat, and the Saudi Interior Ministry in a recent statement declared, "The August cyber-attack on Aramco's computer network targeted not just the company but the Kingdom's economy as a whole." Moreover, Al-Saud declared that Saudi Arabia may require the United States or other foreign nations to step in and assist "…if hackers were to compromise servers in a neutral country in order to interfere with Aramco computer systems" [16].

Al-Saud's article is important because it sheds some light on the state of Saudi Arabia's cyber-security policies from a knowledgeable individual who is a member of the upper echelons of the Saudi military as well as a member of the Saudi Royal Family. However, critical questions remain about existing cyber-security policies and future plans.

D. Summary

It is important to place cyber-attacks within the context of previous incidents and the theoretical framework of cyber-warfare. By examining Iran's experience of and response to weaponized malware, and by demonstrating that Iran is pursuing offensive cyber-warfare capabilities, lessons for Saudi Arabian cyber-security can be determined. The lack of sources discussing Saudi cyber-security makes this investigation imperative, as it will further the understanding of the current state of Saudi cyber-security policies.

III. METHODOLOGY

There are few public details about Saudi Arabia's cyber-security policies. The Shamoon malware attack is the only known cyber-security incident threatening Saudi national security, which makes it an ideal case to study.

A. Research Approach

In order to answer the research question, a comprehensive exploratory case study methodology will be used to understand the narrative of the incident and the nature of Aramco's cyber-security policies.

To conduct the case study, a variety of publicly accessible text sources, such as posts by the alleged Shamoon hackers, press releases by Aramco and the government of Saudi Arabia, and blog posts and newspaper articles discussing the attack, are being collected and translated. Additionally, in-depth interviews with key Aramco employees and cyber-security professionals will be used to triangulate information derived from the text sources, supplementing, contradicting, or reinforcing details found in the textual analysis.

B. Research Challenges

Due to the sensitive nature of the incident, and Aramco's status as a state-owned company that is not publicly traded and therefore publishes little detail about its operations, gaining access is a serious challenge. Once access has been granted, Aramco stakeholders may also limit the level of detail and the ability to publish. Resolving these issues is of utmost concern.

IV. RESULTS

Once all the sources are collected, analyzed, and initially ranked, a comprehensive narrative of the incident will be authored describing the timeline of the incident and the role of the different parties involved.

Some initial details regarding the incident have been collected and are presented below:

A. Phase 1: Disclosure (August 15)

• Aramco officials posted on their homepage that they were responding to a network disruption suspected to be the result of malware [17].
• Hackers calling themselves the Cutting Sword of Justice (سيف العدالة القاطع in Arabic) posted two letters, one in Arabic and one in English, on Pastebin (a web application for sharing text) claiming responsibility for the disruption [18], [19].
• A second hacker group, the Arab Youth Group, also posted to Pastebin claiming responsibility [20].
• The Cutting Sword of Justice followed up with two more posts, including a list of alleged internal Aramco IP addresses [21], [22].

B. Phase 2: Analysis (August 16-17)

• Cyber-security professionals, including Kaspersky and Seculert, began analyzing samples of Shamoon [23], [24].
• A sample was leaked to the general public [25].

C. Phase 3: Media Response (August 18-)

• Prior to this point, Shamoon had been mentioned in only a few media sources, including ZDNet and the Saudi Gazette [26], [27].
• The majority of mainstream media began reporting on the topic, including the New York Times, Forbes, and the Washington Post [5], [28], [29].

V. CONCLUSION

This research provides a unique opportunity to examine Aramco's response to the Shamoon cyber-attack. While the research goal is to identify the current state of Saudi cyber-security policies by examining their role in the attack, there are potential limitations. Aramco functions as a corporation, not as a governmental organization. However, the government has a large vested interest in playing a key role in protecting Aramco as its primary revenue source. Given that relationship, it is unlikely to have stood idly by during the attack and during the investigation.

This work in progress has two important goals: (1) that the exploratory research will document the incident and will be beneficial for future reference, and (2) that the literature review and the interviews with Aramco IT experts will provide a basis for our development of recommendations to Aramco for developing security best practices. By identifying and analyzing the cyber-security policies, we have an opportunity to prevent future cyber-attacks, especially ones that might cause additional damage and affect oil production.

REFERENCES

[1] Symantec Corporation, "Norton Study Calculates Cost of Global Cybercrime: $114 Billion Annually," Mountain View, CA, 07-Sep-2011.
[2] McAfee Foundstone Professional Services and McAfee Labs, "Global Energy Cyberattacks: 'Night Dragon'," McAfee, Inc., Feb. 2011.
[3] A. H. Cordesman, Saudi Arabia: National Security in a Troubled Region. Santa Barbara: ABC-CLIO, 2009.
[4] C. Helman, "The World's Biggest Oil Companies," Forbes, 07-Sep-2010.
[5] N. Perlroth, "Cyberattack on Saudi Oil Firm Disquiets U.S.," The New York Times, 23-Oct-2012.
[6] ICS-CERT, "JSAR-12-241-01: Shamoon/DisTrack Malware," Industrial Control Systems Cyber Emergency Response Team, Aug. 2012.
[7] J. P. Farwell and R. Rohozinski, "The New Reality of Cyber War," Survival, vol. 54, no. 4, pp. 107–120, Aug. 2012.
[8] T. Rid, "Cyber War Will Not Take Place," Journal of Strategic Studies, vol. 35, no. 1, pp. 5–32, 2012.
[9] J. Lewis, "Assessing the Risks of Cyber Terrorism, Cyber War and Other Cyber Threats," Center for Strategic and International Studies, pp. 1–12, 2002.
[10] M. C. Libicki, Cyberdeterrence and Cyberwar. Rand Corporation, 2009.
[11] D. Albright, P. Brannan, and C. Walrond, "Stuxnet Malware and Natanz: Update of ISIS December 2, 2010 Report," Institute for Science and International Security ISIS Reports, Feb. 2011.
[12] J. P. Farwell and R. Rohozinski, "Stuxnet and the Future of Cyber War," Survival, vol. 53, no. 1, pp. 23–40, Jan. 2011.
[13] J. Carr, Inside Cyber Warfare: Mapping the Cyber Underworld, 2nd ed. Sebastopol: O'Reilly Media, 2011.
[14] Y. Katz, "Iran embarks on $1b. cyber-warfare program," Jerusalem Post, 18-Dec-2011.
[15] I. Berman, The Iranian Cyber Threat to the US Homeland. Washington, D.C., 2012.
[16] N. B. A. Al-Saud, "A Saudi Outlook for Cybersecurity Strategies Extrapolated from Western Experience," Joint Force Quarterly, no. 64, pp. 75–81, Jan. 2012.
[17] Saudi Aramco, "Saudi Aramco responds to network disruption," Saudi Aramco, 15-Aug-2012. [Online]. Available: www.saudiaramco.com/en/home/news/latest-news/2012/saudi-aramco-responds-to-network-disruption.html. [Accessed: 10-Nov-2012].
[18] Cutting Sword of Justice, "We, behalf of an anti-oppression hacker group," Pastebin, 15-Aug-2012. [Online]. Available: http://pastebin.com/HqAgaQRj. [Accessed: 09-Nov-2012].
[19] Cutting Sword of Justice, "أنا و بالنيابة عن إحدى مجموعات الهاكرز المحاربة للظلم" [I, on behalf of one of the anti-oppression hacker groups], Pastebin, 15-Aug-2012. [Online]. Available: http://pastebin.com/nLs9iMCL. [Accessed: 10-Nov-2012].
[20] Arab Youth Group, "الشباب العربي، الأمة الإسلامية" [Arab Youth, the Islamic Nation], Pastebin, 15-Aug-2012. [Online]. Available: http://pastebin.com/PUHqDQnd. [Accessed: 10-Nov-2012].
[21] Cutting Sword of Justice, "The network of giant oil company 'Saudi Aramco' was hacked today," Pastebin, 15-Aug-2012. [Online]. Available: http://pastebin.com/p5C4mCCD. [Accessed: 10-Nov-2012].
[22] Cutting Sword of Justice, "More details discovered about aug/5 cyber attack on Saudi Aramco - Pastebin.com," Pastebin, 15-Aug-2012. [Online]. Available: http://pastebin.com/5YB3TUH1. [Accessed: 10-Nov-2012].
[23] Seculert, "Shamoon, a two-stage targeted attack," Seculert Blog, 16-Aug-2012.
[24] GReAT, "Shamoon the Wiper - Copycats at Work," Securelist, 16-Aug-2012.
[25] M. Parkour, "Shamoon or DistTrack.A samples," contagio, 17-Aug-2012.
[26] J. Clark, "Shamoon malware infects computers, steals data, then wipes them," ZDNet, 17-Aug-2012. [Online]. Available: http://www.zdnet.com/shamoon-malware-infects-computers-steals-data-then-wipes-them-7000002807/. [Accessed: 12-Nov-2012].
[27] "Malware attack has no adverse repercussions, says Aramco," Saudi Gazette, 17-Aug-2012.
[28] S. Lawson, "Anonymous Sources Provide No Evidence of Iran Cyber Attacks," Forbes, 31-Oct-2012.
[29] E. Nakashima, "Cyberattack on Mideast energy firms was among most destructive, Panetta says," The Washington Post, 12-Oct-2012.
