Cyberattack Targets Safety System at Saudi Aramco

Malicious software attacked a safety system in August at Saudi Aramco, the world’s largest oil company, in what is the first-ever example of malware targeting the computer systems designed to prevent a disaster at an industrial facility.

The attack was first described by the computer security firm FireEye in a blog post last week, which did not name the victim of the attack. But a confidential report obtained by Foreign Policy and authored by Area 1 Security, a computer security firm founded by veterans of the U.S. National Security Agency, identifies Aramco as the victim of the attack.

In a statement, Aramco, Saudi Arabia’s national oil company and a pillar of its economy, denied the attack took place: “Saudi Aramco corporate and plants networks were not part of any cyber security attack or breach.”

FireEye declined to comment on its clients or the details of an investigation.

The revelation that Aramco was targeted by malicious hackers comes as the company prepares for what will likely be the largest initial public offering of all time. Saudi Crown Prince Mohammed bin Salman has staked the company’s IPO as the centerpiece of a sweeping reform plan, which seeks to diversify the economy and use the windfall from the sale to underwrite an ambitious modernization effort.

Area 1’s assessment of the attack on Aramco identifies Iran as the likely perpetrator, but other computer security experts who have examined the incident caution against prematurely assigning responsibility. “This is probably one of the most difficult attribution cases that I’ve ever looked at,” said one former American intelligence official familiar with the incident.

The Area 1 report, which paints a complex picture of the malware dubbed Triton, does not contain hard evidence to implicate Iran in the attack on Aramco.

Though the first of its kind to directly attack the safety systems at a critical infrastructure facility, the Triton malware was ultimately a failure. According to FireEye, Triton attacked a safety system known as Triconex, which is manufactured by the German firm Schneider Electric. Triconex is used all over the world, and provides an emergency shutdown function.

Triton attempted to alter one of these safety controllers, which resulted in the controller shutting down an unspecified industrial process. The shutdown prompted Aramco to investigate and discover the Triton software.

Analysts for Area 1 speculate in their report that the malware could have been the product of collaboration between Russia and Iran. While hackers working on behalf of Iran are considered sophisticated, Russia is regarded as more advanced and has carried out cutting-edge operations that have twice resulted in widespread power outages in Ukraine.

The Triton malware contains an artifact, a Russian name, that could point toward its authorship. The Area 1 report speculates that Russian expertise could have aided the operation but acknowledges that these artifacts could also be false flags to cast blame on Russia, which has a history of carrying out attacks on critical infrastructure.

But the attack on Aramco comes against a backdrop of frequent digital assaults by Iran against Saudi Arabia as a component of the two countries’ regional rivalry, which has intensified as Iranian proxy forces have gained influence in Iraq, Syria, Lebanon, and Yemen.

Hackers thought to be working on behalf of Iran attacked Aramco in 2012, succeeding in wiping 30,000 computers at the sprawling company and grinding operations to a halt. Security experts have linked subsequent cyberattacks on Saudi Arabia to Iran as well.

In recent days, tensions between Riyadh and Tehran have further escalated, as American and Saudi officials have accused Iran of supplying missiles to Houthi rebels in Yemen, which were used against targets in Saudi Arabia.

Aramco represents a natural target in the two countries’ rivalry. “There is nothing more important in Saudi Arabia than the successful launching of the IPO,” said Samantha Ravich, a senior advisor at the Foundation for the Defense of Democracies, a hawkish Washington research group. “This fits with a pattern of going after the main driver of what stabilizes Saudi Arabia, which is at this point an undiversified economy resting on the shoulders of Aramco.”

Though the attack on Aramco ultimately failed, it provides a portrait of conflicts to come. Targeting critical infrastructure with malware represents the bleeding edge of nation-state hacking activity, and taking out safety systems is one way to inflict damage on an opponent’s critical industry.

In a separate report on the Triton malware, the industrial security firm Dragos cautioned that the attack would be difficult to replicate at scale but said the malware represents an important development in the field of cybersecurity. “Adversaries are becoming bolder,” the company noted, adding that an attack on a safety system represents a “considerable step forward in causing harm.”

Joe Weiss, a veteran nuclear engineer and safety expert, said the Triton reports probably only scratch the surface of what happened at Aramco and said an attack on Triconex devices would need to be accompanied by other tools targeting such things as control systems in order to cause destruction.

“If it’s a more coordinated program the implications are really pretty staggering,” Weiss said. “Because these things are used all over the world.”