The Shamoon attack was a cyberattack that targeted Saudi Aramco in 2012 and 2016. Attackers were able to gain access to Saudi Aramco's systems through a phishing email that exploited known administrator passwords. The malware wiped data from over 30,000 machines at Saudi Aramco, preventing them from rebooting and forcing the company to shut down its corporate network. The attackers' motivations were believed to be cyber activism against the Saudi government or retaliation for Western actions against Iran. Saudi Aramco took 5 months to fully recover from the attack and implement new security measures.

1. Shamoon Attack
Angela Kozma, David Vera,
Justin Baker, Nur Jahed, Tyler Whittaker

2. Agenda
● What is Shamoon
● Attackers
● Target
● Vulnerability
● Motivation
● Approach
● Dropper
● Wiper
● Reporter
● Shamoon 2
● Outcome
● Prevention and recovery
● Exploit
● Conclusion

3. What is the Shamoon Attack?
● Malware that attacked newly updated 32 bit Windows NT
kernels.
● At the time the malware was distinct from other viruses
due to its destructive nature
● The virus was simply designed to cause maximum
devastation to the target- Saudi Aramco
● The Shamoon Attack was carried out twice, once in 2012 &
2016

4. Attackers
● Cutting Sword of Justice
● Have not been caught or identified
● Sent a phishing email that contained a bad link
which allowed the hackers to gain access

5. Target
● Saudi Arabian Oil Company, also known as Saudi
Aramco
● Have the 2 largest oil reserve in the world
○ Supply 10% of the world's oil
● 10.53 million barrels of oil per day

6. Vulnerability
● Admin passwords was already known
● Email contained malicious link
● Most staff was on holiday
● Windows User Access Control exploited
● Registry modified
● Network allowed worm to spread

7. Motivation
● Act of Cyber Activism
● Fed up with Al Saud Regime oppression against other
countries
● One theory is that the attacks are retaliatory measures
against the U.S. for:
○ Stuxnet, the U.S-Israeli backed malware that disrupted
Iran’s nuclear enrichment program
○ Payback for the severe U.S.-imposed sanctions that have
sent the Iranian economy into a tailspin.

8. Motivation Cont.
● The other theory suggests that the attack was highly
motivated by the “deep-wrath”, against the Saudi
Government because of:
● The Saudi government’s assistance to Sunni(denomination
of Islam) factions in Syria and Bahrain.
● The mistreatment of the Shiites(other denomination of
Islam) by Saudi Aramco.

9. Approach
● Shamoon used a destructive malware to wipe data from about
30,000 machines and prevented the machines from rebooting
● The worm-like malware that was used, corrupted files on a
compromised computer and it overwrote the Master Boot Record
(MBR) to make an effort to make the computer unusable

10. Approach Cont.
● At the time of the initial attack it was thought Shamoon was a
copycat attack that mimicked Wiper
● Three components that Shamoon has used were:
○ Dropper
○ Wiper
○ Reporter

11. Dropper
● Main area where the original infection starts (The main
component of the attack)
● How it works:
1. Copies itself onto the system and will drop files embedded
into resources
2. Also, make copies of itself on shared networks
3. Create a task to execute itself whenever Windows starts

12. Wiper
● Responsible for the destructive functionality of the threat that is
being placed
● How it works:
1. Deletes existing driver from certain locations and overwrites
them with another real driver
2. Then executed commands that collect file names, which gets
overwritten and becomes useless to the users
3. The MBR will get overwritten so that the computer can no
longer start

13. Reporter
● Reports infection data back to the attack
○ Ex: domain name, the number of files that
were overwritten, and the IP address of the
compromised computer

14. Shamoon 2.0 Approach
● The approach for Shamoon 2.0 is very similar, but the
technology is more advanced
● 90% of the original code used in Shamoon is being reused
○ But comes with a fully functional ransomware module
○ Common wiping functionality
○ Installs a legitimate-looking driver
● Dropper and Wiper are the same expect the final part of the
attack was completely automated

15. Shamoon Attack

16. Outcome
● Aramco was forced to shut down corporate network
○ Trucks were turned away since electronic payment was
down
● The attack could have been much worse
○ No drops of oil
● Five months later a new secured computer network and an
expanded cyber security team was implemented

17. Prevent an attack and
Recovery
● Ensure privileges are given to the right people
● Email and web browsing is a huge vulnerability
● Don’t let your guard down
● Network firewall rules
● 3,2,1 backup rule
● Access internal threats

18. Exploit

19. Conclusion
● Wakeup call for Saudi Arabian Oil Company
● Attacker was able to gain access, read, and destroy data
● Took 5 months to fully recover

20. References
Alelyani, S., & Kumar, H. (n.d.). Overview of Cyberattack on Saudi Organizations. Retrieved from
https://journals.nauss.edu.sa/index.php/JISCR/article/view/455
Case, D. U. (2016). Analysis of the cyber attack on the Ukrainian power grid.
Electricity Information Sharing and Analysis Center (E-ISAC).
Mills, E. (2018). Saudi Oil firm says 30,000 computers hit by virus. Retrieved from
https://www.cnet.com/news/saudi-oil-firm-says-30000-computers-hit-by-virus/
Pagliery, J. (2015, August 5). The inside story of the biggest hack in history. Retrieved November 5,
2018, from https://money.cnn.com/2015/08/05/technology/aramco-hack /index.html
Perlroth, N. (2012, October 24). In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.
Retrieved November 13, 2018, from
https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-
us.html
Saudi Arabia Crude Oil Production:. (n.d.). Retrieved November 12, 2018, from