'Shamoon' computer virus attack marked new height in international cyber conflict

Feb 13, 2013 by Jeff Falk

The deployment of the "Shamoon" computer virus against the Saudi Arabian Oil Co. last year was an important new development in international cyber conflict. Shamoon must put all providers of critical services on alert and requires concerted action by governments and private interests, according to a new working paper from Rice University's Baker Institute for Public Policy and the International Institute for Strategic Studies (IISS) in Manama, Bahrain.

The paper, "Hack or Attack? Shamoon and the Evolution of Cyber Conflict," was co-authored by Christopher Bronk, a fellow in at the Baker Institute, and Eneken Tikk-Ringas, a senior fellow for cybersecurity at the IISS. The paper documents the Shamoon case and considers its impact on broader policymaking regarding the Middle East, energy and cybersecurity issues. The paper has been approved for publication in the March issue of the journal Survival, and Strategy.

"Although the Shamoon attack did not result in any physical damage to in the Middle East, there has been a secondary impact on risk assessment for providers of critical services worldwide," Bronk said. "Shamoon is a reminder that enterprises need to be alert about the possibility of becoming the target of a politically motivated cyberincident."

On Aug. 15, 2012, the Saudi Arabian Oil Co. (also known as Saudi Aramco) was struck by a that possibly spread across as many as 30,000 Windows-based personal computers operating on the company's network. The company is Saudi Arabia's national petroleum concern and a producer, manufacturer, marketer and refiner of crude oil, natural gas and . According to news sources, it may have taken Aramco almost two weeks to fully restore its network and recover from the disruption of its daily business operations caused by data loss and disabled workstations resulting from the incident. The computer security research community dubbed the virus Shamoon.

While Aramco leadership has asserted that production was unaffected, the authors said there are important questions from the Shamoon case germane to other players in oil and gas and elsewhere in industry. "But the critical point for policy is how government, commercial actors, the international system and other players share and manage cyberincident risk," Bronk said. "Shamoon identifies just how broadly a major cyberattack can impact key national capabilities and concerns."

The authors argue that the Shamoon incident calls for a review and refinement of critical infrastructure policies (CIP) and joint efforts between governments and private interests.

"Developing working public-private partnerships in CIP is a challenging task, as it requires very careful consideration by government of relevant business goals and processes as well as appreciation of the governmental threat assessment logic and the required supervisory steps by the private sector," Tikk-Ringas said. "Although the need for public-private protection and defense models has been acknowledged, the policy goals and business routines are difficult to marry without resistance." She said a plan of action for achieving a working CIP model will need a balanced role division.

The authors said cyberattacks against critical infrastructure are unlikely to go unnoticed, and therefore, an appropriate response is in order. "This raises the questions of strategic communications, decision-making about who responds to which aspects of the incident and how," Tikk-Ringas said. "Such transgressions challenge national security and raise the questions of use of force considered by lawyers of international conflict. Therefore, responses to CI cyberincidents matter from both national authority and general deterrence perspectives and, in the light of the Aramco-Shamoon incident, require special attention by enterprises, governments and international organizations alike."

Explore further: Celebrities' nude shots removed from some websites

More information: "Hack or Attack? Shamoon and the Evolution of Cyber Conflict" working paper: www.bakerinstitute.org/publica… rConflict-020113.pdf

add to favorites email to friend print save as pdf

Related Stories

Cyber war targets Middle East oil companies

Oct 22, 2012

Middle Eastern oil and gas companies have been targeted in massive attacks on their computer networks in an increasingly open cyber war where a new virus was discovered just this past week.

Virus origin in Gulf computer attacks in question

Sep 04, 2012

(AP)—Security technicians are beginning to suspect that highly targeted virus attacks were behind the recent crippling of computer systems at two major Gulf energy companies, even as questions swirl about ...

Recommended for you

Startups offer banking for smartphone users

Aug 30, 2014

The latest banks are small enough to fit in the palm of your hand. Startups, such as Moven and Simple, offer banking that's designed specifically for smartphones, enabling users to track their spending on the go. Some things ...

'SwaziLeaks' looks to shake up jet-setting monarchy

Aug 29, 2014

As WikiLeaks founder Julian Assange prepares to end a two-year forced stay at Ecuador's London embassy, he may take comfort in knowing he inspired resistance to secrecy in places as far away as Swaziland.

Ecuador heralds digital currency plans (Update)

Aug 29, 2014

Ecuador is planning to create what it calls the world's first digital currency issued by a central bank, which some analysts believe could be a first step toward abandoning the country's existing currency, ...

User comments : 1

Adjust slider to filter visible comments by rank

Display comments: newest first

frajo
not rated yet Feb 14, 2013
[1]
Such transgressions challenge national security and raise the questions of use of force considered by lawyers of international conflict

Saudi Arabia is a tyranny - anti-democratic, violator of human rights, with Shariah based laws, suppressor of the freedom fighters in Bahrain.
So who is to consider the "use of force" against whom?

[2]
struck by a computer virus that possibly spread across as many as 30,000 Windows-based personal computers
Congratulations. This was the first virus related PhysOrg article I read that did not omit the Windows aspect.