Shamoon virus returns in Saudi computer attacks after four-year hiatus

(Reuters) - Shamoon, the destructive computer virus that four years ago crippled tens of thousands of computers at Middle Eastern energy companies, was used two weeks ago to attack computers in Saudi Arabia, according to several U.S. cyber security firms.

CrowdStrike, FireEye Inc, Intel Corp’s McAfee security unit, Palo Alto Networks Inc and Symantec Corp warned of the attacks, though they did not name any victims. They did not say how much damage had been caused or identify the hackers using Shamoon, which cripples computers by wiping drives used to start machines.

Saudi Arabia said on Thursday that hackers had launched an attack on computers on government bodies and organizations in the transport sector in mid-November, heightening concern about security in the world’s largest oil exporter.

Victims included the General Authority of Civil Aviation, the Saudi agency that runs airports, where the attack disrupted work for several days, Bloomberg News reported, citing people familiar with the investigation.

The attack originated outside the country and was one of “several ongoing cyber attacks targeting government authorities,” the National Cyber Security Center, an arm of the Ministry of Interior, told state news agency SPA.

The statement did not give details of the identity of the attacker or the damage caused, beyond saying the virus aimed to disrupt servers and plant malicious software in computer systems.

The 2012 Shamoon attack on Saudi Aramco, the world’s largest oil company, was widely seen as a watershed event. At the time, U.S. Defense Secretary Leon Panetta said it was probably the most destructive cyber attack on a business. There have since only been a few major attacks with disk-wiping malware, including ones in 2014 on Sheldon Adelson’s Las Vegas Sands Corp and Sony Corp’s Hollywood studio.

In the initial Shamoon hacks, images of a burning U.S. flag were left on computers at Saudi Aramco and RasGas Co Ltd. A disturbing image of the body of 3-year-old drowned Syrian refugee Alan Kurdi was used in recent attacks.

The 2012 hackers were likely working on behalf of the Iranian government, said CrowdStrike Chief Technology Officer Dmitri Alperovitch. It is too early to say whether the same group was behind Shamoon 2, he said.

Tehran has been investing heavily in its cyber capabilities since 2010, when its nuclear program was hit by the Stuxnet computer virus, widely believed to have been launched by the United States and Israel.

The malware triggered the disk-wiping to begin at 8:45 p.m. local time on Nov. 17, according to the security firms.

The Saudi business week ends on Thursday, so it appears to have been timed to begin after staff left for the weekend to reduce the chance of discovery and allow maximum damage.

Reporting by Jim Finkle in Boston, Tom Finn in Doha and Jeremy Wagstaff in Singapore; Editing by Alison Williams and Leslie Adler