Lots of press on the Aramco virus and DDoS attack. But there are two key points that should be emphasized about the breach:
- This is the first significant use of malware in a hacktivist attack. In the past, as we described in our February report, most hacktivist attacks were primarily application or DDoS attacks.
- Antivirus doesn't work. The attackers claim to have infected 30K PCs, which, if true, would be roughly 75% of all the company's computers. Ouch. The evidence for the need for a new security model continues to pile up.
One should not miss the key evolutionary step this attack represents, though. In the last couple of years, it has become very popular to single out the Chinese, US and Israeli governments as the actors behind cyber-warfare.
That is why the Aramco attack is so interesting. In this case it wasn't a government, an agency or a company. This time it was hacktivists working for a political and social cause. In other words, a group of hobbyists and hacktivists with several very strong-minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish. Does this mean that hacktivism has become so powerful that it can compete with government cyber-warfare organizations?


There are two parties that will lose from Saudi Arabia stopping oil production: the West and the Saudis.
Those that will benefit are all the other OPEC countries (as they will sell more oil), as well as all those who want to see Western civilization brought down.
So if it is state sponsored, it will be one of their local neighbours, not Israel/USA/Europe.
The security model needed for today is different from what was built for yesterday. This being the case, security professionals should look for a better model to address tomorrow's needs.
The 30K computers which were infected might have had antivirus installed without the virus definitions being updated. The gap between the virus infection and vulnerability identification is something to be looked into before ruling out AV completely.
Jeff: You make a good point. As I said in a February NYT article, "Hacktivism gives anyone any excuse to hack anyone at any time." This includes governments, private hackers and politically motivated actors. It's a very convenient proxy. However, this was the first significant attack involving malware. To your point, this could indicate something state sponsored, but it is very hard to tell.
Thanks for the contribution.
Rob, it's impossible to distinguish between a hacker and a hacktivist because they could easily be the same person. It's not like they're different species. Further, there are good reasons to believe that this was a state-sponsored attack, and there are reports coming out of Saudi Arabia to support that.