Impact of Cyber Attack on Saudi Aramco


to recover data from the damage because of its vast resources. Viruses usually target the networks of multinational corporations, but critical damage on that scale against a company so central to the international energy markets is alarming. It was a huge blow to the largest oil producer in the world. The random deletion of data from the computers' hard drives was alleged to be the main function of Shamoon. It did not cause an explosion, an oil spill, or any major destruction of Aramco's operations, but it adversely affected business operations, and some production and drilling data may have been lost [3]. The virus also spread to other oil and gas networks, including those of RasGas [4]. The incident came after years of warnings about the risk of such attacks on major infrastructure. For over a decade, Washington and Riyadh have focused on protecting the operations of the Saudi oil and gas industry from physical damage. Even a small disruption of production units in the Eastern Province or a similar area would immediately affect oil prices and supplies, with knock-on effects for the international economy [5]. After a failed terror attack on the petroleum processing unit at Abqaiq in February 2006, concerns over security at Aramco's facilities have been rising. Though Aramco's production units suffered no physical damage, Shamoon prompted a reassessment of the risk to important infrastructure across the world. The impact of the incident was so great that Leon Panetta, the US Secretary of Defense, described it as a "very sophisticated" virus that caused huge concern. He commented that only a few countries are capable of handling the impact [2]. The virus attacked the Aramco network and damaged over 30,000 hard drives, rendering them inoperable. No evidence was found of attempts by the attackers to steal important data. They did not disrupt other network devices and did not affect the production of oil and gas.
An anonymous group of hackers took responsibility, citing political motives [6]. To deal with the incident, Aramco's corporate network was disconnected from the web and one or more web servers were shut down. Despite the great destruction caused by the attack, the hackers could not stop Aramco's production. Aramco supplies around one tenth of the world's oil. The attack could not disrupt the supply line, but it was among the most troublesome cyber attacks conducted against the company's business operations. The attackers used the Shamoon virus, which infected almost all the workstations and caused the organization to halt its internal networks for around a month [7]. Saudi Arabia relies heavily on oil production for its economy. Attacks of this type are widely known as "Advanced Persistent Threats (APT)" and they most often affect workstations. The attackers looked for password hashes of admin accounts and "passed the hash" to reach more powerful machines, where they found hashes of accounts with still greater admin rights. Through this method the APT attackers reached higher domain levels and server admin accounts. It is worth noting that, even though they found and passed hashes, they could not gain access to the critical Aramco systems. There is also a chance that better and more effective controls in Saudi Aramco prevented a more severe attack [2]. Saudi Aramco, the world's leading oil producer, added that it halted the connections between its electronic systems and the outside world to avoid further cyber attacks [8]. Oil exploration and production ran on separate systems and were not affected. The organization assured its partners, customers and stakeholders that the virus could not affect them and that operations would continue to function well. Nevertheless, Aramco's websites were offline, and emails sent to employees bounced back [6].
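The paragraph above describes the attackers harvesting admin password hashes and passing them to reach more machines. From a defender's side, the observable artefact of that technique is one admin account producing NTLM network logons to an unusual number of distinct hosts in a short window. The following detector is an added example written for this page, not code from the paper or from Aramco: it runs over constructed, simplified 4624-style logon records (timestamp, account, target host, logon type, authentication package); the account names, host names, the 5-host threshold and the 30-minute window are all assumptions chosen for illustration.

```python
"""Flag admin accounts fanning out across many hosts via NTLM network logons.

Added example, not from the paper. Records are constructed in a simplified
Windows Security event 4624 shape; only network logons (type 3) using NTLM
are counted, since a passed hash produces exactly that kind of logon.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real Aramco logs):
# (timestamp, account, target_host, logon_type, auth_package)
SAMPLE_LOGONS = [
    ("2012-08-15 08:00:00", "CORP\\jdoe",         "FS-01",   3, "NTLM"),
    ("2012-08-15 08:05:00", "CORP\\jdoe",         "PRINT-1", 3, "NTLM"),
    # one admin account touching six hosts in six minutes
    ("2012-08-15 09:00:00", "CORP\\svc-admin",    "WS-101",  3, "NTLM"),
    ("2012-08-15 09:01:00", "CORP\\svc-admin",    "WS-102",  3, "NTLM"),
    ("2012-08-15 09:02:00", "CORP\\svc-admin",    "WS-103",  3, "NTLM"),
    ("2012-08-15 09:03:00", "CORP\\svc-admin",    "DC-01",   3, "NTLM"),
    ("2012-08-15 09:04:00", "CORP\\svc-admin",    "FS-01",   3, "NTLM"),
    ("2012-08-15 09:06:00", "CORP\\svc-admin",    "FS-02",   3, "NTLM"),
    # a backup job authenticating with Kerberos is not what this rule looks for
    ("2012-08-15 09:00:00", "CORP\\backup-admin", "WS-201",  3, "Kerberos"),
    ("2012-08-15 09:01:00", "CORP\\backup-admin", "WS-202",  3, "Kerberos"),
    ("2012-08-15 09:02:00", "CORP\\backup-admin", "WS-203",  3, "Kerberos"),
    ("2012-08-15 09:03:00", "CORP\\backup-admin", "WS-204",  3, "Kerberos"),
    ("2012-08-15 09:04:00", "CORP\\backup-admin", "WS-205",  3, "Kerberos"),
    # an interactive (type 2) logon hours later is ignored as well
    ("2012-08-15 18:00:00", "CORP\\svc-admin",    "WS-104",  2, "NTLM"),
]

# Assumed list of privileged accounts worth watching.
ADMIN_ACCOUNTS = {"CORP\\svc-admin", "CORP\\backup-admin"}


def parse_ts(text):
    """Parse the constructed timestamp format used in SAMPLE_LOGONS."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def detect_ntlm_fanout(records, admin_accounts, threshold=5,
                       window=timedelta(minutes=30)):
    """Return {account: sorted target hosts} for every admin account whose
    NTLM network logons reach at least `threshold` distinct hosts inside any
    `window`-long interval. Threshold and window are tuning assumptions."""
    per_account = defaultdict(list)
    for ts, account, host, logon_type, package in records:
        if (account in admin_accounts and logon_type == 3
                and package.upper() == "NTLM"):
            per_account[account].append((parse_ts(ts), host))

    findings = {}
    for account, events in per_account.items():
        events.sort()  # chronological, so each start index opens one window
        for i, (start, _) in enumerate(events):
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) >= threshold:
                findings[account] = sorted(hosts)
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for account, hosts in detect_ntlm_fanout(SAMPLE_LOGONS, ADMIN_ACCOUNTS).items():
        print(f"{account}: NTLM network logons to {len(hosts)} hosts: {', '.join(hosts)}")
```

On the constructed data only `CORP\svc-admin` is reported; the Kerberos-authenticated backup account and the non-admin user are ignored. In practice the threshold has to be tuned against a baseline of legitimate administrative fan-out, such as patch deployment accounts, which is why the rule restricts itself to a watch list of privileged accounts rather than every user.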
The virus came from outside sources, and attackers would keep making such attempts. IT experts had already warned that cyber attacks on the oil and gas industry could disrupt energy supplies, whether they were the work of militant groups, hostile governments or private hackers. Iran's oil industry was the main target of the global sanctions related to its nuclear program. Many cyber attacks have affected the country over the past years. A virus that hit the networks of Iran's national oil exporter and its oil ministry led Iran to disconnect the control systems of Kharg Island and other oil facilities. Most of Iran's crude oil is exported from Kharg Island. Iran has attributed some of these attacks to Israel, Britain and the US. According to current and former US officials, the US had introduced a complex virus to keep Tehran from building nuclear weapons [10]. The authors of [11] presented a case study on Saudi Aramco, the largest oil organization in the world, where a severe cyber attack paralyzed the whole operation of the company for several months in 2012. They analyzed the company's response to that attack along with the existing policies for dealing with such attacks. The Saudi government, itself Saudi Aramco's key stakeholder, also reacted and responded to the attack, and the researchers studied how this response has contributed to existing cyber security standards.
Cyber criminals have primarily targeted the Kingdom of Saudi Arabia (KSA) because of its digital transformation, economic activity, high technology adoption and the growth of its oil and gas sector. Yet there is still a lack of investigation and research on cyber attacks in Saudi Arabia. For this reason, [12] conducted a case study on malware attacks on Saudi organizations. They focused in particular on Ransomware and Shamoon and presented a timeline of those attacks, along with their structures and the measures to prevent them.
To be specific, developed nations that are improving their infrastructure have become highly vulnerable, because they rely on their computer networks and technology. [13] briefly discussed and explained some cases of cyber attacks in the United Arab Emirates (UAE), the Kingdom of Saudi Arabia (KSA) and other Muslim countries, the common threats, and possible suggestions for the governments.

Research Gap
Cyber attacks are harmful not only to the business operations, computer networks, productivity and profitability of an organization, but also to the economy of the country, especially when the target is a large organization like Saudi Aramco. It has again been targeted by cyber criminals with ransomware, following the 2012 attack using a computer virus named "Shamoon." This study fills the gap by examining the modus operandi behind those attacks and identifying security measures to prevent them.

Research Question
• Why is Saudi Arabia the biggest target of cyber criminals?
• How did Shamoon and Ransomware break into the systems of Saudi Aramco?
• What are the best security practices and recommendations to prevent those attacks?

Importance of the Study
As one of the richest countries and major oil exporters in the world, Saudi Arabia has always been on the radar of cyber attackers. It has also been observed that the oil and gas industry has not put much emphasis on cyber security. Hence, this study is important in helping researchers and policymakers understand the importance of cyber security and implement security measures to prevent such attacks in future.

Research Objectives
• To analyze the increasing cyber attacks on Saudi Arabia

Shamoon was the most popular cyber attack on Saudi Aramco, but there are also other attacks that are worth discussing. The recent Ransomware attack has also cost companies billions. Cyber attacks on Saudi Aramco are an interesting case to study because they are the most widely known cyber security incidents in Saudi Arabia. For this study, we used secondary data from relevant sources.

Research Approach
To answer the research questions, we used a comprehensive exploratory study to understand how Ransomware and Shamoon work and the preventive measures that avoid those attacks. We also attempted to establish the narrative of the event as well as the nature of the cybersecurity policies adopted by Aramco. We used several publicly available text sources for this study, such as posts by authorized sources, news articles by major media houses, and press releases by the Saudi Arabian government and Aramco, along with newspaper articles and blogs discussing the attack.

Data Analysis
With the rise in the number of digital devices, computer and network attacks have become very pervasive in this day and age. Any connected device in this era is at risk from worms, viruses or malware. These attacks spare neither business users, home users and companies nor the security of a whole nation. According to Barack Obama, cyber security is important for the country's economy, so dealing with network and cyber attacks is very important and has been a major concern [15]. A security threat is the common cause of disasters that damage networks or systems. Several attacks and threats target wireless networks, and malware attacks wreak havoc on those networks through their basic loopholes [16], such as dynamic topology caused by unreliable communication and mobility, and limited energy. The Morris worm cost $10 to $100 million by damaging 60,000 connected workstations in 1988. Another worm, Blaster, attacked 400,000 workstations within 5 years. In 2011, Windows 2000, 9x, Vista, XP and Windows 7 computers were affected by AntiSpyware. Malware attacks have caused billions of dollars of damage as wireless networks advanced rapidly to meet consumer demand.

Why Saudi Arabia is the biggest target of cyber criminals?
A range of cyber attacks has been reported in Saudi Arabia over recent years because of rapid changes in political positions and economic conditions. According to the US Secretary of Defense, Shamoon, the computer virus that attacked Saudi Arabia, came from Iran [2]. Hence, it is important to start from the very beginning to understand the major cause of cyber attacks on Saudi Arabia. It all started in the Middle East when Stuxnet attacked a nuclear facility in Iran in 2009. The Stuxnet attack was a wake-up call, as countries across the world realized that their important infrastructure was vulnerable to cyber attacks whose consequences could be disastrous [17]. Another malware, Duqu, was found spying on several targets in Sudan and Iran, which could lead to cyber attacks in future [18]. In 2012, Flame, a malware designed like Stuxnet, attacked Iran's national oil company and oil ministry. The next, and the most widely known, was Shamoon, which in 2012 attacked Saudi Aramco, the world's leading oil producer, and wiped information from over 30,000 client computers. The same malware also attacked RasGas, the second largest liquefied natural gas producer, based in Qatar. The developer behind these malwares was the same [19].

Best security practices and recommendations to prevent those attacks
Considering the above statistics, here are some recommendations and suggestions to improve security:
• When a threat has been discovered that exploits multiple network services, organizations should block and disable access to those services with immediate effect until a security patch is rolled out. Patches should be kept up to date, especially on workstations that provide public services reachable through the firewall, including FTP, HTTP, DNS and mail services.
• Firewalls should be used widely to prevent all incoming traffic from outside sources to private services. All incoming connections should be blocked by default, and only those services that should be publicly available are allowed.
• A strict password policy is a must. Administrators should keep strong, hard-to-guess passwords. They should grant users and programs only the minimum privileges needed to finish the assigned task. Before entering a UAC or root password, it is important to ensure that an authorized application is the one asking for admin-level access.
• Email servers should be set to remove or block emails carrying attachments that can be malicious, such as files with extensions like .bat, .exe, .vbs, .scr and .pif. Compromised computers should be isolated immediately to keep threats from spreading to the next computer, and a forensic analysis must be performed before the systems are recovered.
• Staff must be warned about suspicious emails and attachments and instructed to open only authorized emails. In addition, they should scan any software downloaded from external sources for viruses. Only the services required by the host or server should be running, and all unused ports must be disabled or blocked, especially where proper patches are not in place.
• Passwords must be changed every 30 to 60 days and must combine at least two special characters, two lowercase letters and uppercase letters, with a minimum length of 14 characters. Staff should strictly avoid dictionary passwords or common passwords based on their name, date of birth, etc.
• Administrative access should be given only to those who need it. Account permissions must be assigned at the minimum level and raised only when needed. Antivirus must be set to scan and block emails with suspicious attachments from external sources.
• In case of a breach, a robust IT response team must be ready with the necessary tools and procedures, such as separating infected assets from the network for forensic testing and containment.
• Scans and vulnerability checks must be done on a regular basis. They help detect vulnerabilities in systems that need attention and patches according to the latest procedures of the IT department.
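Two of the recommendations above are concrete enough to encode as checks: the mail-server rule that blocks attachments with the listed extensions, and the password rules (minimum 14 characters, at least two special characters and two lowercase letters, uppercase letters, no name or date-of-birth based passwords, rotation every 30 to 60 days). The module below is an added example written for this page, not code from the paper or from Aramco. It generalises the attachment rule slightly by checking every extension in a file name rather than only the last one, so a disguised double extension such as `invoice.pdf.exe` is also caught; the banned-word list, the "at least one uppercase letter" reading of the policy, the 60-day maximum age and the sample inputs are all assumptions.

```python
"""Policy checks derived from the recommendations list.

Added example, not from the paper. Implements the attachment block list and
the password policy as stated, with labelled assumptions where the text
leaves room for interpretation.
"""
import re
import string
from datetime import date

# Extensions the recommendations list as commonly malicious (lower-case).
BLOCKED_EXTENSIONS = {".bat", ".exe", ".vbs", ".scr", ".pif"}

# Constructed, deliberately short list of banned dictionary/common words.
COMMON_WORDS = {"password", "welcome", "aramco", "qwerty", "letmein"}


def attachment_is_blocked(filename):
    """True if any extension in the name is on the block list.

    Checking every dotted part (not just the last) is an added generalisation:
    'invoice.pdf.exe' and 'Setup.EXE' are blocked, 'report.pdf' is not.
    """
    parts = filename.lower().split(".")
    return any("." + part in BLOCKED_EXTENSIONS for part in parts[1:])


def check_password(password, user_attributes=(), banned_words=COMMON_WORDS):
    """Return a list of policy violations; an empty list means compliant.

    Rules follow the recommendations: >= 14 characters, >= 2 special
    characters, >= 2 lowercase letters, uppercase letters present (read here
    as at least one, an assumption), and no banned words or user attributes
    such as name or date of birth.
    """
    problems = []
    if len(password) < 14:
        problems.append("shorter than 14 characters")
    if sum(c in string.punctuation for c in password) < 2:
        problems.append("fewer than 2 special characters")
    if sum(c.islower() for c in password) < 2:
        problems.append("fewer than 2 lowercase letters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")

    # Personal attributes are checked as given and with punctuation stripped,
    # so a date of birth matches both '1985-04-12' and '19850412'.
    derived = set()
    for attr in user_attributes:
        low = attr.lower()
        derived.update({low, re.sub(r"[^a-z0-9]", "", low)})
    lowered = password.lower()
    for word in sorted(set(banned_words) | derived):
        if len(word) >= 3 and word in lowered:
            problems.append(f"contains banned word '{word}'")
    return problems


def password_rotation_due(last_changed, today, max_age_days=60):
    """True once a password is older than the policy maximum.

    The recommendations say 30 to 60 days; the upper bound is used here as
    the hard limit, which is an assumption about how the policy is enforced.
    """
    return (today - last_changed).days >= max_age_days


if __name__ == "__main__":
    for name in ("report.pdf", "invoice.pdf.exe", "Setup.EXE", "README"):
        print(f"{name:18} blocked={attachment_is_blocked(name)}")
    print(check_password("Tr0ub4dor&3"))
    print(check_password("Johndoe!!2024abcd", ("John", "Doe", "1985-04-12")))
    print(check_password("Corr3ct-Horse!Battery", ("John", "Doe")))
    print(password_rotation_due(date(2012, 6, 1), date(2012, 8, 15)))
```

`check_password` returns every violated rule rather than stopping at the first, which is what a user-facing policy prompt needs. The attachment check is intentionally conservative: a name like `notes.exe.txt` is also blocked because `.exe` appears in it, which matches the recommendation's intent of not trusting a file's apparent type.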

Conclusion
Cybersecurity is the new frontier of security in the 21st century. Developed nations are looking to exploit cyber security loopholes to gain influence and supremacy over their rival countries. Hence, malicious software, or malware, has been the primary threat to cyber security over the past decade. Several cases of security attacks and breaches have been reported across the world, including high-level cyber attacks that affected national security.
Hacking groups and campaigns such as LulzSec and Stuxnet have attacked several organizations with different levels of risk. These anonymous groups emerged over the years and targeted highly reputed and high-profile businesses and organizations. Some attacks were conducted easily and exposed the weaker networks' inability to deal with cyber crime, and some breaches cost the affected organizations heavily.