Saudi Arabia’s aviation agency was attacked last month by an aggressive computer virus intended to disrupt high-profile government targets, officials and experts said on Thursday.
The attack, which experts say emanated from outside the country, used a version of Shamoon, malware used to target the Saudi energy sector four years ago. Similar kinds of data-clearing software were used in 2014 against the Las Vegas Sands and Sony.
The Saudi government confirmed the latest breaches on Thursday, after several cybersecurity firms noted them. Bloomberg News reported that thousands of computers were damaged at the headquarters of the General Authority of Civil Aviation starting in mid-November, “erasing critical data and bringing operations there to a halt for several days,” although operations at Saudi airports did not appear to be affected.
The state-run Saudi Press Agency, citing a government statement, reported on Thursday that the national cybersecurity department had detected what officials called a systemic attack on crucial government agencies, including in the transportation sector. The attacks were aimed at halting operations, stealing data and planting viruses, the news agency reported.
Saudi Press reported that officials had alerted the government to the attacks last month and had sent vulnerable agencies tips on defending their computers — suggesting that officials had failed to heed the messages.
The statement acknowledged that the attacks were staged from outside Saudi Arabia, but it did not specify the targets nor say when the breaches began.
If Saudi officials were fazed, they did not show it on Thursday.
“What attack?” Mohsen al-Shahrani, a communications officer for the general security department at the Interior Ministry, said when asked about the assault. “I have not heard anything about this.”
Bloomberg, citing anonymous sources, reported that state-sponsored hackers were believed to be responsible for the breaches and suggested that they might have emanated from Iran.
Iran and Saudi Arabia have been in a tit-for-tat cyberwar for more than four years. In April 2012, Iranian engineers working at the Kharg oil terminal, a speck in the Persian Gulf from which a large portion of Iran’s oil is exported, noticed that their computers had stopped working. The same happened at the Oil Ministry’s headquarters in Tehran, the capital, according to local news accounts.
A computer virus known as a wiper had been interfering with the ministry’s internal network, removing files from hard drives and taking over computers. Alarmed, experts decided to shut down all internet connections. Insiders suspected Saudi hackers of carrying out the attacks, though there was no evidence.
Four months later, the Saudis were targeted. Saudi Aramco, the largest company in the kingdom, was hit by a virus that erased data on three-quarters of the company’s computers — documents, spreadsheets, emails and files — replacing everything with an image of a burning American flag. American intelligence officials said the real perpetrator was Iran, although they offered no evidence.
Since then, there have been numerous cyberattacks in both countries. In May, Brig. Gen. Gholamreza Jalali, who leads the Civil Defense Organization in Tehran, said he saw Saudi Arabia as the chief threat to Iran. The website of Iran’s statistics organization has been hacked, as well as the site of the postal service.
Dmitri Alperovitch, the co-founder and chief technology officer of the security firm CrowdStrike, wrote in a blog post on Thursday that the malware was a variant of Shamoon, which was used in the Aramco attack.
Mr. Alperovitch said the motives for the most recent attacks were not clear. He noted, however, that Iran had targeted Saudi Arabia with cyberattacks before, that the two countries have been locked in a sectarian competition for regional dominance for years, and that they are backing opposing sides of the wars in Syria and Yemen.
Iranian intelligence agents used Shamoon in 2012 in retaliation for international sanctions, Mr. Alperovitch said, adding that the latest attacks came just before a meeting in Vienna of the Organization of the Petroleum Exporting Countries, which agreed on Wednesday to cut oil production for the first time in eight years, prompting an immediate rise in oil prices.
Another security firm, Symantec, reported that the breaches had been timed for the evening of Nov. 17, the end of the workweek, which in much of the Muslim world runs from Sunday to Thursday.
“The attackers appear to have done a significant amount of preparatory work,” Symantec reported. “The malware was configured with passwords that appear to have been stolen from the targeted organizations and were likely used to allow the threat to spread across a targeted organization’s network. How the attackers obtained the stolen credentials is unknown.”
Symantec added, “It would appear that the attack was timed to occur after most staff had gone home for the weekend in the hope of reducing the chance of discovery before maximum damage could be caused.”
Another security company, Palo Alto Networks, reported that Shamoon breaches used malware known as Disttrack, “a multipurpose tool that exhibits wormlike behavior by attempting to spread to other systems on a local network using stolen administrator credentials.” At least 30,000 computer systems were damaged in the 2012 attacks, Palo Alto Networks reported.
