(Adds that victims include General Authority of Civil Aviation)
By Jim Finkle, Tom Finn and Jeremy Wagstaff
Dec 1 - Shamoon, the destructive computer virus
that four years ago crippled tens of thousands of computers at
Middle Eastern energy companies, was used two weeks ago to
attack computers in Saudi Arabia, according to several U.S.
cyber security firms.
CrowdStrike, FireEye Inc, Intel Corp's
McAfee security unit, Palo Alto Networks Inc and
Symantec Corp warned of the attacks, though they did
not name any victims. They did not say how much damage had been
caused or identify the hackers using Shamoon, which cripples
computers by wiping drives used to start machines.
Saudi Arabia said on Thursday that hackers had launched an
attack on computers at government bodies and organizations in
the transport sector in mid-November, heightening concern about
security in the world's largest oil exporter.
Victims included the General Authority of Civil Aviation,
the Saudi agency that runs airports, where the attack disrupted
work for several days, Bloomberg News reported, citing people
familiar with the investigation.
The attack originated outside the country and was one of
"several ongoing cyber attacks targeting government
authorities," the National Cyber Security Center, an arm of the
Ministry of Interior, told state news agency SPA.
The statement did not give details of the identity of the
attacker or the damage caused, beyond saying the virus aimed to
disrupt servers and plant malicious software in computer
systems.
The 2012 Shamoon attack on Saudi Aramco, the world's largest
oil company, was widely seen as a watershed event. At the time,
U.S. Defense Secretary Leon Panetta said it was probably the
most destructive cyber attack on a business. There have since
only been a few major attacks with disk-wiping malware,
including ones in 2014 on Sheldon Adelson's Las Vegas Sands Corp
and Sony Corp's Hollywood studio.
In the initial Shamoon hacks, images of a burning U.S. flag
were left on computers at Saudi Aramco and RasGas Co Ltd. A
disturbing image of the body of 3-year-old drowned Syrian
refugee Alan Kurdi was used in recent attacks.
The 2012 hackers were likely working on behalf of the
Iranian government, said CrowdStrike Chief Technology Officer
Dmitri Alperovitch. It is too early to say whether the same
group was behind Shamoon 2, he said.
Tehran has been investing heavily in its cyber capabilities
since 2010, when its nuclear program was hit by the Stuxnet
computer virus, widely believed to have been launched by the
United States and Israel.
The malware triggered the disk-wiping to begin at 8:45 p.m.
local time on Nov. 17, according to the security firms.
The Saudi business week ends on Thursday, so it appears to
have been timed to begin after staff left for the weekend to
reduce the chance of discovery and allow maximum damage.
(Reporting by Jim Finkle in Boston, Tom Finn in Doha and Jeremy
Wagstaff in Singapore; Editing by Alison Williams and Leslie
Adler)