Date of report
- August 2012
Affiliations
- Believed to have been partially the work of Chrysene
In 2012, threat actors wiped data from approximately thirty-five thousand computers belonging to Saudi Aramco, one of the world’s largest oil companies. Malware called Shamoon stole passwords, wiped data, and prevented computers from rebooting. Hackers calling themselves the "Cutting Sword of Justice" claimed responsibility for the incident, asserting they were retaliating against the al-Saud regime for what the group called widespread crimes against humanity. U.S. intelligence sources have attributed the attack to Iran. Less than two weeks after the Aramco incident, the Qatari gas giant RasGas was also knocked offline by suspected state-sponsored attackers.
The Saudi Aramco incident signaled Iran’s growing cyber capabilities and Tehran’s willingness to use them to promote its interests, particularly in its battle of influence in the Middle East with Saudi Arabia. At the time, some countries had the capability to remotely destroy computer data, but there were few publicly known instances of a country using them, and Iran may have been responding to a previous attack against the Iranian Oil Ministry and the National Iranian Oil Company that used a malware called Wiper.
Suspected victims
- Saudia Arabia Aramco Company
Suspected state sponsor
- Iran (Islamic Republic of)
Type of incident
- Data destruction
Target category
- Private sector
Victim government reaction
- Yes
Policy response