Another Oil Producer – RasGas – Offline Following Virus Attack

Posted by: Paul Roberts   August 30, 2012 14:282 comments
RasGas Headquarters

Photo licensed under the Creative Commons.

There are reports out Thursday that another major oil producer, Qatari firm RasGas, has been knocked offline by a virus attack, according to a published report.

RasGas’s corporate web site was unreachable Thursday and e-mail sent to RasGas e-mail addresses bounced. The report comes by way of the web site arabianoilandgas.com, which quoted an unnamed RasGas spokesperson saying that “an unknown virus has affected” the company’s office systems since Monday, August 27.  The news comes  just days after the Saudi oil producer Saudi Aramco acknowledged that a widespread virus outbreak infected 30,000 systems on its internal network.

RasGas Company Ltd. (http://www.rasgas.com/) is based in Qatar and is the second largest producer of liquefied natural gas (LNG) in the world.

The report said that RasGas has notified its suppliers by fax that the company is “experiencing technical issues with its office computer systems,” ArabianOilandGas.com reported. However, a company spokesperson said that the company’s LNG production and distribution operations were unaffected.

RasGas is reportedly working with ICTQatar, that country’s Supreme Council of Information and Communication Technology. Calls and e-mails to ICTQatar were not immediately returned.

If the reports are accurate, RasGas would be just the latest major energy producing company to be targeted by a malware attack. On Sunday, Saudi Aramco, that country’s national oil company, said that it had restored service to more than 30,000 computers on its internal network that had been infected with a virus on August 15. That attack, which was attributed to a previously unknown hacking group called the Cutting Sword of Justice. It was in retaliation for what the group said was the Al-Saud regime’s support of “crimes and atrocities” in Syria, Bahrain, Yemen and other countries.

The malware used in that attack, Shamoon, was designed to partially destroy data on the hard drives of systems it infected. It is unclear whether the same malware was at use in the RasGas attack.

Stay tuned for more details on this attack from SecurityLedger…

 

  • Pingback: RasGas Still Working On ‘Mystery Virus’ Infection | The Security Ledger

  • Pingback: ataques digitais: petróleo, gás, mineração… e o que mais? | dia a dia, bit a bit

  • http://www.spikes.com Branden Spikes

    The fact emails bounced is an indication their attack may have been email-based, but it is troublesome to see the victims of cyber attacks to be so secretive about the methods behind the attacks.

    For a security professional, it would be incredibly useful to know whether these successful campaigns are getting behind firewalls by direct front-door attacks on servers, drive-by web malware attacks against browsers, or by email attachment. If a combination, what is the proportions?

    Victims of hacking attacks are, in my humble opinion, far too silent. Probably they are either:

    Not realizing the harm they’re doing by being so secretive about the details of the methods of the exploits.
    Caught unprepared by having insufficient backdoor detection and logging to know the root cause.

    If the victims would come out with the details, us security professionals could better understand where to bolster our preventative defenses.

    • http://www.securityledger.com ledgeditor

      Excellent comment, Branden. I agree. My assumption is generally that these attacks probably bypass the firewall altogether and come by way of mobile workers accessing corporate networks via VPN from compromised home systems or corporate laptops. Simple GOOG searches for @[domain name] will get you the addresses of plenty of employees via discussion lists, inadvertently public internal docs. Couple those addresses with a reasonably sophisticated spear phishing e-mails + relatively recent exploits for Java, Adobe, etc. via drive by download, malicious attachment, etc. and you own the system. Then just wait for them to VPN in and you’re there. Of course, SQL injection could be used, by my guess is that companies that can afford IT security expertise have probably thought to isolate those systems pretty well from the rest of their network.

      Agreed that more sunshine would benefit the community more than it would hurt the victim. That’s where, in my mind, strong Federal breach disclosure plays a part. But that gets hard when the company in question is based in a foreign country where transparency isn’t a..umm…priority, right?

      Thanks for your comments!

Security Ledger Uses:

%d bloggers like this: