The attack on Saudi Aramco was detailed by security company FireEye which kept the name under wraps.
But the website Foreign Policy said it had obtained a confidential report authored by Area 1 Security, a company set up by NSA veterans, that identified Aramco as the target. The attack took place in August.
The attack was denied by Saudi Aramco, which, in a statement to Foreign Policy, said: "Saudi Aramco corporate and plants networks were not part of any cyber security attack or breach.”
The Area 1 report said Iran was behind the attack but other experts told Foreign Policy that caution should be exercised in apportioning blame. One ex-intelligence official from the US who has knowledge of the attack said: “This is probably one of the most difficult attribution cases that I’ve ever looked at.”
The malware was dubbed as Triton. The FireEye report said it attacked a safety system known as Triconex which is made by Germany's Schneider Electric. The system is used globally and provides emergency shutdown.
FireEye said Triton tried to alter one safety controller and this led to an unspecified industrial process shutting down. Aramco personnel noticed this and a subsequent investigation led to the discovery of the malware.
The Area 1 report speculated that Triton could have been written jointly by Russia and Iran; an artifact in the software had a Russian name. But while the report said Russian involvement was possible, it also pointed out that such an artifact could be a false flag.
Photo: courtesy Saudi Aramco