Huge natural gas producer knocked offline by malware attack

One of the world’s biggest producers of liquefied natural gas has been hit by a malware attack that has taken down its website and e-mail servers. This is the second documented computer attack to hit a large energy company this month.

Officials with Qatar-based RasGas first identified an “unknown virus” on Monday and took their RasGas.com website and e-mail servers offline in response, Bloomberg News and other news agencies reported on Thursday morning, citing company representatives. Operational systems weren’t affected and production and deliveries remain intact. A joint venture between Qatar Petroleum and ExxonMobil, RasGas exports about 36.3 million tons of liquefied natural gas per year.

News of the attack comes four days after Saudi Aramco, the world’s largest oil producer, confirmed it was the victim of a separate malware attack that took down 30,000 workstations. The assault against the Saudi Arabia-based company was launched on August 15 as the malware entered through its network of personal computers. Oil production wasn’t affected, company officials have said.

The attacks come as security researchers are tracking a malware campaign directed at unspecified companies in the energy industry. “Shamoon,” as the trojan has been dubbed, wreaks havoc on its victims by attempting to permanently wipe the hard drives of the computers it infects and prevents them from restarting. In a blog post, Symantec researchers said that the Shamoon malware, which also goes by the name “Disttrack,” struck at least one unnamed company in the energy industry.

A separate advisory by Israel-based Seculert said that Shamoon attacked “several specific companies in a few industries.” The Seculert post went on to say the wiping function was only one of two stages found in the malware. Company researchers speculate the disk erasure may have been put in place to remove traces of the other action, which may have been surveillance or data theft.

So far, there’s no confirmation that Shamoon is the same malware that struck either RasGas or Saudi Aramco.

“Usually, targeted attacks are being used against companies at the same vertical,” Seculert CTO Aviv Raff wrote in an e-mail to Ars. “So it is not surprising to see such an attack against another company in the oil and energy industry. I believe that if it’s indeed the same attack, they are probably using this to cover their tracks of the actual intended action against RasGas.”

He said a non-disclosure agreement bars him from naming the companies affected or identifying their industries.

Based on the information that is publicly available, the attacks on RasGas and Saudi Aramco appear to be major inconveniences rather than catastrophic events. Assuming that’s truly the case, the unsung heroes are the engineers who separated e-mail and Web servers from critical energy production and delivery systems. With confirmation of attacks against two of the world’s biggest energy producers, it’s worth investigating how and if all companies in this industry are designing their systems to withstand such campaigns.

arstechnica.com