Qatari Gas Company Hit With Virus in Wave of Attacks on Energy Companies

A RasGas offshore platform near Qatar. Image: McDermott-Photos/Flickr

The Qatari natural gas company commonly known as RasGas has been hit with a virus that shut down its website and e-mail servers, according to news reports.

The malware, however, did not affect the company’s operational computers that control the production and delivery of gas, an official of the Ras Laffan Liquefied Natural Gas company told Bloomberg.

The attack reportedly began Aug. 27. The RasGas website was still unavailable on Thursday, three days after the attack.

Qatar is the world’s largest producer of liquefied natural gas. RasGas, a joint operation of Qatar Petroleum and ExxonMobil, distributes about 36 million tons of the resource annually.

It’s unclear if the malware that struck RasGas is the same Shamoon malware that is believed to have been used in an attack earlier this month against Saudi Aramco.

Shamoon has a destructive payload that deletes files on computers that it infects, according to researchers at Israeli security firm Seculert, who have examined it.

Officials of Saudi Aramco, Saudi Arabia’s national oil company, acknowledged last weekend that about 30,000 of its computers were affected in that attack, but also claimed that production and distribution of oil were not affected. The attack reportedly replaced data on machines with images of a burning U.S. flag after destroying files.

A hacktivist group calling itself by the evocative name “Cutting Sword of Justice” claimed responsibility for the Saudi Aramco hack, in posts to Pastebin. The group said the hack was to avenge the “atrocities taking place in … Syria, Bahrain, Yemen, Lebanon [and] Egypt” and seemed to suggest that Shamoon was the malware used in the attack.

In describing the attack, the alleged hackers wrote, “[W]e penetrated a system of Aramco company by using the hacked systems in several countries and then sended [sic] a malicious virus to destroy thirty thousand computers networked in this company….

“This is a warning to the tyrants of this country and other countries that support such criminal disasters with injustice and oppression,” they went on to write. “We invite all anti-tyranny hacker groups all over the world to join this movement. We want them to support this movement by designing and performing such operations, if they are against tyranny and oppression.”

Yet another attack earlier this year against Iran’s national oil company involved a piece of malware dubbed “Wiper,” which systematically deleted data and system files from computers. Circumstantial evidence suggests that Wiper may have been created by the same nation states behind Stuxnet, DuQu and Flame. Israel and the U.S. are believed to be behind those cyberespionage toolkits and weapons.

Wiper, and its attack on the Iranian oil industry, is believed to have been the inspiration for the attackers who subsequently targeted Saudi Aramco and RasGas. The attackers behind the latter hits, however, are not believed to be affiliated with any nation state.