Shamoon

Shamoon[a] (Persian: شمعون), also known as W32.DistTrack,[1] is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows.

[5][2][6] A group named "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 Saudi Aramco workstations, causing the company to spend more than a week restoring their services.

[15] The malware had a logic bomb which triggered the master boot record and data wiping payload at 11:08 am local time on Wednesday, August 15.

It would appear that the attack was timed to occur after most staff had gone on holiday reducing the chance of discovery before maximum damage could be caused, hampering recovery.

[16] The Wiper component utilizes an Eldos-produced driver known as RawDisk to achieve direct user-mode access to a hard drive without using Windows APIs.

[3] It was initiated by a phishing email attack that an unnamed Saudi Aramco Information Technology employee opened, giving the group entry into the company's network around mid-2012.

[20] We, behalf of an anti-oppression hacker group that have been fed up of crimes and atrocities taking place in various countries around the world, especially in the neighboring countries such as Syria, Bahrain, Yemen, Lebanon, Egypt and ..., and also of dual approach of the world community to these nations, want to hit the main supporters of these disasters by this action.

One of the main supporters of this disasters [sic] is Al-Saud corrupt regime that sponsors such oppressive measures by using Muslims oil resources.

Symantec found some of the affected systems showed an image of an American flag while their data was being deleted and overwritten.

However a Middle Eastern journalist leaked photographs taken on 1 September 2012 showing kilometers of petrol trucks unable to be loaded due to hacked business systems still inoperable.

"Saudi Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations.

On August 29, 2012 the same attackers behind Shamoon posted another pastie on PasteBin.com, taunting Saudi Aramco with proof they still retained access to the company network.

[22] The attackers also referenced a portion of the Shamoon malware as further proof in the pastie: "mon 29th aug, good day, SHN/AMOO/lib/pr/~/reversed We think it's funny and weird that there are no news coming out from Saudi Aramco regarding Saturday's night.

Pastie announcing attack against Saudi Aramco by a group called Cutting Sword of Justice
Tanker trucks unable to be loaded with gasoline due to Shamoon attacks