Viruses that badly affected computer systems at two major oil and gas companies in the Persian Gulf appear to be deliberate attempts at sabotage, but preliminary analysis of the code doesn't point to a state-sponsored attack, said Moscow cyber security firm Kaspersky Lab.
Both state-owned Saudi Aramco, the world's biggest oil producer, and Qatar gas exporter Ras Laffan Liquefied Natural Gas Co., known as RasGas, were hit last month by a virus believed to be called Shamoon. The companies said their core operations weren't affected.
"The Shamoon malware is not at a level where nation-state involvement is the only plausible scenario," Kaspersky senior researcher Roel Schouwenberg said.
"There are some beginner-level bugs in the code which we wouldn't typically associate with an elite-level team of state-sponsored programmers."
According to an analysis by cyber security firm Symantec Corp., Shamoon is a destructive malware that corrupts files on a compromised computer and overwrites key operational systems in an effort to render a computer unusable.
Saudi Aramco, which has a total staff of about 56,066, saw 30,000 of its workstations affected by the cyber attack. It was forced to isolate all its electronic systems from outside access until it restored them and restricted its remote Internet access.
"This is clearly an act of sabotage," Mr. Schouwenberg said. "We live in an era where cyber espionage is rampant. Sabotage isn't necessarily too far removed from that."
Aramco hasn't named the bug, but the time stamp in the Shamoon malware was the same time listed in the statement on online hacking forum Pastebin about the attack, said Alex Gostev, Kaspersky's chief security expert.
RasGas said it has shut down part of its computer system since Monday but didn't give further details on the scale of computers affected by the bug.
A person familiar with the matter told Dow Jones Newswires last week that RasGas had been hit by the virus called Shamoon. The two firms had nothing to say about the source of the attack.
A post on Pastebin claimed that a collective called the "Cutting Sword of Justice" was responsible for the Aramco attack and that Saudi Arabia had been targeted because of its supposed involvement in "crimes and atrocities taking place in various countries around the world, especially in the neighbouring countries such as Syria, Bahrain, Yemen."
Kaspersky Lab's analysts said it wasn't possible to identify the source or motivation of the attacks or if they could be related.
If they were the start of a new wave of so-called hacktivism, "that would be an extremely worrisome development," Mr. Schouwenberg said.
It would indicate that such groups had moved from fairly commonplace distributed denial of service attacks, in which hackers bring down websites by overwhelming them with requests for page views, to more advanced methods involving breaching and publishing databases, to damaging sabotage, he said.
Despite Aramco's assurance that its precautionary procedures and multiple redundant systems left the company's production unharmed, it was difficult to assess whether the firm's claims were credible.
"In theory, corporate networks and industrial control networks are supposed to be air gapped (physically separated), making it impossible for them to interact with one another. But in practice, most air gaps are lacking in implementation, so communications between the two networks are possible," Mr. Schouwenberg said.
"Overall, we see many large companies that are not well-equipped to deal with network worms... We often see productivity chosen over security, but in this case, we're referring to a critical infrastructure company, so it should be held to a higher standard," he said.
"The critical question is if the malware managed to get into the industrial control network," he said.
The most famous example of a virus that did infiltrate an industrial control network is Stuxnet, which damaged centrifuges at Iranian uranium enrichment facilities in 2010.
Banque Saudi Fransi, the lender part-owned by France's Credit Agricole SA, last week was the victim of the Stuxnet cyber weapon, which affected the company's shared computer disc drives but left its operations unharmed, a person familiar with the matter said.
A spokesman for Banque Saudi Fransi declined to comment when contacted by Dow Jones Newswires.
Both Aramco and RasGas said their oil and gas operations weren't affected by last month's attacks.
Kaspersky Lab's recent survey of more than 3,300 experts indicates that cyber threats are likely to be the number one risk to business within the next two years.
Meanwhile, some firms in the Gulf have taken extra anti-hacking measures in the wake of the recent attacks.
"This is a wake-up call for everyone. Here in Saudi Arabia, for instance, most large firms have asked their staff to be extra careful before opening any emails and to report any suspicious correspondence," a Saudi executive said.