One or more insiders with high-level access are suspected of assisting the hackers who damaged some 30,000 computers at Saudi Arabia's national oil company last month, sources familiar with the company's investigation say.
The attack using a computer virus known as Shamoon against Saudi Aramco - the world's biggest oil company - is one of the most destructive cyber strikes conducted against a single business.
Shamoon spread through the company's network and wiped computers' hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations.
The hackers' apparent access to a mole, willing to take personal risk to help, is an extraordinary development in a country where open dissent is banned.
"It was someone who had inside knowledge and inside privileges within the company," said a source familiar with the ongoing forensic examination.
Hackers from a group called "The Cutting Sword of Justice" claimed responsibility for the attack. They say the computer virus gave them access to documents from Aramco's computers, and have threatened to release secrets. No documents have so far been published.
Reports of similar attacks on other oil and gas firms in the Middle East, including in neighboring Qatar, suggest there may be similar activity elsewhere in the region, although the attacks have not been linked.
Saudi Aramco declined to comment. "Saudi Aramco doesn't comment on rumors and conjectures amidst an ongoing probe," it said.
The hacking group that claimed responsibility for the attack described its motives as political.
In a posting on an online bulletin board the day the files were wiped, the group said Saudi Aramco was the main source of income for the Saudi government, which it blamed for "crimes and atrocities" in several countries, including Syria and Bahrain.
The Saudi interior ministry did not respond to requests for comment. The foreign ministry was not available for comment.
Saudi Arabia sent troops into Bahrain last year to back the Gulf state's rulers, fellow Sunni Muslims, against Shi'ite-led protesters. Riyadh is also sympathetic to mainly Sunni rebels in Syria.
Saudi Arabia's economy is heavily dependent on oil. Oil export revenues have accounted for 80-90 percent of total Saudi revenues and above 40 percent of the country's gross domestic product, according to U.S. data.
Saudi Aramco, which supplies about a tenth of the world's oil, has hired at least six firms with expertise in hacking attacks, bringing in dozens of outside experts to investigate the attack and repair computers, the sources say.
According to analysis of Shamoon by computer security firm Symantec, the way the virus gets into networks may vary, but once inside it tries to infect every computer in the local area network before erasing files to render PCs useless.
"We don't normally see threats that are so destructive," Liam O Murchu, who helped lead Symantec's research into the virus, said. "It's probably been 10 years since we saw something so destructive."
The state-run oil company - whose 260 billion barrels of crude oil alone would value it at over 8 trillion dollars, or 14 times the market value of Apple Inc. - was well protected against break-in attempts over the Internet, according to people familiar with its network operations.
Yet those sources say such protections could not prevent an attack by an insider with high-level access.
It is unusual for insiders to be fingered in cyber attacks. Verizon Business, which publishes the most comprehensive annual survey of data breaches, said that insiders were implicated in just 4 percent of cases last year.
The hackers behind the Shamoon attack siphoned off data from a relatively small number of computers, delivering it to a remote server, the sources said. They later threatened to release that information.
Because the virus wiped the hard drives, it is difficult for Saudi Aramco to determine exactly what information the hackers obtained.
An email address and password, which the poster claimed belonged to Aramco CEO Khalid Al-Falih, was posted on a website often used by hackers to show off their achievements, this time signed by the "Angry Internet Lovers". No sensitive Aramco files have been uploaded on that site.
Sources who spoke to Reuters said they were not aware whether the hackers had made specific demands, what they might have been or whether they were met.
The sources would not say whether the suspected mole or moles are Saudi Aramco employees or outside contractors, or whether they accessed a workstation inside Saudi Aramco's offices or accessed the network remotely.
The Saudi interior ministry was unavailable to comment on whether anyone has been arrested as part of the investigation.
VIRUS TARGETS PCS
The Shamoon virus is designed to attack ordinary business computers. It does not belong to the category of sophisticated cyber warfare tools - like the Stuxnet virus that attacked Iran's nuclear program in 2010 - which target industrial control systems and can paralyze critical infrastructure.
"Based on initial reporting and analysis of the malware, no evidence exists that Shamoon specifically targets industrial control systems components or U.S. government agencies," the Department of Homeland Security's United States Computer Emergency Readiness Team said in an August 29 advisory.
Saudi Aramco has said that only office PCs running Microsoft Windows were damaged. Its oil exploration, production, export, sales and database systems all remained intact as they ran on isolated and heavily protected systems.
"All our core operations continued smoothly," CEO Khalid Al-Falih told Saudi government and business officials at a security workshop on Wednesday.
"Not a single drop of oil was lost. No critical service or business transaction was directly impacted by the virus."
It is standard industry practice to shield plant operating networks from hackers by running them on separate operating systems that are protected from the Internet.
Qatar's natural gas firm Rasgas was also hit by a cyber attack last week, although it has not said how much damage was caused or whether Shamoon was the virus involved. Qatar, also a Sunni Gulf kingdom, has similar foes to Saudi Arabia.
Its parent firm Qatar Petroleum, which also owns Qatar's other main natural gas firm Qatargas, said it was unaffected but implied that other companies had been hit.
"Qatar Petroleum has not been affected by the computer virus that hit several oil and gas firms. All QP operations are continuing as normal," it said in an official tweet on Monday.
(Additional reporting by Daniel Fineren and Humeyra Pamuk in Dubai; Editing by Peter Graff and Janet McBride)