DUBAI, Aug 26 (Reuters) - State oil producer Saudi Aramco is still repairing damage from a virus which infected thousands of employee computers in mid-August but the control systems and oilfield data are unaffected, sources familiar with the matter said.
Eleven days after the Aug. 15 cyber attack, the company was still trying to establish the identity of the attackers, what data had been lost, and whether affected computers could be restored, the sources said.
One of Saudi Aramco's websites, www.aramco.com, which was taken offline soon after the attack, remained down on Sunday. Emails sent by Reuters to people within the company bounced back.
"Our computer systems were hacked, and this virus appears to be coming from outside and not from someone inside Aramco, but an investigation to find out what happened is still ongoing," one Saudi source said.
"Only personal computers were affected and until now some of these computers aren't working...This does not include any sensitive information related to production and no damage was done to any of the systems controlling production."
Contacted by Reuters on Sunday, a spokesman for Saudi Aramco, the world's largest oil producer, declined to comment. Immediately after the attack, the company announced it had isolated its electronic systems from the outside world to prevent further attacks.
Information technology experts have warned that cyber attacks on countries' energy infrastructure, whether conducted by hostile governments, militant groups or private "hacktivists" making political points, could disrupt energy supplies.
Iran, the target of international economic sanctions on focused on its oil industry over its disputed nuclear programme, has been hit by several cyber attacks in the last few years.
In April, a virus targeted Iranian oil ministry and national oil company networks, forcing Iran to disconnect the control systems of oil facilities including Kharg Island, which handles most of the country's crude exports.
Iran has attributed some of the attacks to the United States, Israel and Britain; current and former U.S. officials told Reuters this year that the United States built the complex Stuxnet computer worm to try to prevent Tehran from completing suspected nuclear weapons work.
Energy assets in front line of cyber war
Cyber attack hits Iran oil industry
Cyber attacks could wreck world oil supply
Virus shuts down Saudi Aramco PC network
An English-language posting on an online bulletin board on Aug. 15, signed by a group called the "Cutting Sword of Justice", claimed the group had launched the attack to destroy 30,000 computers at Saudi Aramco.
It said the company was the main source of income for the Saudi government, which it blamed for "crimes and atrocities" in several countries including Syria and Bahrain. Saudi Arabia sent troops into Bahrain last year to back the tiny state's Sunni Muslim rulers against Shi'ite-led protesters and Riyadh is supporting Sunni rebels against the Syrian regime of President Bashar al-Assad.
Before this month's attack, the Cutting Sword of Justice was not widely known, and information technology experts contacted by Reuters had no information on the group.
In a blog posting last week, Rob Rachwald, director of security for U.S.-based data security firm Imperva, said that if the Saudi Aramco attack was carried out by hacktivists it could be a milestone in computer hacking.
"A group of hobbyists and hacktivists with several very strong minded developers and hackers achieved results similar to what we have allegedly seen governments accomplish," Rachwald wrote.
Symantec, one of the world's largest internet security companies, said on the day after the Saudi Aramco attack that it had discovered a new virus that was targeting at least one organisation in the global energy sector, although it did not name that organisation.
"It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," Symantec said in a blog posting about the virus, which it called W32.Disttrack.
"Threats with such destructive payloads are unusual and are not typical of targeted attacks."