Cyber Incident Victim: Saipem
Date: Dec 2018
Location: Saudi Arabia
Summary
An Italian oil and gas company suffered a cyberattack involving a Shamoon malware variant, which destroyed files on approximately 10% of its servers, primarily affecting operations in the Middle East, India, Scotland, and Italy. The disk-wiping malware compromised over 300 servers and 100 personal computers by overwriting critical system files and master boot records, rendering devices inoperable. The attack propagated rapidly across networks via the Windows SMB protocol. While the incident disrupted operations, the company confirmed no data loss due to existing backups, with restoration efforts underway using those backups. Though previous Shamoon attacks were linked to Iranian state-aligned groups, attribution for this incident remains unconfirmed.
Description
On December 10, 2018, Italian oil and gas contractor Saipem suffered a cyberattack that impacted servers across multiple geographic regions. The company confirmed the incident involved a variant of Shamoon malware, a destructive disk-wiping tool historically linked to high-impact attacks against energy sector targets. The malware compromised approximately 10% of Saipem’s infrastructure, specifically over 300 servers and 100 personal computers out of an estimated 4,000 total machines. The primary impact fell on Middle Eastern operations—including Saudi Arabia, the United Arab Emirates, and Kuwait—with additional disruptions reported in India, Scotland, and a limited number of systems in Italy. Shamoon overwrote critical files, including master boot records (MBRs), rendering infected systems inoperable and preventing them from booting normally. The malware propagated rapidly across networks by exploiting the Windows Server Message Block (SMB) protocol, a method consistent with earlier destructive attacks such as WannaCry and NotPetya.

Saipem initiated restoration efforts using its existing backup infrastructure, confirming no permanent data loss despite the widespread file destruction. Recovery operations proceeded gradually, focusing on re-establishing full operational capacity across affected sites. Forensic analysis revealed a Shamoon sample uploaded to VirusTotal on December 10 from an Italian IP address, consistent with the location of Saipem’s headquarters, though the attacker’s identity remained unverified. Historical context indicated Shamoon’s use in prior attacks against Saudi Aramco—Saipem’s largest client—and other Middle Eastern targets, with cybersecurity researchers attributing earlier campaigns to Iranian-linked threat groups such as OilRig. However, no conclusive evidence tied the 2018 Saipem incident to a specific actor or nation-state. The company maintained operations through contingency measures while restoring compromised systems from backups, emphasizing controlled remediation to minimize prolonged disruption to its global energy services.
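The description above notes that the wiper spread across the network over SMB. A defender's practical takeaway is that a single host suddenly opening TCP/445 connections to many distinct internal hosts is a strong lateral-movement signal, whatever the payload. The following Python script is an added example, not code from the original page or from Saipem; it applies that heuristic to a constructed, hypothetical connection log (the `timestamp src dst dport` format and all addresses are made up) and flags any source that reaches a threshold of distinct internal SMB targets inside a sliding time window. The `allowlist` parameter is an assumption for exempting known scanners or backup servers.

```python
"""SMB fan-out detection over a constructed connection log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log, one connection per line:
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port>". Host 10.20.5.17 fans out to
# seven peers on 445 within seconds; host 10.20.5.40 makes ordinary traffic.
SAMPLE_LOG = """\
2018-12-10T02:14:01 10.20.5.17 10.20.5.21 445
2018-12-10T02:14:02 10.20.5.17 10.20.5.22 445
2018-12-10T02:14:02 10.20.5.17 10.20.5.23 445
2018-12-10T02:14:03 10.20.5.17 10.20.5.24 445
2018-12-10T02:14:04 10.20.5.17 10.20.5.25 445
2018-12-10T02:14:05 10.20.5.17 10.20.5.26 445
2018-12-10T02:14:09 10.20.5.40 10.20.5.9 443
2018-12-10T02:20:00 10.20.5.40 10.20.5.21 445
2018-12-10T02:21:00 10.20.5.40 10.20.5.22 445
2018-12-10T02:14:07 10.20.5.17 10.20.5.27 445
"""

# RFC 1918 ranges; only internal-to-internal SMB counts as lateral movement here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole run
        ts, src, dst, port = parts
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_smb_fanout(events, window=timedelta(seconds=60), threshold=5, allowlist=()):
    """Return {src: (distinct_targets, window_start)} for every source that
    contacted at least `threshold` distinct internal hosts on TCP/445 within
    any `window`-long interval. `allowlist` (assumed) exempts known scanners."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port != SMB_PORT or src in allowlist:
            continue
        if not (is_internal(src) and is_internal(dst)):
            continue
        by_src[src].append((ts, dst))

    alerts = {}
    for src, conns in by_src.items():
        conns.sort()  # chronological, so each start index opens a window
        best = (0, None)
        for i, (start_ts, _) in enumerate(conns):
            targets = {dst for ts, dst in conns[i:] if ts - start_ts <= window}
            if len(targets) > best[0]:
                best = (len(targets), start_ts)
        if best[0] >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    for src, (count, start) in find_smb_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {count} distinct SMB targets starting {start.isoformat()}")
```

The window and threshold are tuning knobs: a wiper spreading over SMB reaches many hosts within seconds, whereas a file server or backup job talks to the same small set of peers over hours, which is why the check counts distinct destinations rather than raw connection volume.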
