UK oil field services contractor confirms cyber attack

19 December 2018
Petrofac and Saipem both say they have taken steps to prevent future attacks

UK-based oil and gas contractor Petrofac has confirmed an “information technology (IT) security breach”, which led the firm to shut down systems and servers.

The firm said the attack focused on its Middle East operation, though it also had some impact in Aberdeen, Scotland.

MEED reported on the alleged cyber attack targeting two unnamed oil and gas organisations in the region on 18 December.

When reached by MEED, Petrofac officials based in Sharjah, the company’s regional headquarters, declined to comment on the reported cyber attack.

Like Italian contractor Saipem, which confirmed on 12 December that its servers had suffered a cyber attack, Petrofac said the cyber attack did not result in any data loss or impact on project sites.

Last week, Saipem said it shut down its servers in Saudi Arabia, the UAE and Kuwait because of a targeted cyber attack against them. The cyber attack is understood to have originated in Chennai, India.

Saipem subsequently said that the cyber attack affected between 300 and 400 servers and over 100 personal computers.

Both Saipem and Petrofac are understood to have addressed the breach and taken steps to prevent a recurrence.

US-based Symantec said in a report on 18 December that a series of cyber attacks using a deadlier version of Shamoon malware (which wiped out thousands of disks at oil giant Saudi Aramco in 2012) targeted two oil and gas organisations in Saudi Arabia and the UAE, in addition to the Middle East servers of Italy’s Saipem.

The latest re-emergence of the virus, last detected in 2016, involves a new wiper, Trojan.Filerase, which deletes files from infected computers before the Shamoon malware wipes the master boot record.

“[Trojan.Filerase] will delete and overwrite files on the infected computer. Shamoon itself will meanwhile erase the master boot record of the computer, rendering it unusable,” Symantec said in a statement.

“While a computer infected by Shamoon could be unusable, files on the hard disk may be forensically recoverable. However, if the files are first wiped by the Filerase malware, recovery becomes impossible.”

According to Symantec, one of the new Shamoon victims, an organisation based in Saudi Arabia, was recently also attacked by another group Symantec calls Elfin (APT33), after being infected with the Stonedrill malware (Trojan.Stonedrill).

“There were additional attacks against this organisation in 2018 that may have been related to Elfin or could have been the work of yet another group,” Symantec said.

The firm added that the proximity of the Elfin and the Shamoon attacks against this organisation means it is possible the two incidents are linked.
