Hackers destroyed computers at six important Saudi organizations two weeks ago, marking a reappearance of the most damaging cyberweapon the world has ever seen.
Last time, it was used to destroy 35,000 computers at the oil company Saudi Aramco. U.S. intelligence quietly blamed Iran for that attack.
This time around, the cyberweapon has attacked at least one Saudi government agency, as well as organizations in the energy, manufacturing and transportation sectors, according to two researchers with direct knowledge of the investigations into the attack.
Security researchers are now headed to Saudi Arabia to investigate how hackers wiped clean computers en masse, according to several experts involved.
Saudi Arabia's state news agency confirmed Wednesday a cyberattack occurred "on various government institutions and agencies."
"The attacks aimed at disabling all equipment and services that were being provided. The attackers were stealing data from the system and were planting viruses," the Saudi news agency SPA said.
The hackers targeted the Saudi aviation regulator, the General Authority of Civil Aviation, according to Patrick Wardle, a researcher with cybersecurity firm Synack. The malware code shows that it targeted employees of GACA, he said.
Cyberattacks this destructive are rare.
Hackers used a version of a specific type of cyberweapon, called Shamoon, which operates like a time bomb.
At 8:45 p.m. local time on Nov. 17, the malicious software started wiping computers at Saudi organizations. All computer files were replaced by the tragic image of a Syrian refugee boy, 3-year-old Alan Kurdi, lying dead on a beach.
The malware then took over the computers' boot record, preventing them from being turned back on.
The hackers timed it so that no employees would be around to stop the destruction. It was Thursday, the last day of the Saudi work week.
But it's too early to blame a specific country, criminal organization or political "hacktivist" group.
"The malware could have been copied by other actors," said CrowdStrike cofounder Dmitri Alperovitch. "We are not yet prepared to make the call."
Alperovitch and others noted that the hack happened just days before oil-pumping OPEC countries agreed to cut oil production for the first time in eight years. There was a lot riding on that deal, which eventually favored Iran, allowing it to boost production in an attempt to reach levels it had before the nation got slapped with international sanctions.
Collin Anderson, one of the world's top experts on Iranian hacking activity, said it's possible Iran used this attack to put pressure on Saudi Arabia.
Iran and Saudi Arabia have been embroiled in a long-running power struggle for influence in the Middle East.
"We've seen a dramatic increase in the level of espionage activity conducted by hacking groups that are connected with the Iranian government," said Anderson, who's working on a research paper for Carnegie Endowment for International Peace that tracks the history of Iranian cyber warfare.
This latest Shamoon strike followed a similar pattern to the devastating attack on Saudi Aramco in 2012. That assault began during the Islamic holy month of Ramadan, when most of the oil company employees were on holiday. Computer files were replaced by images of a burning American flag.
In that instance, a group calling itself "Cutting Sword of Justice" claimed responsibility, citing Aramco's support of the Al Saud royal family's authoritarian regime.
Investigators have not found any claims of responsibility for this past November's attacks.
Eric Chien, technical director at Symantec, said it's striking that hackers used the exact same weapon on yet another Saudi target -- and it worked.
"The malware is rather poorly written, and essentially has been used before. So either GACA did not have any security software installed -- or the security software they had was rather lame and didn't detect it," Wardle said.
-- A previous version of this story indicated Nov. 17, 2016 was Laylat Al Qadr — a religious occasion that took place earlier in the year.