Saudi Aramco and Shamoon
Wiper malware named Shamoon turned 30,000 workstations at the world's largest oil company into bricks and replaced their boot records with an image of a burning American flag.
On August 15, 2012, in the middle of the Muslim holy month of Ramadan, when a significant fraction of Saudi Aramco's staff was at home, a piece of malware later named Shamoon began executing across the company's corporate Windows network. By the time IT teams reacted, roughly thirty thousand workstations had been wiped — disks overwritten and master boot records replaced with the image of a burning American flag.
A statement, not a heist
Shamoon was not espionage. It exfiltrated little of value. Its purpose was destruction: erase as many drives as possible in a single coordinated burst, and leave behind a signature designed to be photographed. A group calling itself the Cutting Sword of Justice claimed credit and listed grievances related to Saudi foreign policy.
US officials and outside researchers attributed the operation to Iran, framing it as a retaliatory response to Stuxnet and related Western cyber operations against Iranian programs. The technical signal supporting that attribution came from a tool less polished than the Shamoon authors apparently intended; the malware contained debugging strings and procedural mistakes a more disciplined operator would have caught.
A long shadow
A near-clone reappeared in 2016 (Shamoon 2) against several Gulf state organizations, and again in 2018 against the Italian oil services contractor Saipem. Each iteration was a reminder that destructive wipers, once written, remain in the global toolkit.
What the chronicle remembers
Shamoon is the case study that put cyber-enabled corporate destruction on the geopolitical map. It made clear that the question facing a CISO at a major energy company is not only whether attackers want the data, but whether they want the company to keep functioning at all.