By Stephen Jewkes and Jim Finkle
MILAN/NEW YORK (Reuters) - A hack on Italian oil services firm Saipem (MI:SPMI) that crippled more than 300 of the company's computers used a variant of the notorious Shamoon virus, Saipem said, a development that links the case to a massive attack in 2012 on Saudi Aramco.
"The cyber attack hit servers based in the Middle East, India, Aberdeen and in a limited way Italy through a variant of Shamoon malware," the company said in a statement on Wednesday.
Work is under way "in a gradual and controlled manner" to fully restore operations after the attack, it said.
The Shamoon virus was used in some of the most damaging cyber attacks in history, starting in 2012 when it crippled tens of thousands of computers at Saudi Aramco and RasGas Co Ltd in the Middle East - attacks that cybersecurity researchers said were conducted on behalf of Iran.
Saudi Aramco is Saipem's biggest customer.
The attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines, the company's head of digital and innovation, Mauro Piasere, told Reuters.
No data will be lost because the company had backed up the affected computers, he said. The company said it first identified the attack on Monday.
Piasere said the company does not know who was responsible for the attack.
However, Adam Meyers, vice president with U.S. cybersecurity firm CrowdStrike, said he believed Iran was responsible because early technical analysis of the new Shamoon variant showed similarities to the 2012 campaign.
Shamoon disables computers by overwriting a file known as the master boot record, making it impossible for devices to start up. Former U.S. Defense Secretary Leon Panetta has said the 2012 hack of Saudi Aramco was probably the most destructive cyber attack on a private business.
Shamoon went dormant until it resurfaced in late 2016 in a series of Middle East attacks that continued through early 2017.
"It went dark for a long time and it seems to be back," said Eric Chien, senior researcher at cybersecurity firm Symantec (NASDAQ:SYMC). "The question is whether any others were affected by it."
Security researchers widely believe that people working on behalf of the Iranian government were behind previous Shamoon attacks, which Tehran strongly denies. Anti-U.S. imagery was found in the code, researchers have said.
Officials in Iran could not be reached for comment.
Saipem, one of the world's largest subsea engineering and construction firms, is controlled by Italian state lender CDP and oil firm Eni (MI:ENI).