
Cutting Sword of Justice

Also known as: cutting_sword_of_justice

Cutting Sword of Justice is the name used by the actors who claimed responsibility for the August 15, 2012 destructive malware attack against Saudi Aramco. In the reporting available, the group presented itself as an activist or hacktivist group angered by Saudi policies in the Middle East and described the operation as retaliation for what it called oppressive measures. The group claimed its malware destroyed about 30,000 Saudi Aramco computers, roughly three-quarters of the company's systems, posted what it said were the IP addresses of infected machines on Pastebin as proof, and threatened a follow-on attack.

The attack is consistently associated in the content with Shamoon, also referred to as Disttrack, a destructive wiper that erased data and rendered systems unusable. Reporting cited in the content states the malware wiped documents, spreadsheets, and emails and replaced files with an image of a burning American flag. Saudi Aramco isolated its electronic systems from outside access and shut down internal corporate services to contain the incident; the content states production systems were not affected because office systems were segregated from production-control systems.

The content also links the name Cutting Sword of Justice to later reporting on Shamoon 2.0 in 2016, described as a reworked version of the 2012 Shamoon malware. That reporting says Shamoon 2.0 used embedded privileged credentials, propagated laterally via administrative shares, enabled the Remote Registry service, modified LocalAccountTokenFilterPolicy, copied itself to remote systems, scheduled its execution, and then wiped systems at a hard-coded time.

Multiple sources in the content describe Cutting Sword of Justice as a suspected Iranian attacker group or state-linked actor, and some reporting says U.S. intelligence officials assessed Iran was the real perpetrator of the Aramco attack, possibly in retaliation for Stuxnet. However, the same content also notes that public claims under the Cutting Sword of Justice name may have been deceptive or a red herring, and that specific evidence was not provided in those reports. The only high-confidence alias directly supported by the content is "Cutting Sword of Justice."


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Energy

Where they target

Geographies tied to known operations.

  • 🇸🇦 Saudi Arabia

MITRE ATT&CK

Tradecraft

4 distinct techniques observed across reporting, grouped by tactic.

2 of 15 tactics; 5 techniques. ×N = number of intelligence reports citing this technique.

TA0001 Initial Access (1 technique)

  • T1566 Phishing
      • T1566.001 Spearphishing Attachment

TA0040 Impact (2 techniques)

  • T1485 Data Destruction (×2)
  • T1491 Defacement
      • T1491.001 Internal Defacement

ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.
