Other details don't match up. For example, an internal network IP address used by the Shamoon samples analyzed by antivirus vendors was not present in a list of Aramco internal IP addresses released in a separate Pastebin post by the hackers on Aug. 17.
"This might mean that those samples are part of an attack on a different entity," Aviv Raff, the chief technology officer at security firm Seculert, said Thursday via email. "Or, this is indeed part of the attack against Aramco, but the attackers decided not to share this IP address in the pastes."
In yet another Pastebin post published Wednesday, possibly by the same hackers, they threaten to attack Aramco a second time on Aug. 25 at 21:00 GMT, Raff said.
In its original announcement, the "Cutting Sword of Justice" hacktivist group said that it targeted Aramco because it is the main financial source for Saudi Arabia's Al Saud regime, which the group claims supported oppressive government actions in countries like Syria, Bahrain, Yemen, Lebanon, or Egypt.
However, not everyone is convinced by its alleged anti-government-oppression agenda. "I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Armaco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union," cybersecurity expert and analyst Jeffrey Carr said Tuesday in a blog post.
"Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group)," Carr said. "Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker."
"During our analysis of the Shamoon malware we noticed an error in the data comparison routine," Kaspersky's Gostev said. "In our experience, such programming errors are not commonly found in sophisticated cyber-weapons; however, we currently do not have enough tangible evidence to determine what type of threat actors or groups were behind Shamoon."
Back in April, computers from Iran's oil ministry were also attacked using a piece of malware with data-wiping functionality. That malware has never been identified, but Kaspersky Lab researchers concluded last week, based on known technical details, that Shamoon was most likely not involved in those attacks.
However, Shamoon might be a copycat of the wiper malware used in Iran that was created by hackers inspired by that incident, the Kaspersky researchers said at the time.