8/22/2012
05:00 PM
Shamoon, Saudi Aramco, And Targeted Destruction

Still no definitive connection between Shamoon and Saudi Aramco breach, but new clues emerge

The mystery of the data-destroying targeted attack against a Middle East oil organization with the so-called Shamoon malware is still unfolding, as security experts discover more clues, and a self-professed group of hacktivists claims responsibility for downing machines at Saudi Aramco with the very same malware.

Multiple Pastebin posts on the attacks have emerged, including ones attributed to the so-called Arab Youth Group as well as the Cutting Sword Of Justice, each post basically claiming to have hit Saudi Aramco in protest. "Symantec, McAfee and Kaspersky wrote a detail analysis about the virus, good job," one Pastebin post said, also claiming to have "completely destroyed" 30,000 clients and servers at the oil company. A post signed by the Cutting Sword Of Justice said the attacks were against the "Al-Saud regime," and that the Aramco hack was "the first step" in operations against what it considers "tyranny and oppression."

Symantec last week revealed its findings on Shamoon, a targeted attack that's all about total annihilation of data, not theft like other targeted attacks. Symantec still won't name the actual victim of the attack, only that it's an energy-sector company in the Middle East. Meantime, Saudi Aramco last week announced that it had been hit by a virus that led to the shutdown of many of its internal systems. The company is Saudi Arabia's national oil company and is considered one of the largest in the world.

Researchers at Kaspersky Lab, meanwhile, have spotted a time correlation between the Aug. 15 Aramco attack and the date and time found in the Shamoon malcode. "We can confirm that #Shamoon kill-timer is the same (08:08 UTC) as announced in anons statement here," Aleks Gostev, chief security expert for Kaspersky Lab's Global Research and Analysis Team, said in a tweet this morning. Kaspersky provided more detail on Shamoon's inner workings in a blog post.

Neither Kaspersky nor Symantec would go as far as to confirm that Saudi Aramco was hit by the Shamoon attackers, however.

Aviv Raff, co-founder and CTO at Seculert, says he can't confirm the Shamoon-Saudi Aramco connection, either. "The timing and malware behavior look the same, but this is not hard evidence," Raff says. "Also, the IP address, 10.1.252.19, we saw in the malware samples we analyzed is not in the list on the Pastebin."

Meanwhile, just who the attackers are that have been posting and posturing on Pastebin claiming to be behind the Shamoon malware and to have hacked Saudi Aramco, has been debated. Were they pure hacktivists as they claim? Or hired guns for Iran, as Jeffrey Carr, CEO of Taia Global, believes?

Carr confirmed to Dark Reading his suspicion that Iran may have commissioned these attacks from the hacker group or groups.

"I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil," Carr wrote in a blog post today.

"Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker," Carr says.

[ Deja vu all over again as Iranian government-owned systems reportedly targeted by a 'worm.' See Iran: Oil Industry Hit By Malware Attack. ]

Darin Andersen, vice president and general manager for Norman North America, says his firm can't confirm a link between the Arab Youth Group/Sword of Justice and Shamoon, but there may well be one, albeit a bit circuitous: "I am also not convinced 100% that there is not a state tie here. What better way to cover your tracks," Andersen says.

Attempts to reach Saudi Aramco have been unsuccessful, but the oil company did post a statement on its website last week confirming a virus attack on its PCs, noting that its production systems had not been affected. The oil company "isolated all its electronic systems from outside access" as a precaution, the statement said.

So just how did the attack begin? Seculert says evidence indicates it was a two-stage attack that began with the perpetrators wresting control of a machine at the targeted organization and using it as a proxy to the command-and-control server. "Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet," Seculert said in a blog post. "Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy."
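The two-stage pattern Seculert describes leaves a recognizable trace in network flow data: a single internal host that talks to an external address while fanning out to many internal hosts that never reach the internet themselves. The script below is an added illustration of how a defender could hunt for that pivot pattern in flow logs; it is not code from Seculert, Symantec or Kaspersky, and the log format, timestamps and every address in it are constructed for the example (10.1.252.19 is borrowed from the article as the pivot, 203.0.113.7 stands in for the external C2).

```python
"""Hunt for an internal pivot/proxy host in flow logs.

A pivot is an internal machine that (a) has egress to an external address
and (b) fans out to several internal hosts which have no egress of their own,
which matches the relay-to-C2 pattern described in the article.
Added example; not code from Seculert, Symantec or Kaspersky. The log format
and all addresses below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 ranges define "internal" here. ipaddress's is_private is
# deliberately not used: it also treats documentation ranges such as
# 203.0.113.0/24 as private, which would misclassify our external peer.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: "<timestamp> <src> <dst> <dport>". Not real logs.
# 10.1.252.19 plays the pivot, 203.0.113.7 the external C2, 10.1.10.5 an
# ordinary workstation with normal egress, and 10.1.10.6 a file server with a
# wide internal fan-out but no egress at all.
SAMPLE_FLOWS = """\
2012-08-15T06:01:02Z 10.1.252.19 203.0.113.7 443
2012-08-15T06:01:09Z 10.1.252.19 10.1.10.21 445
2012-08-15T06:01:10Z 10.1.252.19 10.1.10.22 445
2012-08-15T06:01:11Z 10.1.252.19 10.1.10.23 445
2012-08-15T06:01:12Z 10.1.252.19 10.1.10.24 445
2012-08-15T06:02:00Z 10.1.10.5 198.51.100.9 443
2012-08-15T06:02:05Z 10.1.10.5 10.1.10.6 445
2012-08-15T06:03:00Z 10.1.10.6 10.1.10.21 445
2012-08-15T06:03:01Z 10.1.10.6 10.1.10.22 445
2012-08-15T06:03:02Z 10.1.10.6 10.1.10.23 445
2012-08-15T06:03:03Z 10.1.10.6 10.1.10.24 445
2012-08-15T06:05:30Z 10.1.252.19 203.0.113.7 443
"""


def is_internal(ip):
    """True if the address lies in one of the RFC 1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_flows(text):
    """Parse the constructed flow format into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((ts, src, dst, int(dport)))
    return flows


def find_pivots(flows, min_fanout=3):
    """Return [(host, external_peers, quiet_internal_peers)] for internal
    hosts that have external egress and also talk to at least min_fanout
    internal hosts which have no egress of their own."""
    external = defaultdict(set)   # internal src -> external dsts
    internal = defaultdict(set)   # internal src -> internal dsts
    for _, src, dst, _ in flows:
        if not is_internal(src):
            continue  # inbound traffic from outside is a separate detection
        (internal if is_internal(dst) else external)[src].add(dst)

    pivots = []
    for host, peers in internal.items():
        if host not in external:
            continue  # no egress, so it cannot be relaying to a C2
        quiet = sorted(p for p in peers if p not in external)
        if len(quiet) >= min_fanout:
            pivots.append((host, sorted(external[host]), quiet))
    return sorted(pivots)


if __name__ == "__main__":
    for host, ext, quiet in find_pivots(parse_flows(SAMPLE_FLOWS)):
        print(f"possible pivot {host}: egress to {ext}, fans out to {quiet}")
```

Run against the constructed sample, only 10.1.252.19 is reported: the workstation has egress but no fan-out, and the file server fans out widely but never leaves the network. On real data the threshold and the definition of "external" should be tuned to the environment's proxies and allowed egress paths, otherwise legitimate jump hosts will surface alongside a true pivot.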

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Sanjambela, User Rank: Apprentice, 2/23/2017 | 10:20:35 AM
Very interesting
It is a pleasure witnessing the age of cyberwarfare; things we used to see in the movies are now becoming real. It is like reality is now being designed through fiction. I have a cyber threat presentation to deliver this week, and these articles have been of great help.