Thousands of computers belonging to Saudi Arabia’s General Authority of Civil Aviation and at least five other organizations in the country have reportedly been rendered unusable in a destructive wave of cyber attacks in November.
The attacks involved the use of Shamoon, a malware tool that made headlines four years ago for erasing the hard disks of more than 30,000 computers at petroleum giant Saudi Aramco. Though few details of the latest attacks are publicly available, early signs point to Iran as the source of the attacks. But motives remain unclear, Bloomberg News said in a report Thursday, quoting unnamed sources.
The malware, which some have dubbed Shamoon 2, caused extensive damage at four of the targeted organizations, but defensive measures prevented a similar outcome at the other two, the report said. The attack on Saudi Arabia's civil aviation authority was confined to the agency's office administration systems and did not disrupt air travel or operational systems, Bloomberg added.
Several security vendors this week described the version of Shamoon that was used in the recent attacks as identical to the one that was used in the 2012 attacks on Aramco. The only significant difference is that the images of a burning American flag that were left behind on computers destroyed in the 2012 Shamoon attacks have been replaced by a photo of the body of Alan Kurdi, a 3-year old Syrian refugee who drowned in the Mediterranean in September 2015.
Shamoon, which some vendors also call Disttrack, is malware designed to erase a computer's Master Boot Record and Volume Boot Record, leaving the system unable to boot. Some experts believed that Iran commissioned the 2012 Shamoon attack on Saudi Aramco to deter Saudi Arabia from raising its oil output to compensate for Iranian deliveries that were falling under US-led sanctions.
Bloomberg’s sources this week speculated that the attack might have something to do with the nuclear accord that the US and other major powers reached with Iran last year and which President-elect Donald Trump has threatened to revoke.
Palo Alto Networks said in an alert Wednesday that the malware consists of three components: a dropper, a communications module, and the disk wiper. It is designed to spread to as many systems as possible on the local network, typically using stolen credentials belonging to network and system administrators at the target organization.
As in 2012, administrator credentials and internal domain names of the targeted organization were hard-coded into the new malware, which suggests the credentials were stolen before the tool was built, Palo Alto Networks threat analyst Robert Falcone said in the blog post.
“This is again similar to the 2012 Shamoon attacks, where compromised but legitimate credentials obtained in advance of the attacks were also hard-coded into the malware to aid in its propagation,” Falcone said.
The new version of Shamoon also uses the same commercial disk driver for the wiping itself as the original, down to the same trial license key, said vendors that reviewed it this week. Because that trial key was valid for only 30 days in August 2012, the new malware resets the clock on each infected system to August 2012 so that the driver, and therefore the wiper, still works.
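Two of the behaviours described above, the fan-out of a single stolen admin credential across many hosts and the rollback of the system clock to August 2012, leave traces in Windows Security logs that a defender can hunt for. The script below is an added example written for this article, not code from Palo Alto Networks, Symantec or any vendor cited here. It runs two checks over a constructed, simplified set of event records: Event ID 4616 ("The system time was changed") for multi-year clock rollbacks, and Event ID 4624 with LogonType 3 (network logon) for one account reaching many hosts in a short window. The host names, account names, field layout and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records (not real victim data),
# flattened to the fields the checks below need. Event 4616 is "The system
# time was changed"; 4624 is "An account was successfully logged on", and
# LogonType 3 is a network logon (admin shares, remote service install).
# Field names are simplified from the real event XML.
SAMPLE_EVENTS = [
    # Clock set back four years, to August 2012, on two workstations.
    {"EventID": 4616, "Host": "WS-017", "Account": "svc_deploy",
     "PreviousTime": "2016-11-17T21:02:11", "NewTime": "2012-08-15T09:30:00"},
    {"EventID": 4616, "Host": "WS-022", "Account": "svc_deploy",
     "PreviousTime": "2016-11-17T21:03:05", "NewTime": "2012-08-03T14:12:00"},
    # Benign: a two-second NTP correction and a two-day manual fix.
    {"EventID": 4616, "Host": "FS-01", "Account": "LOCAL SERVICE",
     "PreviousTime": "2016-11-17T21:00:00", "NewTime": "2016-11-17T21:00:02"},
    {"EventID": 4616, "Host": "WS-030", "Account": "CORP\\helpdesk",
     "PreviousTime": "2016-11-17T22:00:00", "NewTime": "2016-11-15T22:00:00"},
    # One admin account reaching six hosts over the network in three minutes.
    *[{"EventID": 4624, "Host": h, "Account": "CORP\\adm_jsmith",
       "LogonType": 3, "Time": t} for h, t in [
        ("WS-017", "2016-11-17T20:58:40"), ("WS-022", "2016-11-17T20:59:02"),
        ("WS-030", "2016-11-17T20:59:31"), ("WS-041", "2016-11-17T21:00:05"),
        ("FS-01", "2016-11-17T21:00:48"), ("DC-01", "2016-11-17T21:01:20")]],
    # Benign: an ordinary user opening two file shares.
    {"EventID": 4624, "Host": "FS-01", "Account": "CORP\\jdoe", "LogonType": 3,
     "Time": "2016-11-17T20:40:00"},
    {"EventID": 4624, "Host": "FS-02", "Account": "CORP\\jdoe", "LogonType": 3,
     "Time": "2016-11-17T20:41:10"},
]


def parse_ts(value):
    """Parse the ISO-style timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def clock_rollbacks(events, min_rollback_days=365):
    """Return 4616 events where the clock was moved back by more than
    min_rollback_days. Small NTP corrections and short manual fixes are
    ignored; a jump of years is what the August 2012 trick looks like."""
    hits = []
    for e in events:
        if e["EventID"] != 4616:
            continue
        prev, new = parse_ts(e["PreviousTime"]), parse_ts(e["NewTime"])
        if prev - new > timedelta(days=min_rollback_days):
            hits.append({
                "Host": e["Host"],
                "Account": e["Account"],
                "NewTime": e["NewTime"],
                # Flag the specific month the article says the trial key was valid.
                "august_2012": (new.year, new.month) == (2012, 8),
            })
    return hits


def credential_fan_out(events, window_minutes=10, min_hosts=5):
    """Group network logons (4624, LogonType 3) by account and report each
    account that reached at least min_hosts distinct hosts inside any
    window_minutes-long sliding window. Returns {account: sorted hosts}."""
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == 3:
            by_account[e["Account"]].append((parse_ts(e["Time"]), e["Host"]))
    alerts = {}
    for account, logons in by_account.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:]
                     if t - start <= timedelta(minutes=window_minutes)}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(hosts)
                break
    return alerts


if __name__ == "__main__":
    for hit in clock_rollbacks(SAMPLE_EVENTS):
        print("clock rollback:", hit)
    for account, hosts in credential_fan_out(SAMPLE_EVENTS).items():
        print("credential fan-out:", account, "->", hosts)
```

Both checks depend on the logs surviving the attack: the wiper destroys the local disk, so 4616 and 4624 records are only useful if they are forwarded to a collector before the disk is erased, and 4616 is only generated when the "Audit Security State Change" subcategory is enabled. The fan-out threshold needs tuning per environment, since backup, patching and deployment accounts legitimately touch many hosts in a short time; a practical refinement is to baseline each account's usual host set and alert on new hosts rather than on raw counts.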
In 2012, the threat actors behind the Saudi Aramco attack launched it during Ramadan, Islam's holy month, because few IT staffers would be around to respond quickly. Whoever is behind the new Shamoon attacks appears to have adopted a similar tactic by launching the attack late on a Thursday, the start of the weekend in Saudi Arabia, Symantec's threat response team said this week.
Ryan Olson, intelligence director of Palo Alto Networks' Unit 42, says his company's review of Shamoon 2 shows little has changed from the original version four years ago, but little other information is presently available.
“For this research, we don’t have information on the attackers, victims, or motives other than the evidence we have that strongly links these attacks and attackers to the 2012 attacks,” Olson says.
Orla Cox, director of Symantec security response, says the company can confirm only one infected organization at this time. She identifies the organization as being based in Saudi Arabia, but was unwilling to share any details on the nature or scope of the damage that might have been caused.
An executive from FireEye says the company first discovered the new Shamoon attacks about three weeks ago while investigating a breach for a client. But like the other vendors, the FireEye executive also says the company is unable to disclose any details of the victim organization or the breach.
- Shamoon, Saudi Aramco, And Targeted Destruction
- Shamoon Code 'Amateur' But Effective
- Inside The Aftermath Of The Saudi Aramco Breach