
8/22/2012
05:00 PM
Shamoon, Saudi Aramco, And Targeted Destruction

Still no definitive connection between Shamoon and Saudi Aramco breach, but new clues emerge

The mystery of the data-destroying targeted attack against a Middle East oil organization with the so-called Shamoon malware is still unfolding, as security experts discover more clues, and a self-professed group of hacktivists claims responsibility for downing machines at Saudi Aramco with the very same malware.

Multiple Pastebin posts on the attacks have emerged, including ones attributed to the so-called Arab Youth Group as well as the Cutting Sword Of Justice, each post basically claiming to have hit Saudi Aramco in protest. "Symantec, McAfee and Kaspersky wrote a detail analysis about the virus, good job," one Pastebin post said, also claiming to have "completely destroyed" 30,000 clients and servers at the oil company. A post signed by the Cutting Sword Of Justice said the attacks were against the "Al-Saud regime," and that the Aramco hack was "the first step" in operations against what it considers "tyranny and oppression."

Symantec last week revealed its findings on Shamoon, a targeted attack that's all about total annihilation of data, not theft like other targeted attacks. Symantec still won't name the actual victim of the attack, only that it's an energy-sector company in the Middle East. Meantime, Saudi Aramco last week announced that it had been hit by a virus that led to the shutdown of many of its internal systems. The company is Saudi Arabia's national oil company and is considered one of the largest in the world.

Researchers at Kaspersky Lab, meanwhile, have spotted a time correlation between the Aramco attack and the date and time found in the Shamoon malcode on Aug. 15. "We can confirm that #Shamoon kill-timer is the same (08:08 UTC) as announced in anons statement here," Aleks Gostev, chief security expert for Kaspersky Lab's Global Research and Analysis Team, said in a tweet this morning. Kaspersky provided more detail on Shamoon's inner workings in a blog post.

Neither Kaspersky nor Symantec would go as far as to confirm that Saudi Aramco was hit by the Shamoon attackers, however.

Aviv Raff, co-founder and CTO at Seculert, says he can't confirm the Shamoon-Saudi Aramco connection, either. "The timing and malware behavior look the same, but this is not hard evidence," Raff says. "Also, the IP address, 10.1.252.19, we saw in the malware samples we analyzed is not in the list on the Pastebin."

Meanwhile, just who the attackers are that have been posting and posturing on Pastebin claiming to be behind the Shamoon malware and to have hacked Saudi Aramco, has been debated. Were they pure hacktivists as they claim? Or hired guns for Iran, as Jeffrey Carr, CEO of Taia Global, believes?

Carr confirmed his suspicions with Dark Reading that Iran may have commissioned these attacks by the hacker group or groups.

"I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil," Carr wrote in a blog post today.

"Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker," Carr says.


Darin Andersen, vice president and general manager for Norman North America, says his firm can't confirm a link between the Arab Youth Group/Sword of Justice and Shamoon, but there may well be one, albeit a bit circuitous: "I am also not convinced 100% that there is not a state tie here. What better way to cover your tracks," Andersen says.

Attempts to reach Saudi Aramco have been unsuccessful, but the oil company did post a statement on its website last week confirming a virus attack on its PCs, noting that its production systems had not been affected. The oil company "isolated all its electronic systems from outside access" as a precaution, the statement said.

So just how did the attack begin? Seculert says evidence indicates it was a two-stage attack that began with the perpetrators wresting control of a machine at the targeted organization and using it as a proxy to the command-and-control server. "Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet," Seculert said in a blog post. "Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Sanjambela,
User Rank: Apprentice
2/23/2017 | 10:20:35 AM
Very interesting
It is a pleasure witnessing the age of cyberwarfare; things we used to see in the movies are now becoming real. It is like reality is now being designed through fiction. I have a cyber threat presentation to deliver this week and these articles have been of great help.