The mystery of the data-destroying targeted attack against a Middle East oil organization with the so-called Shamoon malware is still unfolding, as security experts discover more clues, and a self-professed group of hacktivists claims responsibility for downing machines at Saudi Aramco with the very same malware.
Multiple Pastebin posts on the attacks have emerged, including ones attributed to the so-called Arab Youth Group as well as the Cutting Sword Of Justice, each post basically claiming to have hit Saudi Aramco in protest. "Symantec, McAfee and Kaspersky wrote a detail analysis about the virus, good job," one Pastebin post said, also claiming to have "completely destroyed" 30,000 clients and servers at the oil company. A post signed by the Cutting Sword Of Justice said the attacks were against the "Al-Saud regime," and that the Aramco hack was "the first step" in operations against what it considers "tyranny and oppression."
Symantec last week revealed its findings on Shamoon, a targeted attack that's all about total annihilation of data, not theft like other targeted attacks. Symantec still won't name the actual victim of the attack, only that it's an energy-sector company in the Middle East. Meantime, Saudi Aramco last week announced that it had been hit by a virus that led to the shutdown of many of its internal systems. The company is Saudi Arabia's national oil company and is considered one of the largest in the world.
Researchers at Kaspersky Lab, meanwhile, have spotted a time correlation between the Aramco attack and the date and time found in the Shamoon malcode on Aug. 15. "We can confirm that#Shamoon kill-timer is the same (08:08 UTC) as announced in anons statement here," Aleks Gostev, chief security expert for Kaspersky Lab's Global Research and Analysis Team, said in a tweet this morning. Kaspersky provided more detail on Shamoon's inner workings in a blog post.
Neither Kaspersky nor Symantec would go as far as to confirm that Saudi Aramco was hit by the Shamoon attackers, however.
Aviv Raff, co-founder and CTO at Seculert, says he can't confirm the Shamoon-Saudi Aramco connection, either. "The timing and malware behavior look the same, but this is not hard evidence," Raf says. "Also, the IP address, 10.1.252.19, we saw in the malware samples we analyzed is not in the list on the Pastebin."
Meanwhile, just who the attackers are that have been posting and posturing on Pastebin claiming to be behind the Shamoon malware and to have hacked Saudi Aramco, has been debated. Were they pure hacktivists as they claim? Or hired guns for Iran, as Jeffrey Carr, CEO of Taia Global, believes?
Carr confirmed his suspicions with Dark Reading that Iran may have commissioned these attacks by the hacker group or groups.
"I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union. Iran warned Saudi Arabia against boosting production last January after the Kingdom's oil minister pledged to boost production if there was a demand for more oil," Carr wrote in a blog post today.
"Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group). Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker," Carr says.
[ Deja vu all over again as Iranian government-owned systems reportedly targeted by a 'worm.' See Iran: Oil Industry Hit By Malware Attack. ]
Darin Andersen, vice president and general manager for Norman North America, says his firm can't confirm a link between the Arab Youth Group/Sword of Justice and Shamoon, but there may well be one, albeit a bit circuitous: "I am also not convinced 100% that there is not a state tie here. What better way to cover your tracks," Andersen says.
Attempts to reach Saudi Aramco have been unsuccessful, but the oil company did post a statement on its website last week confirming a virus attack on its PCs, noting that its production systems had not been affected. The oil company "isolated all its electronic systems from outside access" as a precaution, the statement said.
So just how did the attack begin? Seculert says evidence indicates it was a two-stage attack that began with the perpetrators wresting control of a machine at the targeted organization and using it as a proxy to the command-and-control server. "Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet," Seculert said in a blog post. "Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio