Data-destruction attacks are not new, but they have been rare in the past decade or so, as financially motivated cybercrime and cyberespionage, both focused on monetizing stolen information, have dominated the threat landscape. Hacktivists, meanwhile, have employed data-wiping from time to time, but not in the volume or mass approach that Shamoon can accomplish.
Richard Bejtlich, chief security officer at Mandiant, says these recent attacks should serve as a cautionary tale for all types of organizations. "This is something everybody should worry about ... This ability to destroy people's computers and wipe them clean has been around a couple of decades, but it has taken mass events, probably caused by the Iranian government and its proxies, to wake people up," he says. "Utilities are just one victim, chosen for economic and political reasons: It could be anybody."
And Shamoon is already being repurposed against additional victims: Seculert has discovered variants of it. "We've seen variants with different internal-machine IP addresses used for proxy to send information," says Aviv Raff, co-founder and CTO at Seculert. The variants are likely the work of the same Shamoon attackers, since the malware is identical apart from the new internal IP addresses, he says. Raff was unable to comment on who the next targets may be, however.
Shamoon, which has been unofficially linked to a recent breach at oil giant Saudi Aramco that took down 30,000 of its workstations, doesn't spy or steal information -- it deletes it, wiping files and data and crippling the infected machines themselves by overwriting the victim machine's master boot record, which disables it altogether. It also includes a reporting feature that logs the progress of the attack for the attacker.
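Because the overwritten master boot record is what leaves a machine unbootable, one of the first recovery questions for a defender is whether a host's boot sector still matches a known-good baseline. The following Python is an added example, not code from the article or from any of the researchers quoted: it parses a 512-byte MBR, compares the boot code against a baseline hash and flags a destroyed sector, using constructed sample sectors (the byte values and function names are illustrative assumptions).

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Parse a 512-byte MBR into a boot-code hash, partition entries and signature state."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # partition type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return findings for a sector; an empty list means it matches the known-good baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    return findings


# Constructed sample: a minimal healthy MBR with one bootable NTFS-type (0x07) partition.
_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(446, b"\x00")
_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
HEALTHY_MBR = _BOOT_CODE + _ENTRY + BOOT_SIGNATURE
BASELINE = parse_mbr(HEALTHY_MBR)["boot_code_sha256"]  # recorded before any incident

# Constructed sample of a destroyed MBR: the whole sector overwritten with zero bytes.
WIPED_MBR = b"\x00" * MBR_SIZE

if __name__ == "__main__":
    print("healthy:", check_mbr(HEALTHY_MBR, BASELINE))  # []
    print("wiped:  ", check_mbr(WIPED_MBR, BASELINE))
```

In practice the baseline hash would be recorded per gold image and the first sector read from a forensic disk image rather than constructed inline.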
Despite its nasty effects, Shamoon is actually a fairly rudimentary piece of malware. Researchers from AlienVault Labs and Kaspersky Lab separately have analyzed the code and concluded that it's likely the work of amateur coders. There are errors in the code that aren't characteristic of seasoned programmers.
Dmitry Tarakanov, a Kaspersky Lab expert, says the way Shamoon is constructed makes it relatively simple to tweak and reuse against another target. "We can single out three objects in Shamoon malware that could be taken as some sort of configuration. They are killer time, address of CNC [command and control], and network range from where Shamoon tries infecting computers," he says. "The first two parameters can be easily reconfigured, whilst the last one requires rewriting [the Shamoon code] a little bit. So [an] attacker can adjust those settings, recompile [the] program, and reuse it against [a] new target."
The wiper component could easily be packaged with other malware since it doesn't rely on the Shamoon code, says Jaime Blasco, manager of AlienVault Labs. But attackers may instead want to roll their own data-annihilation malware since Shamoon is now on the radar of most antivirus products: "On the other hand, it will be better to write your own code using the main idea of Shamoon rather than using the actual components due to the high antivirus detection ratio for Shamoon," Blasco says.
Most organizations probably aren't thinking they could be the next victim of a Shamoon or Shamoon-type attack. Neither Saudi Aramco nor Qatar's RasGas -- which was hit by a similar attack late last month -- has said its data was wiped in the attacks, nor has either pointed to Shamoon as the culprit.
Mandiant's Bejtlich says he doubts many organizations have considered the possibility of the widespread destruction of computers in their incident response plan. "In my last job, we didn't have that. What if tens of thousands of machines were bleeding? That would have swamped our help desk and IT department. I'm not sure how IT would have supported getting people back online while having to do their regular business" of handling the enterprise servers and network, he says.
The scorched-earth-type attack would pose a big challenge for most IT departments, he says. IT departments would have to deal with getting the company's critical servers cleaned and back online, for example, potentially leaving end users to fend for themselves. Trying to restore tens of thousands of user machines to a "gold" image would be problematic, he says, especially if users tried to do it themselves.
"They might not get patched, or need to have their own data restored," Bejtlich says. "I get scared just thinking about it."
It takes a comprehensive IR plan that goes hand-in-hand with a disaster recovery plan, he says. "And you need a program out there for finding these guys before they execute their mission: If their mission is to destroy [data], you've got to get ahead of that mission. I'm still an advocate for fast detection and response," Bejtlich says.
Even once a machine is cleaned up and restored, the attacker could still be inside and simply start all over again, deleting and destroying. So organizations need to determine whether the attackers are still inside, and what they used to gain access in the first place, he says.
AlienVault's Blasco recommends that enterprises use the same security technologies they use for detecting other malware, but also ensure they have a proper backup system in place in case they are hit with a data-deleting attack. "You also have to have backup systems so you can recover the data in case malware is able to remove the data from your systems," he says.