The Data-Annihilation Attack Is Back

Old-school but painful data-destroying malware attacks in the Middle East are a red flag to revisit incident response and recovery plans

The data-destroying Shamoon malware and recent wave of aggressive targeted attacks against utilities in the Middle East should serve as a wake-up call for all types of organizations to be prepared for a whole other aspect of a breach -- losing data and systems to destructive hacks.

Data-destruction attacks are not new, but have been rare in the past decade or so as financially motivated cybercrime and cyberespionage have been at the forefront of threats mainly focused on monetizing stolen information. Hacktivists, meanwhile, have employed data-wiping from time to time, but not in the volume or mass approach that Shamoon can accomplish.

Richard Bejtlich, chief security officer at Mandiant, says these recent attacks should serve as a cautionary tale for all types of organizations. "This is something everybody should worry about ... This ability to destroy people's computers and wipe them clean has been around a couple of decades, but it has taken mass events, probably caused by the Iranian government and its proxies, to wake people up," he says. "Utilities are just one victim, chosen for economic and political reasons: It could be anybody."

And Shamoon is already being repurposed for attacking additional victims: Seculert has discovered Shamoon variants. "We've seen variants with different internal-machine IP addresses used for proxy to send information," says Aviv Raff, co-founder and CTO at Seculert. It's likely the same Shamoon attackers because the malware is identical apart from the new internal IP addresses, he says. Raff was unable to comment on who the next targets may be, however.

Shamoon, which has been unofficially linked to a recent breach at oil giant Saudi Aramco that took down 30,000 of its workstations, doesn't spy or steal information -- it deletes it, wiping files and data and crippling the infected machines themselves by overwriting the victim machine's master boot record, which disables it altogether. It also includes a reporting feature that logs the progress of the attack for the attacker.

Despite its nasty effects, Shamoon is actually a fairly rudimentary piece of malware. Researchers from AlienVault Labs and Kaspersky Lab separately have analyzed the code and concluded that it's likely the work of amateur coders. There are errors in the code that aren't characteristic of seasoned programmers.

Dmitry Tarakanov, a Kaspersky Lab Expert, says the way Shamoon is constructed makes it relatively simple to tweak and reuse against another target. "We can single out three objects in Shamoon malware that could be taken as some sort of configuration. They are killer time, address of CNC [command and control], and network range from where Shamoon tries infecting computers," he says. "The first two parameters can be easily reconfigured, whilst the last one requires rewriting [the Shamoon code] a little bit. So [an] attacker can adjust those settings, recompile [the] program, and reuse it against new target."

The wiper component could easily be packaged with other malware since it doesn't rely on the Shamoon code, says Jaime Blasco, manager of AlienVault Labs. But attackers may instead want to roll their own data-annihilation malware since Shamoon is now on the radar of most antivirus products: "On the other hand, it will be better to write your own code using the main idea of Shamoon rather than using the actual components due to the high antivirus detection ratio for Shamoon," Blasco says.

Most organizations probably aren't thinking they could be the next victim of a Shamoon or Shamoon-type attack. Neither Saudi Aramco nor Qatar's RasGas -- which was hit by a similar attack late last month -- have said their data was wiped in the attacks, nor have either pointed to Shamoon as the culprit.

Mandiant's Bejtlich says he doubts many organizations have considered the possibility of the widespread destruction of computers in their incident response plan. "In my last job, we didn't have that. What if tens of thousands of machines were bleeding? That would have swamped our help desk and IT department. I'm not sure how IT would have supported getting people back online while having to do their regular business" of handling the enterprise servers and network, he says.

The scorched-earth-type attack would pose a big challenge for most IT departments, he says. IT departments would have to deal with getting the company's critical servers cleaned and back online, for example, potentially leaving end users to fend for themselves. Trying to restore tens of thousands of user machines to a "gold" image would be problematic, he says, especially if users tried to do it themselves.


"They might not get patched, or need to have their own data restored," Bejtlich says. "I get scared just thinking about it."

It takes a comprehensive IR plan that goes hand-in-hand with a disaster recovery plan, he says. "And you need a program out there for finding these guys before they execute their mission: If their mission is to destroy [data], you've got to get ahead of that mission. I'm still an advocate for fast detection and response," Bejtlich says.

Even once a machine is cleaned up and restored, the attacker could still be inside and simply start all over again, deleting and destroying. So organizations need to determine whether the attackers are still inside, and what they used to gain access in the first place, he says.

AlienVault's Blasco recommends that enterprises use the same security technologies they use for detecting other malware, but also ensure they have a proper backup system in place in case they are hit with a data-deleting attack. "You also have to have backup systems so you can recover the data in case malware is able to remove the data from your systems," he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading.