Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

10:25 AM

Dustman Attack Underscores Iran's Cyber Capabilities

For nearly six months, an attack group linked to Iran reportedly had access to the network of Bahrain's national oil company, Bapco, before it executed a destructive payload.

On December 29, a group of attackers used a data-deleting program known as a "wiper" to attempt to destroy data on systems at Bahrain's national oil company, overwriting data with a string of characters including the phrases "Down With Bin Salman" and "Down With Saudi Kingdom," according to multiple analyses.

While the destructive malware, dubbed "Dustman" by the Saudi National Cyber Security Centre (NCSC), differs from previous wiper attacks, many of its techniques link the code to Shamoon and ZeroCleare, two data-destroying programs used by Iranian-linked groups to target firms in the Middle East. In addition, while the group behind Dustman had access to the victim's network since July 2019, they only executed the wiper code on December 29, the same day that the United States retaliated for the death of an American contractor by bombing Iranian-linked targets in Syria and Iraq.

The attack deleted the data on most of the victim's computers, according to other NCSC analysis.

"Just because it is anti-Saudi does not make it necessarily Iranian," says Dmitriy Ayrapetov, vice president of platform architecture at SonicWall. "But because it is so related in techniques and modules that it uses [when compared] to the previous two attacks that have been attributed to Iran, we can — with fairly clear confidence — say this is a continuation of the campaigns of Iranian hacking groups."

The attack demonstrates both the technical capabilities of the group behind Dustman and the level of access that it has to networks in the Middle East.

The attackers gained access by using a vulnerability in the company's virtual private networking software, used the antivirus management server to distribute the malware, manually deleted data on the company's storage servers, and then deleted the VPN access logs to hide their tracks. However, the attack missed some machines on the network because they had been in sleep mode.

"Based on analyzed evidence and artifacts found on machines in a victim's network that were not wiped by the malware, NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC [operational security] failures observed on the infected network," NCSC stated in its analysis.

Iranian-linked groups — the two major actors known as APT33 and APT34 — have been active for some time in the Middle East and against US targets. A 2-year-old vulnerability in Microsoft Outlook, for example, has been used to attack companies because of the complexity of patching the issue correctly.

The NCSC report did not name the target, but both press reports and security firm's analyses indicated that the victim was the Kingdom of Bahrain's national oil company.

While Iranian espionage and hacking groups may be best known for their destructive attacks, the groups are also quite adept at stealing data and other intelligence operations, says Adam Meyers, vice president of intelligence at CrowdStrike.

"Dustman is one of the destructive [and] disruptive tools that we associate with Iranian government-affiliated threat actors, though we have not associated it directly to any of the groups CrowdStrike tracks at this time with any degree of confidence," Meyers says, adding "Iran has deployed destructive wipers several times over the years. They are more commonly engaged in intelligence collection intrusions, but they have been known to use wipers."

The NCSC report stated that the initial infiltration occurred in July 2019 using a vulnerability in a virtual private network (VPN) application. A critical vulnerability in Pulse Secure's VPN software has been used in several attacks — most recently, it was purportedly used in the breach of travel-service provider Travelex — but none of the analyses linked that specific vulnerability to the Dustman incident.

The attack also used legitimate, signed drivers with known vulnerabilities to bypass some Windows security features, says SonicWall's Ayrapetov. The attackers first load the driver, for the virtual machine software VirtualBox, and then exploit the driver to load a different untrusted driver to overwrite data, SonicWall stated in its analysis.

"They load an old signed driver that is vulnerable, and then they exploit that vulnerability and load the modules from a legitimate piece of software to do the wiping attack," he says. "They are hijacking legitimate functionality to bypass some of the Windows security controls."

The use of the antivirus management console should also be noted by security teams, Yaron Kassner, chief technology officer of cybersecurity firm Silverfort, said in a statement.

"Highly privileged service accounts are a top target for hackers because once compromised, they can be exploited to reach sensitive systems and gain control over them," he said. "These accounts can pose significant risk to corporate networks. Therefore it is important to monitor and restrict access of such service accounts."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "6 Unique InfoSec Metrics CISOs Should Track in 2020."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-24
A potential vulnerability has been identified in HPE OneView Global Dashboard release 2.31 which could lead to a local disclosure of privileged information. HPE has provided an update to OneView Global Dashboard. The issue is resolved in 2.32.
PUBLISHED: 2021-06-24
Improper sanitization of path in default RouteNotFoundError view in com.vaadin:flow-server versions 1.0.0 through 1.0.14 (Vaadin 10.0.0 through 10.0.18), 1.1.0 prior to 2.0.0 (Vaadin 11 prior to 14), 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), and 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 1...
PUBLISHED: 2021-06-24
URL encoding error in development mode handler in com.vaadin:flow-server versions 2.0.0 through 2.6.1 (Vaadin 14.0.0 through 14.6.1), 3.0.0 through 6.0.9 (Vaadin 15.0.0 through 19.0.8) allows local user to execute arbitrary JavaScript code by opening crafted URL in browser.
PUBLISHED: 2021-06-24
The vgacon subsystem in the Linux kernel before 5.8.10 mishandles software scrollback. There is a vgacon_scrolldelta out-of-bounds read, aka CID-973c096f6a85.
PUBLISHED: 2021-06-24
A vulnerability in agent program of HelpU remote control solution could allow an authenticated remote attacker to execute arbitrary commands This vulnerability is due to insufficient input santization when communicating customer process.