Security Experts:

Shamoon Wiper Attacks Return to the Gulf

Destructive Malware Hit Targets in Saudi Arabia Set to Wipe Disks on Nov 17.

Four years after it first brought havoc to oil giant Saudi Aramco, the Shamoon/Disttrack malware has reappeared in the Gulf. In 2012 it wiped the disks of some 30,000 computers in an apparent attempt to stop Saudi oil production. Now it is back, apparently attacking several organizations in the region.

FireEye reported yesterday that its incident response and forensics company Mandiant had in mid-November "responded to the first Shamoon 2.0 incident against an organization located in the Gulf states. Since then, Mandiant has responded to multiple incidents at other organizations in the region."

Similarly, Symantec reported, "Shamoon (W32.Disttrack), the aggressive disk-wiping malware which was used in attacks against the Saudi energy sector in 2012, has made a surprise comeback and was used in a fresh wave of attacks against targets in Saudi Arabia."

Shamoon Wiper Attacks Resurface in the Middle EastThe targets themselves have not been named, nor is there any public news of 'destruction' on the scale of the 2012 Aramco incident. Either the victims are keeping the attacks quiet, or modern anti-malware products caught and stopped the malware from doing too much damage. Such information is only likely to emerge slowly.

Shamoon 2.0 is a reworked version of the original malware, and analysts are suggesting that similarities in the attack methodology suggest the same attackers. In 2012 a hacking group calling itself the Cutting Sword of Justice claimed responsibility; but the general consensus was that it was an Iranian state-sponsored attack.

Components within Shamoon 2.0 are the same as those used in the original version. It uses the commercial disk wiping tool, RawDisk by EldoS Corporation, which provides direct access to files, disks and partitions. This can be configured in one of three overwrite methods: encryption using a random key and RC4; overwriting the content with the same random values that would be used for the encryption; or overwriting the files and partition tables with a JPEG image.

In both 2012 and 2016, the method used is the JPEG. In 2012 it was an image of a burning Stars and Stripes flag, while in 2016 it was the iconic image of the drowned Syrian refugee child, Alan Kurdi.

The driver used for RawDisk was the same in both attacks. It relies on a temporary license that ran out in August 2012. Shamoon 2.0 simply reset the system clock. "This modification to the system time was seen in the previous campaign, and the temporary license key within the wiper component is the exact same as wiper component from the 2012 attacks," reports Palo Alto's Unit 42 research team.

Unit 42 also suggests that Shamoon 2.0 is focused solely on destruction, "as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45." Just as in the 2012 attack, this is the end of the working week in Saudi Arabia, leaving the entire weekend to spread and cause maximum damage.

The method of spreading within the target indicates a well-planned campaign. First, the malware tries to access the ADMIN$, C$\Windows, D$\Windows, and E$\Windows shares on the target systems with current privileges. But if current privileges are not enough, "it uses hard coded, domain specific credentials (privileged credentials, likely Domain Administrator or local Administrator) gained during an earlier phase of the attack to attempt the same," reports FireEye.

Nobody is yet naming either the victims or the perpetrator. The general consensus is that it is the same attacker as in 2012. That points the finger at Iran. Dmitri Alperovitch,Crowdstrike Co-founder and CTO, claims the 2012 attack was "driven by Iranian intelligence requirements stemming, at least in part, from international sanctions activities impacting the country's economy." It goes on to link the new attack to "the 171st meeting of the Organization of the Petroleum Exporting Countries (OPEC) conference in Vienna, where consensus was reached on the implementation of first oil production cuts in 8 years."

Against this argument, OPEC limiting production should benefit the Iranian economy by lifting oil prices -- which has already happened. Meanwhile, F-Secure's Sean Sullivan tweeted, "Is Iran engaged in The Cyber (Shamoon attacks) during the lame duck period? Audacious." 

When asked who the attacker might be and why, he told SecurityWeek, "Iran. Because, Yemen (et cetera). This is an ongoing part of the cold war / proxy war that's going on between Saudi Arabia and Iran. Why now? Perhaps Iran feels emboldened to act in the cyber realm during the 'lame duck' period in the USA. It's probably a good way to test the incoming administration's reaction."

Given President-elect Trump's well-known hardline position against Iran, that could indeed be at least a secondary motive. Nevertheless, despite current indications, it would be wrong to categorically ascribe the Shamoon 2.0 attacks to Iran. Without further proof, that would be premature. Mandiant might have that proof, but it isn't yet public.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.