Security Experts:

Saudi Aviation Agency Downplays Impact of Shamoon Attack

Saudi Arabia’s General Authority of Civil Aviation (GACA) has confirmed that several government agencies, including its own systems, have been hit by the recent Shamoon 2.0 attacks, but downplayed the impact of the incident.

Shamoon, aka Disttrack, is a disk-wiping malware that became widely known in 2012, when it damaged 35,000 computers belonging to national petroleum and natural gas company Saudi Aramco.

Security firms noticed recently that a new version of the malware, dubbed Shamoon 2.0, has been used in attacks aimed at Arab states of the Persian Gulf, but little is known about the victims.

Bloomberg reported last week that several government agencies were targeted and named GACA. Sources told the publication that the attackers erased critical data and brought operations to a halt for several days. Thousands of computers were reportedly “destroyed” at the agency, but only office administration systems were affected.

In a statement published on its website, the aviation agency said the attack targeted various sectors, including the country’s transportation sector. GACA has confirmed that its systems were targeted, but claims its website and critical aviation systems were not impacted thanks to “security measures.”

According to the organization, the hackers did not breach air navigation systems or any major airport networks, including HR, financial, aviation permit and security badge, and airport support and operations systems.

“From the beginning of the attack in the past few days, GACA have noticed its impact on some of employees desktop pcs and their official emails, requiring us to immediately implement some necessary measures to deal with such incidents, where a complete isolation of the infected devices from the main network,” the agency stated.

“Work have already started to restore the infected data in a secure fashion. Efforts to provide employees with virus free and sound equipment was implemented immediately to enable them to carry on their workloads. Service was restored to the affected systems after a temporary injunction on the device was implemented as a precautionary measure for some time,” it added.

Shamoon 2.0 is similar to the original malware and the attack method suggests that the new campaign was carried out by the same threat actor that breached Saudi Aramco in 2012. A group calling itself the “Cutting Sword of Justice” took credit for the 2012 attack, but many believe the Iranian government was behind the operation.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.