Shamoon 3 Targets Energy Sector in Middle East

Italian oil and gas services company Saipem has confirmed that its systems were hit recently by a new variant of the notorious Shamoon malware. Shamoon may have also been used in attacks aimed at other energy sector organizations operating in the Middle East.

Saipem reported on Monday that some of its servers were hit by a cyberattack, but provided few other details. The company said the attack mainly impacted servers in the Middle East, including Saudi Arabia, the United Arab Emirates and Kuwait, along with some devices in India and Scotland.

After news of the incident broke, some experts immediately suspected a Shamoon-related attack, especially since Saudi Arabian oil giant Saudi Aramco, one of the first victims of Shamoon back in 2012, is a customer of Saipem.

Saipem has now confirmed that its systems have been hit by a new variant of Shamoon (aka DistTrack), and told Reuters that the incident impacted 300-400 servers and up to 100 PCs of a total of roughly 4,000 machines.

Saipem told SecurityWeek on Tuesday that all its backups were safe and it had been working on restoring impacted servers. The company says no data has been stolen.

However, Saipem may not be the only energy sector victim of the latest Shamoon variant. Forbes reported that Symantec also identified a victim, a heavy engineering company, in the United Arab Emirates.

Earlier this week, Symantec published a report detailing the recent activities of a cyber espionage group dubbed Seedworm and MuddyWater, which has been focusing on gathering intelligence on targets in the Middle East, as well as in North America and Europe.

Iran was blamed for the previous Shamoon attacks and, unsurprisingly, it’s also the main suspect in these latest incidents.

News of a new Shamoon variant, which some have dubbed “Shamoon 3,” emerged earlier this week after Chronicle, a cybersecurity firm of Google’s parent company Alphabet, discovered it on its malware analysis service VirusTotal.

Palo Alto Networks has also published an analysis of Shamoon 3 and others are expected to do the same in the upcoming days.

According to Palo Alto Networks, the Shamoon 3 attacks start with a dropper that is responsible for installing communications and wiper modules, along with spreading to other systems on the network using previously stolen credentials.

The Shamoon 3 variant analyzed by Palo Alto Networks and Chronicle has a wipe date set to December 7, 2017 – if the date on the infected system is after this date, the malware will start its malicious routines.

The wiper module is designed to overwrite the master boot record (MBR), partitions and files with random bytes using a legitimate tool called RawDisk made by EldoS. However, Palo Alto Networks says the sample can also be configured to encrypt the content of files or overwrite them with another file, as in the previous Shamoon attacks, when the malware replaced files with an image of a burning US flag. Once the wiping process has been completed, the infected system can no longer boot.

Palo Alto researchers found that several Shamoon 3 resources have the language identifier set to Yemen, similar to the samples used in the Shamoon 2 attacks.
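The resource language identifier mentioned above is one of the few static artifacts a defender can check on a suspicious sample without running it. The script below is an added example written for this article, not code from SecurityWeek, Palo Alto Networks or Chronicle. It assumes you have already extracted the raw bytes of a PE file's `.rsrc` section (for instance with the `pefile` library or a hex editor) and walks the standard three-level IMAGE_RESOURCE_DIRECTORY tree (type, name, language) to list each resource's language identifier, flagging Arabic (Yemen), which Windows encodes as 0x2401. The resource blob it parses is constructed inside the script so it runs offline.

```python
"""Triage helper: list PE resource language identifiers and flag Arabic (Yemen).

Added example, not code from the article or the vendors it cites. It assumes
the caller supplies the raw bytes of a PE .rsrc section; all offsets inside a
resource directory are relative to the start of that section, so the blob is
parsed from offset 0.
"""
import struct

# MAKELANGID(LANG_ARABIC = 0x01, SUBLANG_ARABIC_YEMEN = 0x09)
#   = (0x09 << 10) | 0x01 = 0x2401
LANG_ARABIC_YEMEN = 0x2401

_DIR_HDR = "<IIHHHH"   # Characteristics, TimeDateStamp, MajorVer, MinorVer, #Named, #Id
_ENTRY = "<II"         # Name/Id, OffsetToData (high bit set => subdirectory)
_SUBDIR_FLAG = 0x80000000


def walk_resource_dir(rsrc: bytes, offset: int = 0, depth: int = 0, path=()):
    """Yield (type_id, name_id, lang_id) for every data entry in the tree.

    String-named entries are reported as None; the depth cap stops a crafted
    directory from recursing forever.
    """
    _, _, _, _, n_named, n_id = struct.unpack_from(_DIR_HDR, rsrc, offset)
    entry_off = offset + struct.calcsize(_DIR_HDR)
    for _ in range(n_named + n_id):
        name, data = struct.unpack_from(_ENTRY, rsrc, entry_off)
        entry_off += struct.calcsize(_ENTRY)
        ident = None if name & _SUBDIR_FLAG else name
        if data & _SUBDIR_FLAG:
            if depth < 3:
                yield from walk_resource_dir(rsrc, data & ~_SUBDIR_FLAG,
                                             depth + 1, path + (ident,))
        else:
            # Leaf: IMAGE_RESOURCE_DATA_ENTRY. The last path element is the
            # language identifier at the third level of a well-formed tree.
            yield path + (ident,)


def find_yemen_resources(rsrc: bytes):
    """Return the (type, name, lang) tuples whose language is Arabic (Yemen)."""
    return [r for r in walk_resource_dir(rsrc)
            if len(r) == 3 and r[2] == LANG_ARABIC_YEMEN]


def build_rsrc(resources):
    """Serialize (type, name, lang) tuples into a minimal .rsrc blob.

    Constructed test data only: data entries are zero-filled stubs because
    the language check never reads resource payloads.
    """
    tree = {}
    for t, n, lang in resources:
        tree.setdefault(t, {}).setdefault(n, {})[lang] = None
    buf = bytearray()

    def emit_dir(children):
        start = len(buf)
        buf.extend(struct.pack(_DIR_HDR, 0, 0, 0, 0, 0, len(children)))
        entries_at = len(buf)
        buf.extend(b"\0" * (struct.calcsize(_ENTRY) * len(children)))
        for i, (ident, sub) in enumerate(sorted(children.items())):
            if sub is None:
                target = len(buf)
                buf.extend(struct.pack("<IIII", 0, 0, 0, 0))  # data entry stub
            else:
                target = emit_dir(sub) | _SUBDIR_FLAG
            struct.pack_into(_ENTRY, buf, entries_at + 8 * i, ident, target)
        return start

    emit_dir(tree)
    return bytes(buf)


# Constructed sample: RT_RCDATA (10) in English (US) and Arabic (Yemen),
# plus an RT_VERSION (16) resource in Arabic (Yemen).
SAMPLE_RSRC = build_rsrc([
    (10, 101, 0x0409),
    (10, 102, LANG_ARABIC_YEMEN),
    (16, 1, LANG_ARABIC_YEMEN),
])

if __name__ == "__main__":
    for res in walk_resource_dir(SAMPLE_RSRC):
        print("type=%s name=%s lang=0x%04x" % res)
    print("Yemen-tagged resources:", find_yemen_resources(SAMPLE_RSRC))
```

A Yemen language identifier is a weak signal on its own; it is useful for clustering samples against the Shamoon 2 set the article mentions, not as a verdict, and any real triage should combine it with the wiper and dropper behaviour described above.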

Related: Iran Hackers Hunt Nuke Workers, US Officials

Related: Shamoon-Linked “StoneDrill” Malware Allows Spying, Destruction

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
