Italian oil and gas services company Saipem has confirmed that its systems were hit recently by a new variant of the notorious Shamoon malware. Shamoon may have also been used in attacks aimed at other energy sector organizations operating in the Middle East.
Saipem reported on Monday that some of its servers were hit by a cyberattack, but provided few other details. The company said the attack mainly impacted servers in the Middle East, including Saudi Arabia, the United Arab Emirates and Kuwait, along with some devices in India and Scotland.
After news of the incident broke, some experts immediately suspected a Shamoon-related attack, especially since Saudi Arabian oil giant Saudi Aramco, one of the first victims of Shamoon back in 2012, is a customer of Saipem.
Saipem has now confirmed that its systems have been hit by a new variant of Shamoon (aka DistTrack), and told Reuters that the incident impacted 300-400 servers and up to 100 PCs of a total of roughly 4,000 machines.
Saipem told SecurityWeek on Tuesday that all its backups were safe and it had been working on restoring impacted servers. The company says no data has been stolen.
However, Saipem may not be the only energy sector victim of the latest Shamoon variant. Forbes reported that Symantec also identified a victim, a heavy engineering company, in the United Arab Emirates.
Earlier this week, Symantec published a report detailing the recent activities of a cyber espionage group dubbed Seedworm (also known as MuddyWater), which has been focusing on gathering intelligence on targets in the Middle East, as well as in North America and Europe.
Iran was blamed for the previous Shamoon attacks and, unsurprisingly, it’s also the main suspect in these latest incidents.
News of a new Shamoon variant, which some have dubbed “Shamoon 3,” emerged earlier this week after Chronicle, the cybersecurity firm owned by Google’s parent company Alphabet, discovered it on its malware analysis service VirusTotal.
Palo Alto Networks has also published an analysis of Shamoon 3 and others are expected to do the same in the upcoming days.
According to Palo Alto Networks, the Shamoon 3 attacks start with a dropper that is responsible for installing communications and wiper modules, along with spreading to other systems on the network using previously stolen credentials.
The Shamoon 3 variant analyzed by Palo Alto Networks and Chronicle has a wipe date set to December 7, 2017 – if the date on the infected system is after this date, the malware will start its malicious routines.
The wiper module is designed to overwrite the master boot record (MBR), partitions and files with random bytes using a legitimate tool called RawDisk made by EldoS. However, Palo Alto Networks says the sample can also be configured to encrypt the content of files or overwrite them with another file, such as in the previous Shamoon attacks when the malware replaced files with an image of a burning US flag. Once the wiping process has been completed, the infected system can no longer boot up.
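The wiper's end state described above, an MBR overwritten with random bytes, is something a responder can check for directly on a disk image. The following is an added example, not code from the article or from any vendor analysis: it reads the first 512-byte sector, checks the 0x55AA boot signature, sanity-checks the four partition table entries, measures the entropy of the boot-code region, and optionally compares the sector's SHA-256 against a baseline recorded before the incident. The two sample sectors (a plausible single-partition MBR and a pseudo-random "wiped" one) are constructed inline; the 7.0-bit entropy threshold is an assumption chosen to separate real boot code from random bytes.

```python
import hashlib
import math
import struct
from typing import Optional

SECTOR = 512
BOOT_CODE_END = 446          # partition table starts at byte 446
ENTROPY_THRESHOLD = 7.0      # assumption: real boot code sits well below this


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; uniform random data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_partitions(mbr: bytes):
    """Decode the four 16-byte partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = BOOT_CODE_END + 16 * i
        status, _, _, _, ptype, _, _, _, lba_start, sectors = struct.unpack_from(
            "<BBBBBBBBII", mbr, off)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def inspect_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> dict:
    """Return integrity findings for one MBR sector."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    mbr = sector[:SECTOR]
    sig_ok = mbr[510:512] == b"\x55\xaa"
    parts = parse_partitions(mbr)
    # status byte is 0x00 (inactive) or 0x80 (bootable); at least one used slot expected
    parts_ok = all(p["status"] in (0x00, 0x80) for p in parts) and any(p["type"] for p in parts)
    entropy = shannon_entropy(mbr[:BOOT_CODE_END])
    digest = hashlib.sha256(mbr).hexdigest()
    findings = []
    if not sig_ok:
        findings.append("boot signature 0x55AA missing")
    if not parts_ok:
        findings.append("partition table entries are not sane")
    if entropy > ENTROPY_THRESHOLD:
        findings.append(f"boot code entropy {entropy:.2f} looks like random bytes")
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("MBR differs from recorded baseline")
    return {"sha256": digest, "entropy": round(entropy, 2), "boot_signature_ok": sig_ok,
            "partition_table_ok": parts_ok, "findings": findings,
            "suspect_wipe": bool(findings)}


def sample_good_mbr() -> bytes:
    """Constructed sample: a few boot-code bytes, one NTFS partition, valid signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb".ljust(BOOT_CODE_END, b"\x00")
    part1 = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 2048, 204800)
    return boot_code + part1 + b"\x00" * 48 + b"\x55\xaa"


def sample_wiped_mbr() -> bytes:
    """Constructed sample: deterministic pseudo-random bytes standing in for a wiped sector."""
    return b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))


if __name__ == "__main__":
    good = sample_good_mbr()
    baseline = hashlib.sha256(good).hexdigest()
    print("pre-incident:", inspect_mbr(good, baseline))
    print("after wipe:  ", inspect_mbr(sample_wiped_mbr(), baseline))
```

On a live case the sector would come from `open("/dev/sdX", "rb").read(512)` on a forensic copy, or from a physical drive handle on Windows; the baseline hash is the value worth recording during normal operations, since a wiped sector fails several of these checks at once while a modified-but-valid bootloader may only fail the hash comparison.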
Palo Alto researchers found that several Shamoon 3 resources have the language identifier set to Yemen, similar to the samples used in the Shamoon 2 attacks.
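A resource language identifier is a cheap triage signal to check for across a sample set. The following is an added example, not code from the article or from Palo Alto Networks: it walks the three-level PE resource directory (type, name, language) and reports how many resources carry the Arabic (Yemen) identifier, 0x2401 under the Windows MAKELANGID encoding; a small section-table parser pulls `.rsrc` out of a real PE, and a builder constructs an in-memory sample tree so the walker can be exercised offline. Treating any Yemen-tagged resource as worth a closer look is an assumption for triage, not a verdict.

```python
import struct
from typing import List

LANG_ARABIC = 0x01
SUBLANG_ARABIC_YEMEN = 0x09
LANGID_ARABIC_YEMEN = (SUBLANG_ARABIC_YEMEN << 10) | LANG_ARABIC   # 0x2401

RESOURCE_DIR_SIZE = 16   # IMAGE_RESOURCE_DIRECTORY
RESOURCE_ENTRY_SIZE = 8  # IMAGE_RESOURCE_DIRECTORY_ENTRY
SUBDIR_FLAG = 0x80000000


def extract_rsrc_section(pe: bytes) -> bytes:
    """Return the raw bytes of the .rsrc section of a PE file (empty if absent)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sect_off = e_lfanew + 24 + opt_size
    for i in range(nsect):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, sect_off + 40 * i)
        if name.rstrip(b"\0") == b".rsrc":
            return pe[rawptr:rawptr + rawsize]
    return b""


def walk_resource_languages(rsrc: bytes, offset: int = 0, depth: int = 0,
                            out: List[int] = None) -> List[int]:
    """Collect the language ID of every leaf; subdirectory offsets are relative to .rsrc start."""
    if out is None:
        out = []
    if offset + RESOURCE_DIR_SIZE > len(rsrc):
        return out
    named, by_id = struct.unpack_from("<HH", rsrc, offset + 12)
    entry_off = offset + RESOURCE_DIR_SIZE
    for _ in range(named + by_id):
        if entry_off + RESOURCE_ENTRY_SIZE > len(rsrc):
            break
        ident, target = struct.unpack_from("<II", rsrc, entry_off)
        entry_off += RESOURCE_ENTRY_SIZE
        if target & SUBDIR_FLAG:
            if depth < 2:   # depth limit also stops malformed, self-referencing trees
                walk_resource_languages(rsrc, target & 0x7FFFFFFF, depth + 1, out)
        elif depth == 2:    # third level: the entry ID is the language identifier
            out.append(ident & 0xFFFF)
    return out


def summarize_resource_languages(rsrc: bytes) -> dict:
    langs = walk_resource_languages(rsrc)
    yemen = sum(1 for l in langs if l == LANGID_ARABIC_YEMEN)
    return {"resources": len(langs), "languages": sorted(set(langs)),
            "yemen_count": yemen, "flag": yemen > 0}


def _emit_dir(blob: bytearray, node: dict) -> int:
    """Serialize a nested {id: subtree | None} dict into resource directory structures."""
    off = len(blob)
    blob += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, len(node))
    entry_base = len(blob)
    blob += b"\x00" * (RESOURCE_ENTRY_SIZE * len(node))
    for i, (ident, child) in enumerate(node.items()):
        if isinstance(child, dict):
            value = _emit_dir(blob, child) | SUBDIR_FLAG
        else:
            value = len(blob)
            blob += struct.pack("<IIII", 0, 0, 0, 0)   # placeholder IMAGE_RESOURCE_DATA_ENTRY
        struct.pack_into("<II", blob, entry_base + RESOURCE_ENTRY_SIZE * i, ident, value)
    return off


def build_sample_rsrc() -> bytes:
    """Constructed sample: an RT_VERSION (16) and an RT_RCDATA (10) resource, two tagged Yemen."""
    tree = {16: {1: {LANGID_ARABIC_YEMEN: None}},
            10: {101: {0x0409: None, LANGID_ARABIC_YEMEN: None}}}
    blob = bytearray()
    _emit_dir(blob, tree)
    return bytes(blob)


if __name__ == "__main__":
    print(summarize_resource_languages(build_sample_rsrc()))
```

Against a file on disk, `summarize_resource_languages(extract_rsrc_section(open(path, "rb").read()))` gives the per-sample summary; running it over a directory of samples and pivoting on the `languages` list is the kind of clustering the reported Shamoon 2 and Shamoon 3 overlap rests on.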