Shamoon Resurfaces to Attack Important Saudi Targets

The Shamoon malware has resurfaced, and has been identified as the agent responsible for a hack that destroyed computers at six important Saudi organizations two weeks ago.

The cyberweapon, last used to sabotage 35,000 computers at the oil company Saudi Aramco, has attacked the state aviation regulator, General Authority of Civil Aviation, as well as organizations in the energy and manufacturing sectors, according to sources speaking to CNN. According to the reports, the malware contained embedded credentials that allowed the malware to surreptitiously move throughout the network and plant logic bombs. The virus wiped machines, and all computer files were replaced by the image of a Syrian refugee boy, 3-year-old Alan Kurdi, lying dead on a beach.

Saudi Arabia's state news agency confirmed this week that a cyberattack occurred "on various government institutions and agencies,” and that "the attacks aimed at disabling all equipment and services that were being provided. The attackers were stealing data from the system and were planting viruses.”

 “Malware like Shamoon is analogous to finding an unexploded WWII bomb in the ground,” said John Worrall, CMO at CyberArk, in a blog. “It’s been seemingly dormant for years, but when uncovered, it remains incredibly dangerous with the potential to devastate. Agile cyber attackers have become expert at reconstituting old weaponry for new attacks—we can expect this trend to continue throughout 2017.”

While it’s natural to focus on the devastation malware like this can cause, understanding the pathway the malware had to travel is key to mitigation, he added. Hijacked administrator credentials enable attackers to enter the network undetected and they continue to elevate those privileges until they find a landing point to inflict maximum damage.

“In this case, the attack was likely initiated using a worm, which is how Shamoon operated historically,” Worrall said. “Propagation can occur by accessing shares in the network or through other remote access, using stolen credentials. Another possible way to gain this access network-wide is through group policy object (GPO) configuration from the Domain Controller that is distributed to domain-connected machines.”

No claims of responsibility have yet been made for the attacks, which started Nov. 17. But Tom Kellermann, CEO of Strategic Cyber Ventures, said that this signals a ramping up of nation-state activity.

"Cybercrime has migrated from burglary to home invasion! Destructive attacks are occurring but are not being reported,” Kellermann said. “Data integrity attacks such as Shamoon are now the result of geopolitical tension and oftentimes manifest as counter incident response. Be careful of shutting down that command and control."

Photo © Andrew V. Marcus/Shutterstock.com

What’s Hot on Infosecurity Magazine?