Throwback Attack: Dustman malware strikes Bahrain’s national oil company

Image courtesy: CFE Media and Technology

A constant fear in the cybersecurity field is that the next major cyberattack could be on critical infrastructure. Cybersecurity experts are always preparing for the next Colonial Pipeline or JBS meat company to be infiltrated. According to an article from Verve, “attacks on critical infrastructure increased by 3,900% from 2013 to 2020 (Gartner).” Other countries were not impervious to such attacks, either. For example, Bahrain’s national oil company was struck in 2019 with the Dustman malware; however, this attack didn’t have the same outcome as Colonial.

With the ever-evolving threat landscape, predicting the next victim and the result of that attack has become close to impossible. Everyone can be susceptible to an attack at any time, and attacks on critical infrastructure are especially dangerous due to how many people can be affected. For instance, Bapco’s customers extend across not only different countries, but continents, as well.

Cyberattack on Bapco

Iran and Saudi Arabia have long had a strained relationship, due to religious differences and competing against each other in the oil export market. Iran also has a history of attacking companies in the oil and gas sector, including those tied to the Saudi regime and Saudi Aramco. Bahrain, a small island country in the Persian Gulf and a business partner of Saudi Aramco, recently felt the brunt of one such attack. On Dec. 29, 2019, Iranian state-sponsored hackers unveiled a new malware strain called Dustman in an attack on Bapco, Bahrain’s national oil company.

According to the report released by Saudi Arabia’s National Cybersecurity Authority (NCA), the attackers obtained initial access to the victim’s network by exploiting a remote code execution vulnerability in a VPN appliance, which gave them control of the VPN server. The attackers then gained domain admin and service accounts on the victim’s network, enabling them to run Dustman on the victim’s systems. The antivirus management console service account was used to distribute the malware across the network.

Dustman malware was designed to destroy data once a computer is infected. However, only some of the computers on the Bapco network were impacted, so the attack did not cause as much damage as it could have. The oil company was able to detect and contain the attack, which allowed it to continue its services afterward.

The industries most commonly targeted with Dustman are government agencies, infrastructure, academic institutions and commercial organizations. At the time of this attack, Bapco was the only known victim, but that doesn’t mean it was the only intended target. According to a ZDNet article, “attackers don’t seem to have planned to deploy Dustman at the time they did, but appear to have triggered the data-wiping process as a last-ditch effort to hide forensic evidence after they made a series of mistakes that would have revealed their presence on the hacked network.”

Because of their rushed efforts, the attackers made mistakes, and the malware didn’t deploy properly, so Bapco officials learned of the attack the next day. They were able to find Dustman because some workstations were in sleep mode during the attack. When the computers were started, the system tried to execute the malware, but the antivirus was back online and able to prevent the damaging effects.

Dustman malware

Iranian state-sponsored hackers are known for developing data-wiping malware and have three strains linked to them so far. In 2012, Shamoon malware destroyed more than 35,000 workstations at Saudi Arabia’s national oil company. The effects of that attack lasted for weeks, and later threat actors created other versions of Shamoon. The second strain Iranians are linked to is ZeroCleare, which was discovered in September 2019. ZeroCleare is the predecessor to the more advanced and third Iranian data-wiping malware, Dustman.

Dustman contained all the needed drivers and loaders, delivered in a single executable file, unlike ZeroCleare, which delivered its loaders in two files. However, all three malware families use EldoS RawDisk, a legitimate software toolkit that interacts with files, disks and partitions and lets users bypass the access restrictions enforced by Windows operating systems. EldoS RawDisk was originally created for data-recovery and undelete software.

Protecting against Dustman-style attacks

The takeaway from this attack, similar to countless other cyberattacks, is that anyone can be a target. If the attack hadn’t been rushed, Bapco, which produces more than one-sixth of the crude oil originating from Bahrain, could have been in serious trouble. According to Bapco’s website, more than 85% of their refined products and crude oil are sent to countries across Africa, the Middle East, the Far East and Southeast Asia. Every country that is a customer of Bapco would have been affected by this attack.

But while anyone can be a target, that doesn’t mean there’s nothing you can do to prepare for an attack. Strengthening cybersecurity should always be a priority. According to a LightEdge Solutions article, best practices for cybersecurity against attacks similar to Dustman are the following:

  • Geo-block IP address ranges at the firewall for nations that don’t do business with your company.
  • Use multifactor authentication, which is a must for VPNs, firewalls, network routers and financial systems.
  • Patch any vulnerabilities found.
  • Monitor and log so an employee can respond quickly to any anomalies.
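As an added example (not from the article, the NCA report or any vendor), two simple checks a defender could run over endpoint telemetry for the behaviours described above: a management-console service account fanning out to many hosts at once, and a driver from the RawDisk vendor being loaded. The account names, host names, timestamps and driver path are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not from the article or any real incident), in a
# simplified key=value form modelled on Sysmon "Driver loaded" (Event ID 6) and
# Windows "Logon" (Event ID 4624) records. Names and paths are placeholders.
SAMPLE_EVENTS = """
ts=2019-12-29T02:10:05 host=WS01 event=4624 user=svc_av_console logon_type=3
ts=2019-12-29T02:10:06 host=WS02 event=4624 user=svc_av_console logon_type=3
ts=2019-12-29T02:10:07 host=WS03 event=4624 user=svc_av_console logon_type=3
ts=2019-12-29T02:10:08 host=WS04 event=4624 user=svc_av_console logon_type=3
ts=2019-12-29T02:10:40 host=WS02 event=6 image="C:\\placeholder\\rawdisk_driver.sys" signature="EldoS Corporation"
ts=2019-12-29T02:11:00 host=WS01 event=4624 user=jsmith logon_type=2
ts=2019-12-29T08:00:00 host=WS07 event=4624 user=svc_backup logon_type=3
""".strip().splitlines()

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_event(line):
    """Turn one key=value line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def raw_disk_driver_loads(lines):
    """Hosts where a driver signed by EldoS (the RawDisk vendor) was loaded.
    Legitimate in data-recovery tooling; on a refinery workstation it needs a look."""
    return sorted(e["host"] for e in map(parse_event, lines)
                  if e.get("event") == "6" and "eldos" in e.get("signature", "").lower())

def service_account_fanout(lines, min_hosts=3, window_seconds=300):
    """Accounts with network logons (type 3) to >= min_hosts distinct hosts within
    one window: the shape a console account takes when it pushes a binary everywhere."""
    seen = defaultdict(list)  # user -> [(timestamp, host), ...]
    for e in map(parse_event, lines):
        if e.get("event") == "4624" and e.get("logon_type") == "3":
            seen[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    flagged = {}
    for user, hits in seen.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start time
            hosts = {h for t, h in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    print("RawDisk-vendor driver loads:", raw_disk_driver_loads(SAMPLE_EVENTS))
    print("Service-account fan-out:", service_account_fanout(SAMPLE_EVENTS))
```

Thresholds are deliberately low for the sample; in production they would be tuned to the console's normal deployment cadence so routine signature pushes do not fire.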
