Throwback Attack: Shamoon returns with a vengeance 

Image courtesy: Brett Sayles
Image courtesy: Brett Sayles

Four years after Shamoon’s initial cyberattack in August of 2012, security experts discovered evidence of a new, yet almost identical, malware targeting organizations in Saudi Arabia once again. The first attack took nearly five months and a complete wipe of the previous computer networks to get back on track, and experts had little information on who to blame as the culprits were never caught or even identified. What they did know is that the hackers behind Shamoon, first detected in December of 2016, wanted to be noticed. 

The new variant of malware began with a phishing email containing an image of a deceased 3-year-old child on a beach. This image contained hidden code that affected computers and gave hackers the ability to rewrite the master boot record (MBR), code used to start a machine, remotely. According to an analysis by Palo Alto Networks, “The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction.” Disttrack, another name for Shamoon, is likened to a worm because of its ability to spread from system to system.

Shamoon returns

While the reason why Shamoon appeared again four years later is unclear, malware experts were able to determine that the attack was configured to start spreading on Nov. 17, 2016, with the intention of wiping data on affected systems in Saudi Arabia. Similar to the first time, the malware was intended to drop at the end of the work week and during the Muslim holiday Lailat Al Qadr. This raised suspicion that hackers hoped to spread the second wave of malware when nobody was working. 

After the threat actors somehow obtained access to credentials of the targeted organization, the malware was carefully orchestrated and timed so it could infect the targeted network rapidly. The holiday weekend would also allow it to spread freely without intervention from cybersecurity experts. 

Using a wiper, dropper and module, the masterminds behind Shamoon 2 had the ability to communicate with and control the malware remotely. Experts from Palo Alto Networks said Shamoon 2 “has several TTP overlaps with the original Shamoon campaign, especially from a targeting and timing perspective. Also, Disttrack malware used in the recent attacks is very similar to the variant used in the 2012 attacks, which uses the exact same RawDisk device driver as well (down to the same, temporary license key).” This information confirmed that it was likely the same group that initiated the first attack working against Saudi Arabian organizations again. 

Palo Alto networks also said, “The main purpose of the Disttrack malware is to overwrite files and storage partitions in an attempt to destroy data and render the system unusable. To maximize its destruction, the Disttrack tool attempts to spread to other systems on the network using stolen administrator credentials, which suggests that the threat actors had previous access to the network or carried out successful phishing attacks prior to the attack using Disttrack.”

Further investigation determined that the Shamoon hackers were probably working with the Iranian government to carry out the attack in 2012, as well as future attacks in 2016, 2017 and 2018, all targeting Saudi Arabian infrastructure. 

What’s next for Saudi Arabian organizations?

Given the repeated attacks faced by various energy companies, the Saudi response has widely been to stop all operations and services related to an affected network, despite the level of disruption this causes. At least 22 institutions experienced disruptions at the hands of Shamoon 2, or malware linked to Shamoon 2, which led firms to resort to protecting themselves by implementing a complete shutdown of their networks. 

The most worrisome aspect of the Shamoon 2 incident is that experts expect more attacks like this to happen. Shamoon has continued to evolve with more attacks on government agencies and private companies since 2016 using the same data-wiping malware. While it is a positive that we have learned more about Shamoon’s capabilities, there is not a cut-and-dried answer to whether Shamoon will return or how it will be prevented with absolute certainty. 




Keep your finger on the pulse of top industry news