Ultra Intelligence & Communications

Schlemiel! Schlimazel! Shamoon! – They’re gonna keep doing it.

January 29th, 2019

Shamoon is back, and once again it is targeting energy sector organizations operating primarily in the Middle East. This highly destructive computer virus was first unleashed in 2012, with the state-owned oil company Saudi Aramco as its main target. Unlike ransomware, which holds data hostage for a fee, “Shamoon” (AKA “Disttrack”) was designed for total destruction: it renders hard drives useless by irretrievably wiping the master boot record (MBR) and the data. Shamoon wiped out three-quarters of the state-owned energy giant’s computers (some 30,000 workstations), an incident described at the time as the largest commercial cyberattack in history.

Shamoon wreaked havoc on energy sector targets, primarily those operating in the Mideast and with Saudi ties, until 2017, when it appeared to go dormant. Then, in December 2018, it suddenly reappeared, targeting the Italian oil and gas contractor Saipem, primarily its Mideast networks. The new version of Shamoon resembles the older one but with some modifications, most importantly the addition of the wiping malware Trojan.Filerase. With the earlier version of Shamoon, affected computers were made unusable, but files on the hard disk might still have been forensically recoverable. With this version, if the files are first wiped by Filerase, recovery becomes impossible.

Some analysts believe that, as in the 2012-2016 attacks, the author of the virus intended to send a message to the Saudi government for supporting controversial American foreign policy in the Middle East. Anti-U.S. imagery was found in the code: in the 2012 attacks, infected computers had their master boot records wiped and replaced with an image of a burning US flag, and the latest attacks used a photo of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in the Mediterranean last year, as well as quotes from the Quran. Most security analysts agree that in both cases the attacks originated with Iranian-backed hackers, and the timing of the attacks in each case supports that theory. In 2012, the Obama administration had tightened economic sanctions on Iran, but lifted many of them a few years later under the agreement with Tehran to halt its nuclear development. In 2018, however, the Trump administration pulled out of the Iranian Nuclear Agreement and reinstated most of the US economic sanctions against Iran and its trading partners.

The methods used by these state-sponsored hackers to launch Shamoon are all too common, yet many organizations still fail to establish and manage the basic security practices that could prevent a total shutdown. The malware was configured with passwords that appear to have been stolen from the targeted organizations and were likely used to let the threat spread across a targeted organization’s network. How the attackers obtained the stolen credentials is unknown, but most analysts agree that passwords are by far the weakest link in cybersecurity today. Too often, system administrators do not bother to change the default password when software is installed, or they use passwords that are easily guessed. In addition to creating and using more complex passwords, system administrators should be using two-factor authentication (2FA) to add an extra step to the basic log-in procedure.

Researchers found that the Shamoon attackers usually gained access to networks through spear-phishing emails sent to employees at the target organization. The email carried a Microsoft Office document as an attachment; opening it invokes PowerShell and gives the attackers command-line access to the compromised machine. They can then communicate with the machine, remotely execute commands on it, and use that access to deploy additional tools and malware to other endpoints or to escalate privileges in the network. Educating personnel on the “If in doubt, throw it out” rule for email would go a long way toward closing this entry route, alongside firewalls (network and desktop) and desktop anti-virus programs. If an attacker does gain network access through a phishing campaign, application whitelisting can help protect ICS endpoints and prevent unwanted commands from getting through.

Once inside, the hackers have used standard Windows processes to leverage the registry and other file types to manipulate credentials, alter or create scheduled tasks, crack passwords, and manipulate remote access services to connect to their intended targets. In the Shamoon attacks thus far, thousands of computers have been affected across multiple government and civil organizations in Saudi Arabia and elsewhere in the Gulf states. How long until the targets become US critical systems, such as power plants? The Shamoon attacks appear to involve internal reconnaissance and espionage, perhaps with a plan to disrupt or disable critical systems should such an advantage prove opportune in the future.
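The delivery chain described in the two preceding paragraphs (an Office attachment that spawns PowerShell, followed by scheduled-task creation from that shell) is exactly the parent/child process relationship that endpoint telemetry can catch. The following is an added detection example, not code from the original post or from any vendor; the Sysmon-style field names and the sample events are constructed for illustration.

```python
"""Flag process-creation events matching the Office -> PowerShell -> schtasks chain.

Input is a list of Sysmon-style process-creation records (dicts). The field
names (ParentImage, Image, CommandLine) and the sample values are constructed
for this example and are not taken from any real log.
"""
import os

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def _base(path):
    # Compare on the executable name only; install paths and case vary by host.
    return os.path.basename(path.replace("\\", "/")).lower()


def classify(event):
    """Return a list of finding labels for one event (empty list = nothing flagged)."""
    parent = _base(event["ParentImage"])
    image = _base(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    findings = []
    # Office document spawning a shell: the attachment-to-PowerShell step.
    if parent in OFFICE_APPS and image in SHELLS:
        findings.append("office_spawns_shell")
    # Shell started with an encoded command or a hidden window (coarse check:
    # "-enc" also matches "-encodedcommand"; tune against your own baseline).
    if image in SHELLS and ("-enc" in cmd or "hidden" in cmd):
        findings.append("suspicious_shell_args")
    # Scheduled task created from an interactive shell: the persistence step.
    if image == "schtasks.exe" and "/create" in cmd and parent in SHELLS:
        findings.append("schtasks_create_from_shell")
    return findings


def scan(events):
    """Return (event index, labels) for every event with at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


# Constructed sample telemetry: one benign Word launch, then the two chain steps.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n quarterly.docx"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64-payload>"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc minute"},
]

if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS):
        print(idx, labels)
```

Application whitelisting, as the post recommends, would block the second and third events outright; where that is not yet in place, this kind of parent/child rule gives the SOC a high-signal alert on the same behaviour.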

As reported in National Review: “We now have evidence they’re sitting on the machines, connected to industrial control infrastructure, that allow them to effectively turn the power off or [a]ffect sabotage,” said Eric Chien, a security technology director at Symantec, a digital security firm. “From what we can see, they were there. They have the ability to shut the power off. All that’s missing is some political motivation.”

Regardless of why Shamoon has reappeared, the fact that these groups are hacking not for money but for geopolitical reasons means that organizations need to remain vigilant and ensure a robust security strategy is in place and updated on a regular basis.