Saudi Arabia is warning businesses and organizations to be on alert for a highly destructive kind of malware. The computer virus (called Shamoon, after the hacking group that first used it) attacks computers by wiping their hard disks. The Saudi Arabian telecoms authority raised the alarm on Monday. Palo Alto Inc. and Symantec say that they have uncovered evidence of a more advanced form of the Shamoon virus, the malware that incapacitated thousands of computers back in 2012.
Shamoon 2 is highly similar to the virus that hackers used in 2012 to attack the systems of the oil giant Saudi Aramco. Terrifyingly, however, the latest version is believed to be even more advanced. The virus can copy itself across machines on a network, deploying a 32-bit or 64-bit build of itself depending on the target machine.
Once there, the malware waits until a specified time to wipe the hard drives in unison. The attackers can alter that attack time at will via command-and-control (CnC) servers. Five years ago, the virus successfully wiped the master boot record (MBR) of a whopping 35,000 computers, leaving the machines unable to start up.
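Because the wiper described above destroys the master boot record, one defensive check a practitioner can run is to baseline sector 0 of each disk and re-verify it on a schedule. The script below is an added example, not code from the article or from any of the vendors it cites: it hashes the MBR, checks the 0x55AA boot signature, parses the partition table, and classifies a freshly read sector as intact, modified, or wiped/overwritten. All disk images are constructed in memory, so it runs offline and touches no real device.

```python
"""Added example (not from the article): MBR integrity check against a
stored baseline. Disk images below are constructed in memory."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code


def fingerprint_mbr(sector0: bytes) -> str:
    """SHA-256 of the first 512 bytes; store this as the known-good baseline."""
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least 512 bytes of sector 0")
    return hashlib.sha256(sector0[:SECTOR_SIZE]).hexdigest()


def has_boot_signature(sector0: bytes) -> bool:
    """A wiped or image-overwritten sector almost never ends in 0x55AA."""
    return sector0[510:512] == BOOT_SIGNATURE


def partition_entries(sector0: bytes) -> list:
    """Parse the classic MBR partition table (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # byte 0 status, 3 bytes CHS start, byte 4 type, 3 bytes CHS end,
        # uint32 LBA start, uint32 sector count (all little-endian)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0:                       # type 0 means an unused slot
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(baseline_hash: str, sector0: bytes) -> dict:
    """Compare a freshly read sector 0 with the baseline and classify it."""
    result = {
        "hash_matches": fingerprint_mbr(sector0) == baseline_hash,
        "boot_signature": has_boot_signature(sector0),
        "partitions": len(partition_entries(sector0)),
    }
    if result["hash_matches"]:
        result["verdict"] = "intact"
    elif not result["boot_signature"] or result["partitions"] == 0:
        # Signature gone or table empty: consistent with a wiper pass
        result["verdict"] = "wiped-or-overwritten"
    else:
        # Still bootable-looking but changed: bootkit, repartition, or update
        result["verdict"] = "modified"
    return result


def make_sample_mbr() -> bytes:
    """Constructed good MBR: NOP filler as boot code, one NTFS partition."""
    boot_code = b"\x90" * PARTITION_TABLE_OFFSET           # constructed filler
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    table = entry + b"\x00" * 48                           # three unused slots
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = make_sample_mbr()
    baseline = fingerprint_mbr(good)          # would be stored at install time
    print("fresh read  :", assess_mbr(baseline, good)["verdict"])
    print("zeroed      :", assess_mbr(baseline, b"\x00" * SECTOR_SIZE)["verdict"])
    print("image bytes :", assess_mbr(baseline, b"\xFF" * SECTOR_SIZE)["verdict"])
```

On a live Windows host the fresh read would come from a raw device handle such as `\\.\PhysicalDrive0` opened with administrator rights, and the baseline hash belongs somewhere the wiper cannot reach, such as a central inventory; a check that only alerts after the MBR is gone is a forensic signal rather than a preventive one, so it complements, rather than replaces, offline backups and credential hygiene.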
This is not the first time that the two forms of the Shamoon malware, known as W32.Disttrack and W32.Disttrack.B, have made a resurgence. Last year, the devastating code resurfaced in a number of attacks targeted at the Saudi General Authority of Civil Aviation (GACA). It was also used to attack the energy, manufacturing, transportation, investment, and education sectors within the nation.
On those occasions, Symantec believed that a group called Greenbug was carrying out the attacks. The cybersecurity firm commented as follows on the recent reappearance of the dreaded virus:
“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.”
Palo Alto Inc. has also released an analysis of the recent attacks, which once again focus on Saudi Arabia’s government agencies and organizations:
“Last week, Unit 42 came across new Disttrack samples that appear to have been used in an updated attack campaign. The attack targeted at least one organization in Saudi Arabia, which aligns with the targeting of the initial Shamoon attacks. It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45.
In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work.”
The destructive Disttrack payload is only the final stage of the attack. It makes its way onto victims’ machines by means of previously stolen credentials. It is believed that the recent Shamoon hackers may have obtained those credentials from the Greenbug cyber espionage group responsible for last year’s string of attacks. In reality, however, the resurgence of the Disttrack payload is shrouded in mystery. Nobody is really sure how the credentials needed to get it onto systems on this occasion were obtained.
What is known is that Greenbug used a custom remote access Trojan (RAT) known as Trojan.Ismdoor to steal information. In addition, the cybercriminals used advanced hacking tools to steal sensitive credentials from the various compromised organizations. For now, it is unknown whether a similar attack path was used to obtain the recently used credentials, or whether there is a link between last year’s Greenbug attacks and the new ones.
There is no denying, however, that the recent attacks share certain characteristics with those that occurred back in 2012. During the original Shamoon hacks, images of a burning US flag were used to overwrite hard drives. In the recent intrusions, the image of Alan Kurdi (a three-year-old Syrian refugee whose drowned body washed ashore in 2015) is said to have been used.
Adam Meyers, vice president of CrowdStrike, believes that the original 2012 attacks were perpetrated by state-sponsored hackers in Iran. It is his belief that the same is true on this occasion and that “it’s likely they will continue.” It is not clear how he knows this, though it certainly doesn’t seem impossible.
For now, it is unclear just how severe the recent spate of attacks has been. The state-controlled TV channel Al Ekhbariya announced on Monday that various Saudi organizations had been hit. Later on, Sadara Chemical Co (jointly owned by Saudi Aramco and the US firm Dow Chemical) admitted via Twitter that it had suffered some network disruptions. That announcement was closely followed by announcements from other Jubail-based petrochemical companies. So far, though, no figures have been released for how many machines the Disttrack payload may have damaged.
More Evidence Needed
Jon DiMaggio, senior threat intelligence analyst at Symantec, says that the company is carefully analyzing all the data from past and current attacks, but he admits that so far it does not have the evidence needed to say the attacks were all perpetrated by a single group of hackers:
“It is possible that Greenbug played a role in some of the previously discussed campaigns against the middle east. In light of our recent findings we are reviewing previous attacks [but] have not yet identified enough of a ‘tie’ to comfortably state that the activity is [all] from one attacker. As we obtain new information and evidence we will assess this and previous activity with more certainty.”
One can’t help wondering, however, if CrowdStrike’s Adam Meyers is correct: will we be hearing about more large quantities of wiped Saudi computers in the near future? Only time will tell.