The notorious Shamoon malware has resurfaced, following its troubling history of wreaking havoc on Saudi Arabia’s state oil enterprise, Saudi Aramco, in 2012. This latest incarnation has notably targeted organizations in the energy sector, predominantly in the Middle East.
Recently, the Italian drilling giant Saipem reported a cyber attack that led to the destruction of sensitive files on about 10 percent of its servers. These affected systems spanned regions including Saudi Arabia, the United Arab Emirates, Kuwait, India, and Scotland. Saipem confirmed the intrusion was perpetrated with a variant of Shamoon, a malware known for its capacity to wipe hard drives. This malware previously devastated more than 30,000 systems during its earlier attacks.
According to Saipem’s announcement, the latest cyber assault was attributed to a variant of Shamoon, dubbed “Disttrack.” This version renders systems inoperable by overwriting critical data, including the master boot record (MBR), so that the machine can no longer boot. The breach reportedly crippled over 300 servers and roughly 100 personal computers within Saipem’s network of about 4,000 machines. The company noted that it had adequate backup measures in place before the attack, limiting the data loss.
The incident further complicates a tense cybersecurity landscape, as the 2012 attack against Saudi Aramco was allegedly linked to Iranian cyber actors. While the identity of the perpetrators behind the recent attack on Saipem remains uncertain, it raises alarms about ongoing threats to critical infrastructure, particularly within the energy sector.
Chronicle, a Google cybersecurity subsidiary, identified a Shamoon sample that was uploaded to the VirusTotal file analysis service on the same day Saipem endured the breach. The upload was traced to an IP address in Italy, where Saipem’s headquarters is located, raising further questions about the attack’s origin.
Viewed through the MITRE ATT&CK framework, the attack illustrates adversary tactics that may have been employed: initial access through compromised credentials or unpatched vulnerabilities, followed by lateral movement over the Windows Server Message Block (SMB) protocol, as seen in earlier destructive malware such as WannaCry and NotPetya. It also underlines the importance of resilience against such tactics through robust security controls and effective data backup strategies.
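One defensive check that follows from the lateral-movement point above is to look for a single host opening SMB (TCP 445) sessions to many distinct peers within a short window, a pattern a wiper spreading across a network produces and a normal workstation rarely does. The script below is an added example written for this article, not code from Saipem, Chronicle, or any Shamoon analysis; the connection records it parses are constructed for the example and assume a simple “timestamp source destination port” format, which you would adapt to your own firewall or flow logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample connection records for this example (not from the article).
# Assumed record format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2018-12-10T08:00:01 10.0.1.5 10.0.2.10 445
2018-12-10T08:00:05 10.0.1.5 10.0.2.11 445
2018-12-10T08:00:09 10.0.1.5 10.0.2.12 445
2018-12-10T08:00:14 10.0.1.5 10.0.2.13 445
2018-12-10T08:00:20 10.0.1.5 10.0.2.14 445
2018-12-10T08:00:27 10.0.1.5 10.0.2.15 445
2018-12-10T08:01:00 10.0.1.7 10.0.2.10 445
2018-12-10T08:05:00 10.0.1.7 10.0.2.10 445
2018-12-10T08:09:00 10.0.1.7 10.0.2.10 445
2018-12-10T08:15:00 10.0.1.7 10.0.2.10 445
2018-12-10T08:02:00 10.0.1.9 10.0.2.20 445
2018-12-10T08:03:00 10.0.1.9 10.0.2.21 445
2018-12-10T08:04:00 10.0.1.9 10.0.2.22 445
2018-12-10T08:02:30 10.0.1.9 10.0.2.30 443
2018-12-10T08:02:31 10.0.1.9 10.0.2.31 443
this line is malformed and must be skipped
"""

SMB_PORT = 445


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        port = int(parts[3])
    except ValueError:
        return None
    return ts, parts[1], parts[2], port


def find_smb_fanout(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag sources that reach >= threshold distinct SMB peers inside one window.

    Returns a dict keyed by source IP with the peak distinct-peer count, the
    start of the window in which it was reached, and the peers themselves.
    Repeated connections to the same file server do not raise the count, so a
    workstation talking to its usual share is not flagged.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != SMB_PORT:
            continue
        ts, src, dst, _ = rec
        by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so events[i:] is everything at or after start
        best_count, best_start, best_peers = 0, None, set()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) > best_count:
                best_count, best_start, best_peers = len(peers), start, peers
        if best_count >= threshold:
            alerts[src] = {
                "distinct_hosts": best_count,
                "window_start": best_start.isoformat(),
                "hosts": sorted(best_peers),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['distinct_hosts']} SMB peers from {info['window_start']}")
```

With the constructed data, only 10.0.1.5 is flagged (six peers in under a minute); 10.0.1.7 talks to one server repeatedly and 10.0.1.9 stays under the threshold. Tune `threshold` and `window` against a baseline of your own environment, since file servers, backup agents and vulnerability scanners legitimately fan out over 445 and belong on an allow-list rather than in the alert.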
Shamoon has a prolonged history, initially appearing in 2012, then re-emerging in more sophisticated forms in subsequent years, targeting various sectors in Saudi Arabia. While the precise origins of Shamoon remain speculative, it is believed that Iranian hacking groups such as OilRig, Rocket Kitten, and Greenbug have been involved in past operations attributed to the malware, a claim strongly denied by Iran.
As cyber threats continue to evolve, organizations in the energy sector and beyond must stay vigilant against the resurgence of malware like Shamoon, ensuring their cybersecurity frameworks are robust enough to counteract potential attacks.