Saudi Arabia again hit with disk-wiping malware Shamoon 2

Saudi Arabia issued an alert on Monday after Shamoon 2 reportedly hit 15 government agencies and organizations

Michael Kan/IDGNS

The disk-wiping Shamoon malware, which was used in attacks that destroyed data on 35,000 computers at Saudi Aramco in 2012, is back; a new variant prompted Saudi Arabia to issue a warning on Monday.

An alert from the telecoms authority, seen by Reuters, warned all organizations to be on the lookout for the variant Shamoon 2. CrowdStrike VP Adam Meyers told Reuters, “The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks. It's likely they will continue.”

On Monday, Saudi state-run Al Ekhbariya TV reported that 15 government agencies and organizations had been hit with Shamoon 2 so far. Shamoon wipes data and overwrites the computer's master boot record (MBR), which prevents the PC from booting again.
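A responder who has a disk image from a suspect machine can check whether the first sector still looks like a boot record. The following is an added example, not code from the original article or from any vendor analysis of Shamoon: it parses the 512-byte MBR, verifies the 0x55AA boot signature and the partition-table sanity, and flags a sector that starts with JPEG magic (the article later notes that the November wiper overwrote files with an image). Both sample sectors are constructed inline; the function names and the specific heuristics are this example's own choices, not a description of how Disttrack writes the sector.

```python
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
JPEG_MAGIC = b"\xff\xd8\xff"          # start-of-image marker of a JPEG file


def parse_mbr(sector: bytes) -> Dict:
    """Parse a 512-byte sector as an MBR: boot signature plus four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sector_count(4), little-endian
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + PARTITION_ENTRY_SIZE]
        )
        partitions.append(
            {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}
        )
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE, "partitions": partitions}


def mbr_findings(sector: bytes) -> List[str]:
    """Return anomalies suggesting the MBR was overwritten; an empty list means it looks intact."""
    findings = []
    if sector.startswith(JPEG_MAGIC):
        findings.append("sector starts with JPEG magic: boot code replaced by image data")
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    for idx, p in enumerate(info["partitions"]):
        # The status byte is either 0x00 (inactive) or 0x80 (bootable); anything else is garbage.
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {idx}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {idx}: type set but zero length")
    return findings


def build_intact_mbr() -> bytes:
    """Constructed sample: a plausible MBR with one bootable NTFS partition (type 0x07)."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(446, b"\x00")  # stub boot code, zero-padded
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_SIZE)              # three empty entries
    return boot_code + table + BOOT_SIGNATURE


def build_wiped_mbr() -> bytes:
    """Constructed sample: the first 512 bytes of a JPEG-like blob written over the MBR."""
    return (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x41" * 600)[:MBR_SIZE]


if __name__ == "__main__":
    for label, sector in (("intact", build_intact_mbr()), ("wiped", build_wiped_mbr())):
        print(label, mbr_findings(sector) or ["no anomalies"])
```

To run this against a real image, read the first 512 bytes of the raw disk image (for example `open(path, "rb").read(512)`) and pass them to `mbr_findings`; an empty list is not proof of integrity, only the absence of these coarse anomalies, so compare the boot code against a known-good copy from the same build where one exists.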

One of the latest victims may be Sadara, a joint venture between Michigan-based Dow Chemical and Saudi Arabian Oil Co. (Saudi Aramco). Sadara reportedly had to shut down its computer network on Monday, and it remained down today. A company spokesman told the Associated Press that the downtime had not affected operations at the facility.

The company said something similar in a tweet:

[Embedded tweet: Sadara's Jan. 23 statement on the Shamoon 2 attack]

According to another Saudi TV report, the Saudi Technical and Vocational Training Corp. was also affected. Yet when confronted by AP, a spokesman denied that its network had been damaged.

Reuters added, “Other companies in Jubail, the hub of the Saudi petrochemicals industry, also experienced network disruptions, according to sources who were not authorized to publicly discuss the matter. Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.”

After the initial Shamoon attacks in 2012, a variant of the original malware was used in attacks against Saudi Arabia in November 2016. Symantec suggested, “Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.”

Shamoon was blamed for destroying computers at six or more Saudi organizations in November, including the Saudi aviation regulator. The malware overwrote files with an image of a 3-year-old Syrian refugee boy lying dead on a beach.

When discussing a second wave of Shamoon 2 attacks that occurred in November, Palo Alto Networks recently explained, “Much like the initial attacks, the lack of an operational C2 server suggests that the threat actor’s sole intention for carrying out this Shamoon 2 attack was to destroy data and systems. Without an operational C2, the actor would be unable to issue a command to set a custom ‘kill time’ when the Disttrack payload would begin wiping systems, which would force the payload to rely on its hardcoded ‘kill time.’”

It is too early to point fingers at possible nation-state attackers this time around, but back in 2012, Iran denied responsibility for the Shamoon attacks against Saudi Arabian interests even though some experts hinted that it was behind them. U.S. Defense Secretary Leon Panetta said in 2012, “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date.” Iran has not officially commented on the latest Shamoon 2 outbreak.

Hostilities reportedly persist between the two countries. In 2016, a series of fires at Iranian petrochemical plants raised suspicions that cyberattacks may have played a role. The head of the Iranian military cybersecurity unit at first dismissed reports that the numerous fires may have been the result of hacking. Later, however, he changed his tune, saying, “The viruses had contaminated petrochemical complexes. Irregular commands by a virus may cause danger.”

As for the latest attacks, Saudi Ministry of Labor spokesman Khaled Aba Al-Khail said the ministry's and the Human Resources Development Fund's computer systems had been affected by the newest Shamoon 2 attacks. The agencies are coordinating their response with the National Center for Cybersecurity at the Ministry of Interior.
