• United States



Contributing writer

Researchers link Middle East attacks to new victim in Europe

Mar 06, 20175 mins
Advanced Persistent ThreatsCybercrimeSecurity

Kaspersky Labs announced new research this morning that shows some links between the massive Shamoon attack that took down 35,000 computers in Saudia Arabia to a new attack against a target in Europe

Kaspersky Labs announced new research this morning that shows some links between the massive Shamoon attack that took down 35,000 computers in Saudi Arabia to a new attack against a target in Europe.

The Shamoon attack, which occurred in 2012, was followed by a series of related against against Gulf States earlier this year. The attacks were widely attributed to Iran.

The new malware, called StoneDrill, is, like Shamoon, a wiper — it destroys all the data on a computer.

And there are also other elements in common, said Juan Andres Guerrero-Saade, senior security researcher at Moscow-based Kaspersky Lab ZAO.

“It shares enough similarities that allows us to discover it by the same means we use to find Shamoon,” he said.

In addition, there are Persian-language indicators inside the malware.

However, that does not mean that Iran was actually behind the new attack, he said.

“We’d rather not go so far as to make a claim on attribution,” he said. “Either Shamoon and StoneDrill are the same group, that’s one possibility, or they’re totally unrelated, which is also a possibly, Or the third possibility is that they’re separate groups with aligned interests. The last one is the one we would espouse at this time.”

He pointed out that its easy for attackers to add clues to their malware that point researchers in a particular direction.

“These attributed artifacts are very easy to manipulate and are often manipulated by attackers,” he said.

He also declined to say which country or industry the new European victim was in, or provide any other information it, other than to say that no computers were hurt at the organization.

“It was protected by our product, so there was no damage,” he said. “We have yet to hear of a case which has done damage in the wild.”

StoneDrill is more advanced than Shamoon, he said, with better evasion abilities. In addition, the wiping mechanism takes advantage of a user’s preferred browser. 

“The idea is that in this way, the attackers can bypass some security measures by doing their wiping operations directly from a trusted process,” he said.

Wipers are a relatively rare malware type, Guerroro-Sade added.

Criminals prefer malware that, say, requires the victim to pay a ransom, or steals credit cards and other valuable information. And state-sponsored actors prefer malware that remains undetected, so that they can spy on their targets for as long as possible.

Meanwhile, the original Shamoon malware from 2012 has evolved, as well. for example, Shamoon 2.0 now supports a ransomware function so that the attackers can switch from wipers to ransomware at will.

Late last month, Saudi Arabian officials told a regional security conference that Iranian hackers were going after a broader array of targets in both Saudi Arabia and other Gulf countries, including financial organizations and government agencies.

Other researchers studying Shamoon confirmed that other countries in the Middle East have been hit, but that they haven’t seen any evidence yet of attacks in Europe.

“The attackers behind the Shamoon and Shamoon 2 malware variants are currently targeting Middle Eastern petrochemical companies and other networks within Kingdom of Saudi Arabia and Gulf Cooperation Council states,” said Steve Stone, global lead of intelligence services at IBM’s X-Force IRIS.

But going after other targets would be straight forward, he said.

“Little effort would be required to do this beyond establishing targets,” he said. Most likely target would be commercial organizations that work within the oil and gas industry, or that work closely with Saudi Arabia and other Gulf countries.

He recommends that companies keep an eye out for the dropper malware that installs Shamoon, which relies on macros.

“We’d recommend either disabling macros or filtering for macro enabled documents coming in from external sources,” he said.

If Iran does begin to launch cyberattacks against targets outside the Middle East, it would be a major game changer, said Neal Dennis, cyber threat intelligence analyst at Burlington, Mass.-based Arbor Networks, Inc.

“When they go against their local perceived adversaries, there wasn’t a lot of push back outside of just Saudi Arabia, because nobody cared,” he said. “You got some publicity, insights, researchers doings, but overall the international community didn’t get into too much of an uproar.”

If that changes, however, the European Union will have to take action, he said — and the U.S., might, as well.

According to Dennis, it’s pretty definite that Iran was behind the original Shamoon attacks.

“Most researchers are pretty positive that this is state-sponsored stuff in Iran,” he said. “And I am more than happy to jump on board.”

So far, however, he hasn’t seen any evidence that Iran has been looking at targets in Europe — and there isn’t much reason for it to do so.

“Trump has stated that he’d like to take a more hard-line stance against Iran, but that really isn’t big news,” he said. Europe has been quiet as well. “Iran has had it good for the last eight to nine months. To provoke that bear doesn’t seem that smart. It wouldn’t make much sense to me in the current political landscape.”

Add your comments to our Facebook page.