A new variant of malware based on a powerful computer virus named Shamoon — used to disrupt computers operated by Saudi Aramco and other energy companies in 2012 — has appeared in the wild, researchers say. Multiple private and pubic organizations in Saudi Arabia recently became the target of this mutated virus, according to Bloomberg News.
The malware is “erasing data and wreaking havoc” on important computer banks throughout the Middle Eastern country. This newly discovered hacking campaign is being described by security researchers as a “carefully planned operation” and likely the work of a well-resourced and technically gifted adversary.
“In the 2012 attacks, infected computers had their master boot records wiped and replaced with an image of a burning U.S. flag. The latest attacks instead used a photo of the body of Alan Kurdi, the three year-old Syrian refugee who drowned in the Mediterranean last year,” Symantec’s security response team wrote in a blog post, Wednesday.
“Although attacks involving destructive malware such as Shamoon are relatively rare, they can be highly disruptive for the targeted organization, potentially knocking mission-critical computers offline,” Symantec notes. “Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.”
Unnamed Saudi government officials reportedly told Bloomberg that initial digital forensic evidence suggests the two-week-long assault emanated from computers based in Iran. A full investigation by Saudi authorities is underway.
Research provided in threat intelligence reports from McAfee, Symantec, Palo Alto Networks and FireEye shows that Shamoon 2.0 quickly spread across a local Suadi computer network by copying itself onto other computers and then dropping additional payloads onto shared, infected systems.
The actual wiper malware uses a commercial software driver from EldoS named RawDisk, which gives the controller direct access to overwrite data on disk drives. The same popular driver was reportedly used in cyberattacks perpetrated by North Korean hackers against Sony Pictures in 2014.
In recent years, the deployment of complex, offensive cyber-weaponry — some of which is purchased and leveraged by intelligence, law enforcement and defense organizations — has become more apparent. A secret cyberattack designed to cripple the development of Iran’s nuclear program, for example, first began to leak into the public view in 2010 as researchers first discovered the “stuxnet” virus on some Iranian industrial control systems. A subsequent investigation by The New York Times’ David Sanger pinned the attack to a covert operation authored by the Obama administration.