Researchers are trying to make sense of an apparent resurgence of Shamoon, a destructive wiper known for high-profile attacks on the computer systems of oil and gas companies.
Saipem, an Italian oil services company, confirmed Wednesday that it was infected with a variant of the notorious wiper, resulting in an outage.
The attack shut down more than 300 of the company’s servers and 100 computers, Reuters reported, and Saipem says it is working to restore the affected operations from backups. Shamoon is best known for a 2012 attack on the Saudi state-owned oil company Saudi Aramco, which experts have described as one of the most destructive cyberattacks in history. Saudi Aramco is Saipem’s largest customer, according to Reuters.
Researchers have blamed Iranian hackers for the 2012 attack on Aramco.
“The attack led to the cancellation of data and infrastructures, typical effects of malware,” the company said in a statement. “The restoration activities, in a gradual and controlled manner, are under way through the back-up infrastructures and, when completed, will re-establish the full operation of the impacted sites.”
Researchers with cybersecurity company Palo Alto Networks said Thursday that they discovered a new variant of a component integral to past Shamoon attacks. The company said a version of the “Disttrack” malware appeared on the malware repository VirusTotal earlier this week and that it “shares a considerable amount of code with the Disttrack malware used in the Shamoon 2 attacks in 2016 and 2017.”
Palo Alto Networks noted that the upload of the Disttrack sample coincided with the Saipem attack, but said it could not independently determine that this Disttrack variant was the one used against Saipem.
The Shamoon campaign has resurfaced briefly in past years. The malware overwrites data on the victim’s hard drives, including the sectors needed to start the operating system, leaving the machines unable to boot. The 2012 attack against Saudi Aramco, one of the largest companies in the world, reportedly shut down more than three-quarters of that firm’s computers.
Earlier attacks overwrote company data with images, such as a burning American flag or a photograph of Alan Kurdi, a young Syrian refugee who died in 2015. Palo Alto Networks researchers said the sample they examined in connection with the Saipem attack is instead programmed to overwrite files with random data rather than images.
“While we can’t confirm this sample was used in the Saipem attack, it is likely at least related to it,” the researchers wrote.