The complex, destructive cyberattacks launched against Saudi Arabian businesses and government organizations in recent months are likely coming from at least two separate groups with aligned interests, according to a group of cybersecurity intelligence and research professionals.
Based on newly released forensic evidence unearthed by Kaspersky Lab’s Global Research and Analysis Team, data destroying malware known respectively as Shamoon 2.0 and StoneDrill has been located in computers stationed in Saudi Arabia. Beginning in Nov. 2016, researchers say there’s been three different “waves” of Shamoon 2.0 hitting computers in Saudi Arabia — executed twice in November and most recently on Jan. 23.
According to the Saudi National Cyber Security Center, Shamoon 2.0 has so far infected 11 organizations. Multiple reports attribute Shamoon 2.0 to Iranian government hackers, though Kaspersky Lab does not provide attribution.
“The Iranian attacks are probably a consequence of their incredibly strained relations,” said John Hultquist, iSight’s director of espionage analysis. “Tensions rose from a stampede which led to the death of several Iranians and the execution of a Shiite cleric. The Saudi diplomatic mission in Iran was also attacked. The two nations are indirectly engaged in conflict with each other in Syria and Yemen.”
Offensive cyber operations “allows the Iranians to open another front while keeping the conflict at arm’s length. Of course, the attacks could also be meant to signal others in a manner similar to the use of proxy terrorists,” Hultquist said.
StoneDrill, another disk wiping variant only recently discovered by Kaspersky, was first catalogued via a Saudi-specific, open-source antivirus scanning tool. Little is known about who is behind the malware, although the Russian security firm already found one case in which the computer virus had been used against a European target. There is no evidence, according to Kaspersky Lab, to suggest Shamoon was ever deployed against any European-based organization.
Kaspersky Lab’s researchers declined to provide further details regarding who this European target is, citing customer confidentiality agreements.
Though Shamoon 2.0 and StoneDrill share some similarities, researchers have found several key differences. In one case, the evidence points to a hacking group dubbed Charming Kitten, or NewsBeef, which was linked to Iranian intelligence services in 2014.
StoneDrill appears to improve upon certain features evident in Shamoon 1.0 — best known for its impact on oil company Saudi Aramco in 2012 and the more recent, Shamoon 2.0 variant — by adding evasion detection capabilities and injecting the wiper directly into the victim’s web browser.
“While we don’t provide attribution, the ability to recompile Shamoon malware into different variants, customize, disable and add new functionalities, are all capabilities of someone/some group who has access to the Shamoon malware source code,” Kaspersky Lab GReAT Senior Researcher Mohamad Amin Hasbini told CyberScoop.
Shamoon’s source code has not yet leaked online, Hasbini described, meaning that it is likely only available to a limited number of individuals.
Disk wiping malware is highly unusual, explained GReAT Senior Security Researcher Juan Andres Guerrero-Saade, because the destructive nature of it appears to go against the traditional motives of an espionage campaign in which prolonged, hidden access to a system is typically desired. These types of attacks tend to damage the victim from a both economic and operationally standpoint because of how the malware devastates a network, leaving some hardware unusable.
StoneDrill, unlike Shamoon 2.0 or its predecessor for that matter, relies on external scripts to execute an attack and also carries indicators that the author wrote in Persian rather than in a Arabic-Yemini dialect.
“StoneDrill has several ‘style’ similarities to Shamoon, with multiple interesting factors and techniques to allow for the better evasion of detection,” a Kaspersky Lab’s blog post published Monday reads, “NewsBeef and StoneDrill appear to be continuously focused on targeting Saudi interests, while Shamoon is a flashy, come-and-go high impact tool.”
Components of StoneDrill show similarities with NewsBeef’s toolset in its shared common Winmain code, backdoor commands and functionality, and string decryption routines. Additionally, each groups’ command and control centers are similarly named. In the past, Newsbeef was linked to expansive social engineering schemes — employing social media and malware-laden websites — to trick victims into clicking malicious links leading to downloadable computer viruses with spying capabilities.