Two separate versions of the Shamoon 2 malware have been identified. The first variant was configured to automatically wipe the connected drives of infected hosts on a specific date – November 17, 2016.
The second version was configured to wipe infected machines at 1:30 AM (Saudi Arabia time) on another date – November 29, 2016.
The payload delivered in the second wave was similar to the first one; however, several differences were identified.
As in the first Shamoon attacks, the virus spreads across the local network using legitimate domain account credentials.
It is possible that the criminals have harvested the information from previous attacks or other related breaches.
The Shamoon 2 malware has the ability to access credentials for virtualization products from Huawei and virtual desktop infrastructure solutions such as FusionCloud.
It is very likely that the hackers have targeted these services as they have been referenced in various official documentation releases issued by the company.
They are used to provide a layer of protection against malware such as Shamoon by loading snapshots of the wiped systems.
The FusionCloud systems run in a GNU/Linux environment, which makes it harder for the Windows-only Disttrack malware to penetrate. This is likely why the newer version of the malware was updated.
In Saudi Arabia, the government has wasted no time in issuing a warning alert to a number of organizations.
Adam Meyers, CrowdStrike VP, stated that the hackers were probably working on behalf of “Iranian government” previously as well as in the recent attacks. Meyers also said that it was quite possible that they “will continue.”
It is worth noting that Shamoon is a malware that wipes data from disks quite efficiently and takes total control of the computer’s boot record, after which the PC can no longer be started.
In 2012, the Shamoon virus was launched against Saudi Aramco, a national petroleum and natural gas company based in Dhahran, and it destroyed data on 35,000 computers.
Then, in November 2016, a variant of the Shamoon malware was used to attack more than six organizations in Saudi Arabia, including the Saudi aviation regulator, and all the computers were destroyed.
The files were overwritten with a picture of the dead body of a 3-year-old Syrian refugee boy, which was found lying on a beach.
According to a report from the Al Ekhbariya TV, this time around, 15 government agencies and organizations have been targeted with Shamoon 2.
Sadara, the joint venture of Saudi Arabian Oil and Michigan-based Dow Chemical, is among the victims of Shamoon 2.
Sadara reportedly took down its entire computer network on Monday, and its service is still down. However, this has not affected Sadara’s operations at all, said a spokesperson.
Saudi TV reported that the Saudi Technical and Vocational Training Corporation was also targeted, but the company’s spokesperson denied this claim.
Reuters stated that a majority of the affected companies are located in Jubail, the Saudi petrochemical industry hub.
The companies have experienced “network disruptions” and are trying to shut down their systems to protect their data from the Shamoon 2 virus.
However, Reuters did not specifically name any of the firms.
While discussing the Shamoon malware, the cyber security company Symantec said: “Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.”
It is currently too early to pinpoint the possible perpetrators of the attack, but the possibility that nation-state attackers are involved cannot be ruled out.
In 2012, Iranian hackers were blamed for the Shamoon attacks. However, the Saudi government has not named or accused anyone as of now. Considering the hostile relationship between Saudi Arabia and Iran, we can speculate that Iran might be involved this time too.
Khaled Aba Al-Khail, the Saudi Ministry of Labor spokesperson, stated that the Ministry of Labor and Human Resources Development Fund’s computers have also been affected by Shamoon 2.
The security agencies are currently coordinating with the Ministry of Interior’s National Center for Cybersecurity to analyze the situation.
According to the researchers, the virus focuses mainly on sabotage, deleting everything it can access.
It is not known who is responsible for the first or the second version of the threat.
However, as it bears a sophisticated module configuration, some experts suggest that it may be state-sponsored.