Shamoon

Shamoon (Persian: شمعون), also known as W32.DistTrack, is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows. The virus was notable for the destructive nature of the attack and the cost of recovery. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus compiles a list of files from specific locations on the system, uploads them to the attacker, and erases them. Finally the virus overwrites the master boot record of the infected computer, making it unusable. The virus was used for cyberwarfare against national oil companies including Saudi Arabia's Saudi Aramco and Qatar's RasGas. A group named "Cutting Sword of Justice" claimed responsibility for an attack on 30,000 Saudi Aramco workstations, causing the company to spend more than a week restoring its services. The group later indicated that the Shamoon virus had been used in the attack. Computer systems at RasGas were also knocked offline by an unidentified computer virus, with some security experts attributing the damage to Shamoon. It was later described as the "biggest hack in history".

Symantec, Kaspersky Lab, and Seculert announced discovery of the malware on 16 August 2012. Kaspersky Lab and Seculert found similarities between Shamoon and the Flame malware. Shamoon made a surprise comeback in November 2016, January 2017, and December 2018.


Design

Shamoon was designed to erase and overwrite hard drive data with a corrupted image and to report the addresses of infected computers back to a computer inside the company's network. The malware contained a logic bomb which triggered the master boot record and data-wiping payload at 11:08 am local time on Wednesday, August 15. The attack occurred during the month of Ramadan in 2012. It appears to have been timed to occur after most staff had gone on holiday, reducing the chance of discovery before maximum damage could be caused and hampering recovery.

The virus consisted of three components: the Dropper, the Wiper and the Reporter. The Dropper, the source of the infection, creates a service with the name 'NtsSrv' that enables it to remain persistent on the infected computer. The Dropper was built in 32-bit and 64-bit versions; if the 32-bit dropper detects a 64-bit architecture, it drops the 64-bit version. This component drops the Wiper and the Reporter onto the infected computer and executes itself. It spreads across a local network by copying itself to network shares and on to other computers. The Wiper component uses an Eldos-produced driver known as RawDisk to achieve direct user-mode access to a hard drive without using Windows APIs. It identifies the locations of all files on the infected computers and erases them. It sends information about the destroyed files to the attacker and then overwrites the erased files with corrupted data so they cannot be recovered. The corrupted data was taken from portions of an image: in the 2012 attack it used an image of a burning U.S. flag; in the 2016 attack it used a photo of the body of Alan Kurdi.
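The two host-level indicators the Design section gives, the 'NtsSrv' persistence service and the Eldos RawDisk driver used for raw disk writes, can be turned into a simple check over Windows service-install events. The following is an added example written for this page, not code from the article or from any vendor; the log format, host names and file paths are constructed, and the driver file name is an assumption.

```python
"""Added example: flag Windows service-install events (System log event ID 7045)
that match the Shamoon indicators described on this page: a persistence service
named 'NtsSrv' and a kernel driver referencing Eldos RawDisk. Log lines are constructed."""

# Indicators from the page. The driver file name below is an assumption for this example.
SERVICE_NAME_IOC = "ntssrv"
DRIVER_KEYWORDS = ("rawdisk", "eldos")

# Constructed sample log, one event per line:
# <event_id>|<host>|<service name>|<image path>|<service type>
SAMPLE_LOG = """\
7045|WS-0142|Spooler|C:\\Windows\\System32\\spoolsv.exe|user mode service
7045|WS-0142|NtsSrv|C:\\Windows\\System32\\example_dropper.exe|user mode service
7045|WS-0207|example_rawdisk|C:\\Windows\\System32\\Drivers\\rawdisk_example.sys|kernel mode driver
7036|WS-0207|NtsSrv|entered the running state|
7045|WS-0311|WinDefend|C:\\Program Files\\Windows Defender\\MsMpEng.exe|user mode service
"""

def parse_line(line):
    """Split one pipe-delimited event line into a dict, or return None if malformed."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 5 or not fields[0].isdigit():
        return None
    event_id, host, name, path, svc_type = fields
    return {"event_id": int(event_id), "host": host, "name": name,
            "path": path, "type": svc_type}

def classify(event):
    """Return the reasons a service-install event is suspicious (empty list if none)."""
    reasons = []
    if event["event_id"] != 7045:          # only new-service installs are of interest
        return reasons
    if event["name"].lower() == SERVICE_NAME_IOC:
        reasons.append("service name matches Shamoon persistence service 'NtsSrv'")
    haystack = (event["name"] + " " + event["path"]).lower()
    if "kernel mode driver" in event["type"].lower() and any(k in haystack for k in DRIVER_KEYWORDS):
        reasons.append("kernel driver references Eldos RawDisk (raw disk access bypassing Windows APIs)")
    return reasons

def scan_service_events(log_text):
    """Return (host, service name, reasons) for every flagged event in the log."""
    findings = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        reasons = classify(event)
        if reasons:
            findings.append((event["host"], event["name"], reasons))
    return findings

for host, name, reasons in scan_service_events(SAMPLE_LOG):
    print(f"{host}: {name} -> {'; '.join(reasons)}")
```

Running it over the constructed log flags the 'NtsSrv' install on WS-0142 and the RawDisk-named kernel driver on WS-0207, while the ordinary Spooler and Defender installs and the non-install 7036 event pass.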


Before the attack

The malware was unique, being used to target the Saudi government by causing destruction to the state-owned national oil company Saudi Aramco. The attackers posted a pastie on Pastebin hours before the wiper logic bomb triggered, citing oppression and the Al-Saud regime as the reason behind the attack. According to Chris Kubecka, a security advisor to Saudi Aramco after the attack and group leader of security for Aramco Overseas, the attack was well-staged. It was initiated by a phishing email that an unnamed Saudi Aramco Information Technology employee opened, giving the group entry into the company's network around mid-2012. Kubecka described in a Black Hat USA talk that Saudi Aramco placed the majority of its security budget on the ICS control network, leaving the business network at risk of a major incident.


During the attack

On 15 August at 11:08 am local time, over 30,000 Windows-based systems began to be overwritten. Symantec found that some of the affected systems showed an image of an American flag while their data was being deleted and overwritten. Saudi Aramco announced the attack on its Facebook page and went offline again until a company statement was issued on 25 August 2012. The statement falsely reported that normal business had resumed on 25 August 2012. However, a Middle Eastern journalist leaked photographs taken on 1 September 2012 showing kilometers of petrol trucks unable to be loaded because hacked business systems were still inoperable. The statement read:

"Saudi Aramco has restored all its main internal network services that were impacted on August 15, 2012, by a malicious virus that originated from external sources and affected about 30,000 workstations. The workstations have since been cleaned and restored to service. As a precaution, remote Internet access to online resources was restricted. Saudi Aramco employees returned to work August 25, 2012, following the Eid holidays, resuming normal business. The company confirmed that its primary enterprise systems of hydrocarbon exploration and production were unaffected as they operate on isolated network systems. Production plants were also fully operational as these control systems are also isolated."

On August 29, 2012 the same attackers behind Shamoon posted another pastie on PasteBin.com, taunting Saudi Aramco with proof that they still retained access to the company network. The post contained the username and password for security and network equipment and the new password for Aramco CEO Khalid Al-Falih. The attackers also referenced a portion of the Shamoon malware as further proof in the pastie:

According to Kubecka, in order to restore operations, Saudi Aramco used its large private fleet of aircraft and available funds to purchase much of the world's supply of hard drives, driving the price up. New hard drives were required as quickly as possible so that oil prices were not affected by speculation. By September 1, 2012, 17 days after the August 15 attack, gasoline resources were dwindling for the public of Saudi Arabia. RasGas was also affected by a different variant, crippling it in a similar manner. It is unclear why the attacker would have an interest in actually destroying the infected PCs.

Kaspersky Lab hinted that the 900 KB malware could be related to Wiper, which was used in a cyber attack on Iran in April. After a two-day analysis, the company erroneously concluded that the malware was more likely to have come from "script kiddies" who were inspired by Wiper. Later, in a blog post, Eugene Kaspersky clarified the use of Shamoon, categorizing it as cyberwarfare.


See also

* Iran–Saudi Arabia relations

