Arab Times

Shamoon virus in new Saudi attack

Raids take down cyber-crime network


RIYADH, Dec 1, (Agencies): A version of Shamoon, the destructive computer virus that four years ago crippled tens of thousands of computers at Middle Eastern energy companies, was used two weeks ago to attack computers in Saudi Arabia, according to US security firms.

CrowdStrike, Palo Alto Networks Inc and Symantec Corp warned of the new attacks on Wednesday. They did not name any victims of the new version of Shamoon, which cripples computers by wiping the master boot records they use to start up. They also did not say how much damage had been caused or identify the hackers.

Saudi Arabia confirmed on Thursday that hackers had launched a virus attack on computers in government bodies and installations including the kingdom’s transport sector in mid-November, heightening concern about security in the world’s largest oil exporter.

The attack originated outside the country and was one of “several ongoing cyberattacks targeting government authorities”, the National Cyber Security Center, an arm of the Ministry of Interior, told state news agency SPA.

The statement did not give further details of the identity of the attacker or the damage that had been done, beyond saying the virus aimed to disrupt servers and plant malicious software in computer systems.

The reappearance of Shamoon is significant as there have only been a handful of other high-profile attacks involving disk-wiping malware, including ones in 2014 on Sheldon Adelson’s Las Vegas Sands Corp and Sony Corp’s Hollywood studio. Governments and businesses pay close attention to such cases because it can be time-consuming and extremely expensive to restore infected systems.

The original Shamoon hackers left images of a burning US flag on machines at Saudi Aramco and Rasgas Co Ltd in 2012. Researchers said the Shamoon 2 hackers also left a calling card: a disturbing image of the body of three-year-old Syrian refugee Alan Kurdi, who drowned in the Mediterranean last year.

The 2012 Shamoon attacks against Saudi Aramco — the world’s biggest oil company — were likely conducted by hackers working on behalf of the Iranian government, said CrowdStrike Chief Technology Officer Dmitri Alperovitch. It is too early to say whether the same group was behind Shamoon 2, he said.

Tehran has been investing heavily in its cyber capabilities since 2010, when its nuclear programme was hit by the Stuxnet computer virus, widely believed to have been launched by the United States and Israel.

The motive of the recent attacks was also not immediately clear.

“Why Shamoon has suddenly returned again after four years is unknown,” the Symantec Security Response team said on its blog. “However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice.”

The malware triggered the disk-wiping to begin at 8:45 pm on Nov 17, according to the security firms.

The Saudi business week ends on Thursday, so it appears to have been timed to begin after staff left for the weekend to reduce the chance of discovery and allow maximum damage.

“The malware had potentially the entire weekend to spread,” Palo Alto researcher Robert Falcone said in a blog post.

Saudi Arabia’s economy is heavily dependent on oil, which provides most of the government’s income.

In other news, in one of the biggest takedowns to date, police across the globe have smashed a massive criminal network providing online services including malware attacks that infected half a million computers worldwide, Europol said Thursday.

Known as “Avalanche”, the criminal network “was used as a delivery platform to launch and manage mass global malware attacks and money mule recruiting campaigns,” Europe’s policing agency said in a statement.

The network would be contacted by other criminal groups to send emails to specific victims containing malware to steal bank details and passwords as well as to conduct so-called distributed denial of service (DDoS) spam attacks.
