New Straits Times

New Shamoon virus attack on Middle East computers

- MILPITAS (CALIFORNIA)

MULTIPLE INCIDENTS: Malware triggers disk-wiping on thousands of machines

A VERSION of Shamoon, the destructive computer virus that crippled tens of thousands of computers at Middle Eastern energy companies four years ago, was used to attack computers in Saudi Arabia and elsewhere in the region last month, according to United States security firms.

CrowdStrike, Palo Alto Networks Inc and Symantec Corp warned of the new attacks on Wednesday. They did not name any victims of the new version of Shamoon, which cripples computers by wiping the master boot records that they use to start up. They also did not say how much damage had been caused or identify the hackers.

FireEye said in a blog post its Mandiant unit “has responded to multiple incidents at other organisations in the region”.

The reappearance of Shamoon is significant as there have only been a handful of other high-profile attacks involving disk-wiping malware, including ones in 2014 on Sheldon Adelson’s Las Vegas Sands Corp and Sony Corp’s Hollywood studio.

Governments and businesses pay close attention to such cases because it can be time-consuming and extremely expensive to restore infected systems.

The original Shamoon hackers left images of a burning US flag on machines at Saudi Aramco and RasGas Co Ltd in 2012. Researchers said the Shamoon 2 hackers also left a calling card — a disturbing image of the body of 3-year-old Syrian refugee Alan Kurdi, who drowned in the Mediterranean last year.

The FireEye spokesman said the malware contained embedded credentials, which suggested the attackers might have previously conducted intrusions to gather the necessary logins and passwords before later embedding them into the malware for the destructive attack.

The 2012 Shamoon attacks were likely conducted by hackers working on behalf of the Iranian government, said CrowdStrike chief technology officer Dmitri Alperovitch. It was too early to say whether the same group was behind Shamoon 2, he said.

The motive of the recent attacks was also not immediately clear.

The malware triggered the disk-wiping to begin at 8.45pm local time on November 17, according to the security firms.

The Saudi business week ends on Thursday, so it appears to have been timed to begin after staff left for the weekend to reduce the chance of discovery and allow maximum damage.

Bloomberg pic: The original Shamoon hackers attacked machines at Saudi Aramco and RasGas Co Ltd in 2012.
