Analysis of the 2016-2017 Shamoon malware attacks against Saudi organizations suggests that multiple hacker groups may be collaborating on this effort on behalf of a nation-state actor, according to a new blog post and technical analysis published this week by McAfee.
"We found that the latest Shamoon campaigns... are connected to other notable campaigns, and the increase in sophistication suggests investment, collaboration and coordination beyond that of a single hacker group," McAfee explains in blog post co-authored by Raj Samani, chief scientist, and Christiaan Beek, lead scientist and principal engineer. Rather, the campaign appears more in line with "the comprehensive operation of a nation-state," the report continues.
Throughout this "Shamoon 2" campaign, attackers have used weaponized documents with embedded malicious macros to compromise network systems, before eventually employing the destructive Shamoon disk-wiping malware, also known as Disttrack. While the actors behind Shamoon originally focused on Saudi oil facilities when the malware debuted in 2002, McAfee and other researcher groups have noted that they are now targeting additional industries, including financial services and the public sector.
Although 90 percent of Shamoon 2's programming is simply reused code from those 2002 attacks, McAfee researchers recently detected code, domains and whois registrants from other attack campaigns. For instance, code found in macros used in Shamoon's latest spear phishing campaign was also used by the Rocket Kitten hacking group, while Shamoon's infrastructure has been linked to the OilRig campaign that has targeted Saudi financial organizations for compromise.
The Rocket Kitten group and OilRig actors are both commonly linked to Iran, which seems to further confirm suspicions that Iran is also involved in the Shamoon attacks. And while McAfee does not specifically name the multiple actors who many be collaborating on the latest Shamoon campaign, the report opens up the possibility that these two hacking groups are involved.
"In Iran in particular, hacking is not necessarily illegal if it's being done for the government or at the government's request," said Dave Marcus, technical director and principal engineer of the advanced programs group at McAfee, in an interview with SC Media. "They have university classes where they teach offensive malware coding and offensive techniques so you'll find that there's a lot of highly trained individuals here who do a lot of work together at varying levels of skill."
Also, in January 2017, Symantec issued a report that cited a tenuous link between Shamoon and a cyberspy organization known as Greenbug, which primarily targets the Middle East.
The theory that multiple actors are working together on Shamoon is supported by the varying levels of sophistication observed in various aspects of the campaign. For instance, while the malware shows signs of technical expertise, McAfee reported observing poor operational security procedures that suggest "some parts of the attacks were executed by less experienced operators."
McAfee researchers do not believe that indicators pointing to the involvement of various groups were intentionally planted as false flags to throw off investigators.
Also in the blog post, McAfee described how Shamoon's targeting has grown more sophisticated over the years. In 2012, the attackers generally used penetration-testing software to randomly scan outward-facing servers for vulnerabilities, but now the actors engage in advanced spear phishing campaigns against carefully selected targets, using spoofed domains and convincing phony documents that trick recipients into opening malicious documents.
