The malware used to disrupt the global operations of Italian energy contractor Saipem S.p.A. earlier this week was none other than Shamoon, a disk wiper that’s been used in two prior attacks against Saudi interests.
Saipem identified Shamoon as the culprit in a Dec. 12 news release that updated its previously vague disclosure of the incident. Around the same time, Alphabet Inc.’s cybersecurity subsidiary Chronicle issued a research brief confirming the detection of Shamoon samples that were uploaded to its VirusTotal file analyzing service.
These samples could very well be related to the Dec. 10 attack on Saipem, considering that two of them were uploaded to VirusTotal on the very same day from an IP address in Italy, where Saipem is headquartered. These two samples, plus an additional related module, were also uploaded on Dec. 11 from India, where Saipem has operations that were affected by the attack, Chronicle informed SC Media.
The infection “hit servers based in the Middle East, India, Aberdeen [Scotland] and, in a limited way, Italy through a variant of Shamoon malware,” according to Saipem’s latest release. “The attack led to the cancellation of data and infrastructures, typical effects of malware.”
However, the company is not expected to suffer long-term damage because it invested in comprehensive system back-ups. “The restoration activities, in a gradual and controlled manner, are underway through the back-up infrastructures and, when completed, will reestablish the full operation of the impacted sites,” the release continues. “Saipem continues liaising with the competent authorities for any appropriate action.”
It appears Saipem may not have been the only target, either. Citing two sources, Forbes today reported that Shamoon was also detected this week at a heavy engineering company based in the United Arab Emirates, adding that the Dubai Electronic Security Center (DESC) put out a warning about the attacks earlier this week.
Although the attacks have not been attributed to any specific actor, security professionals long ago established links between the previous Shamoon attacks and the reputed Iranian APT threat groups OilRig and Rocket Kitten, as well as a cyber espionage group called Greenbug.
Also known as Disttrack, Shamoon cripples victims by overwriting key computer files, including the master boot record (MBR), while also propagating across infected networks. The malware first surfaced in 2012 when it was used to launch a highly damaging attack that destroyed roughly 35,000 computer workstations at Saudi energy giant Saudi Aramco.
After a long hiatus, an evolved version of Shamoon was used in attacks against various Saudi organizations in 2016 and 2017. This time, the perpetrators expanded their reach beyond energy, targeting multiple industries, including the public and financial services sectors.
This latest incident also has Saudi connections, as Saipem operations in Saudi Arabia were among those notably impacted.
In its brief, Chronicle reports that the programmed trigger date was set to Dec. 7, 2017 – approximately one year before it was uploaded to VirusTotal. “Because of this, it is not known if this sample was used last year or if the actors used an intentional historic trigger date to immediately start destructive operations,” the company explains.
An analysis of the latest Shamoon sample showed that it “closely matches historic versions of the malware,” with several key distinctions, Chronicle’s report continues.
For instance, previous iterations of Shamoon were programmed with a hard-coded list of stolen credentials that were used to laterally spread throughout a targeted organization. But the new version lacks this element, “which leads us to believe that the attack vector and the method of infecting more systems is yet to be discovered,” said Mounir Hahad, head of Juniper Threat Labs, in email comments sent to SC Media.
The lack of credentials also makes the malware “more difficult to study,” Hahad added, “as no indication of the intended victim is present in the malware itself.”
Trend Micro, meanwhile, has its own theory about the malware: “We… infer that this version of Shamoon is poorly configured,” the company states in a security news bulletin, suggesting that its authors may still be testing out the malware. “…It has code to check the user credentials to be used for network propagation, but the list of information is not available. It also has code for C&C communication but there’s no C&C-related information. Another missing component is the image it uses. It has code to check for the image to be used when overwriting the MBR, but the resource labeled as ‘GRANT’ where the image should be located is missing. It also has partition checks but is configured to not execute.”
Further analysis revealed that Shamoon’s newest version also distinguishes itself from its predecessors in the way it overwrites the MBR using random data, as well as by using a different list of potential filenames that it can assign to dropped executables.
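One consequence of the random-data MBR overwrite described above is that a wiped first sector loses its 0x55AA boot signature and looks statistically like noise, which gives responders a quick triage check. The script below is an added illustration, not code from Chronicle, Trend Micro or the article: it hashes a 512-byte first sector against a pre-incident baseline, checks the boot signature and measures byte entropy; the sample MBR and the 7.0 entropy threshold are constructed assumptions.

```python
import hashlib
import math
import os

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of an intact MBR


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means every byte value is equally frequent (random-looking)."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0


def assess_mbr(sector: bytes, baseline_sha256=None) -> dict:
    """Triage one 512-byte first sector: hash it against a pre-incident baseline,
    check the boot signature and measure entropy. A random overwrite destroys the
    signature and pushes entropy toward 8.0; a normal MBR is mostly zero padding."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    digest = hashlib.sha256(sector).hexdigest()
    entropy = shannon_entropy(sector)
    signature_ok = sector[-2:] == BOOT_SIGNATURE
    matches_baseline = None if baseline_sha256 is None else digest == baseline_sha256
    if not signature_ok or entropy > 7.0:   # 7.0 is an assumed triage threshold
        verdict = "wiped-suspect"           # consistent with random-data overwrite
    elif matches_baseline is False:
        verdict = "modified"                # signature intact but content changed
    else:
        verdict = "intact"
    return {"sha256": digest, "entropy": round(entropy, 2),
            "signature_ok": signature_ok, "matches_baseline": matches_baseline,
            "verdict": verdict}


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR (not captured from any real host): a few boot-code
    bytes, one partition entry, zero padding and the 0x55AA signature."""
    boot_code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * (446 - 7)
    partition = b"\x80\x00\x02\x00\x83\xfe\xff\xff\x00\x08\x00\x00\x00\xf8\x7f\x00"
    return boot_code + partition + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = hashlib.sha256(healthy).hexdigest()
    print("healthy:", assess_mbr(healthy, baseline))
    print("wiped  :", assess_mbr(os.urandom(SECTOR_SIZE), baseline))
```

On a live system the sector would be read from the raw disk device or a forensic image, and the baseline hash is only useful if it was recorded before the incident, which is exactly the kind of backup discipline the article credits with limiting Saipem's damage.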