Shamoon, a disk-wiping malware used against the Saudi energy sector in 2012, resurfaced in the same country during a recent string of attacks, which could have emanated from Iran, and might represent the first cybersecurity challenge for the incoming Trump administration.
The attacks targeted the computers of the agency running the country's airports as well as five additional targets and Symantec researchers said the latest variant remains largely unchanged from the previous version which was designed to clear the master boot records and replace them of an image with a burning U.S. flag, according to a Nov. 30 blog post.
The latest version instead displays a photo of the body of Alan Kurdi, the three year-old Syrian refugee who drowned last year in the Mediterranean.
Although the source and motive for the attacks have yet to be confirmed, some reports contend the attack appears to have come from Iran, which was responsible for the 2012 attacks, according to Bloomberg. Sources told the publication that the attack appeared to catch officials off guard as it destroyed several government agency computers and brought office administration systems to a halt for several days.
Symantec Security Response Technical Director Eric Chien told SC Media while his firm doesn't have evidence that the attack can be attributed to Iran, there is evidence that could point to the contrary.
“In the first Shamoon attack, there is a directory path string within the binary that refers to ‘Arabian Gulf', which is not a term that would be typically used in Iran,” Chien said. “Further, in the recent Shamoon attack, the picture of Aylan Kurdi is placed on wiped machines and Kurdi is of Kurdish descent.”
He went on to say generally, the state of Iran is not preferential to the Kurdish however, none of the indicators mean the attacks aren't sponsored by Iran either.
The attacks could have greater political implications as researchers said the attackers appear to have carried out a lot of reconnaissance and data gathering before deploying their destructive payload and that the resources required to carry out a multi-staged attack of this nature would typically only be available to a nation state. In 2010, Iran was targeted in the Stuxnet virus attack that set back Iran's uranium enrichment program and is widely believed to have been launched by the U.S. and Israel.
One of the biggest problems with attacks like is that we are dealing with geopolitical uncertainty on a global scale, KoolSpan Executive Chairman Elad Yoran told SC Media.
“One of the things that have yet to be effectively implemented is a sort of radical cyber deterrence policy,” Yoran said. “What that means on a national level, for the United States government [is] what thresholds trigger what kind of response against whom, and does cyber attack beget cyber attack response.”
He said that although there's has been a lot of work done in that area there is still a lot of work that needs to be done.