Hackers penetrated six Saudi Arabian government agencies including its General Authority of Civil Aviation, and bricked thousands of computers with the well-known Shamoon disk-wiper malware. Saudi's Central Bank denies it was hit despite earlier reports that it was one of the victims.
Bloomberg reports that an investigation into the breach, which is still in its early stages, is currently underway, citing two anonymous sources briefed on the investigation and pointed at Iran as the likely culprit. This attack is very similar to the 2012 incident that destroyed 35,000 machines at the Saudi state oil company Saudi Aramco. The malware was installed using passwords that appear to have been accessed through spear-phishing emails.
"The attackers appear to have done a significant amount of preparatory work for the operation," the Symantec Security Response team wrote on its blog. "The malware was configured with passwords that appear to have been stolen from the targeted organizations and were likely used to allow the threat to spread across a targeted organization's network."
Multiple security firms noted that the malware triggered the disk-wiping to commence at 8:45PM local time on Thursday (17 November), which is the end of the Saudi business week, in order to avoid discovery and inflict maximum damage. "Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice," the blog read.
Crowdstrike Co-founder and CTO Dmitri Alperovitch speculated that the current geopolitical situation may have sparked the recent Shamoon attacks. He said in a blog: "While the precise motives in this most recent November incident are currently unclear, the attacks coincide with multiple geopolitical events impacting the Gulf countries, as well as recent industry developments within Saudi Arabia itself." It's well known that Saudi Arabia and Iran are not the best of friends.
Alperovitch continued: "This new variant of Shamoon kept many of its original tactics, down to the commercial raw disk ElDos driver that was used for disk wiping (including the original trial license key for this driver) that had been used in the original attacks. That ElDos trial key was only valid for 30 days and expired by September 2012. In order to continue to use the key, the wiper now has to reset the Windows system clock back to August 2012 to manipulate the license validation process."
How it happened
According to Symantec, the new variant of Shamoon shares several similarities with the original strain. Like its predecessor, Shamoon 2.0 also uses stolen administrative credentials to gain entry and attempts to spread across other devices in the network. According to Palo Alto security researchers, this technique "suggests that the threat actors had previous access to the network or carried out successful phishing attacks prior to the attack".
What to do about It
It looks clear that higher-quality intrusion detection software should have been used, and that employees should have been stepped through awareness training to identify phishing red flags. There are other steps that can and should be taken as well, but these two are obvious and have fast ROI.
Bad guys generally get into their targets with spear-phishing attacks to get credentials so they can penetrate the target network. New-school security awareness training is an effective way to block those attacks.
Find out how affordable this is for your organization and be pleasantly surprised.