A new version of Shamoon, the malware that infamously damaged Saudi Aramco, Saudi Arabia’s largest oil producer, in 2012, has been used in new attacks in the Middle East.
The new Shamoon attack was reported Thursday to have been detected on the network of Italian oil and gas contractor Saipem, where it destroyed files on about 10 percent of the company’s personal computers, primarily in the Middle East but also in Italy and Scotland.
A second attack at around the same time was later reported to have targeted a heavy-engineering company in the U.A.E.
Shamoon is different from regular malware attacks in that it does not attempt to steal information or ask for a ransom payment. Instead, it simply deletes data, causing chaos on every network it manages to infiltrate.
Mounir Hahad, head of Juniper Threat Labs, told SiliconANGLE that the new version of Shamoon “packs the same punch as previous attacks,” but was made more difficult to study because this time no sign of the intended victim is present in the malware.
“This variation is now also going to render any system it infects unusable by overwriting a key hard drive section, which is called the Master Boot Record, with random data,” Hahad explained. “Just like the previous variant, this one does not attempt to spread among a large set of people, which leads us to believe that the attack vector and the method of infecting more systems are yet to be discovered.”
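As an added, defender-side example that is not drawn from the article or from Juniper Threat Labs, the script below triages the first sector of a disk image and reports whether it still looks like a valid Master Boot Record or has been overwritten with random data, the damage Hahad describes. The MBR layout checks (0x55AA boot signature, partition status bytes, 16-byte entry structure) are standard; the entropy threshold, the `assess_mbr`/`assess_image` function names and the two constructed sample sectors are assumptions made for this example.

```python
import hashlib
import math
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
ENTROPY_THRESHOLD = 6.5  # assumed cut-off: real MBRs sit well below this, random data near 8


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four 16-byte partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA start(4) sector count(4)
        status, p_type, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"status": status, "type": p_type,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def assess_mbr(mbr: bytes) -> dict:
    """Return entropy, a list of findings, and a 'suspect' verdict for one 512-byte sector."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    entries = parse_partition_table(mbr)
    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):  # only 'inactive' and 'bootable' are legal
            findings.append(f"partition {i}: invalid status byte 0x{e['status']:02x}")
    if not any(e["type"] != 0 for e in entries):
        findings.append("no partition entries defined")
    ent = shannon_entropy(mbr)
    if ent > ENTROPY_THRESHOLD:
        findings.append(f"high entropy ({ent:.2f} bits/byte), consistent with random overwrite")
    return {"entropy": round(ent, 2), "findings": findings, "suspect": bool(findings)}


def assess_image(path: str) -> dict:
    """Triage a raw disk image (or a block device you have read access to)."""
    with open(path, "rb") as f:
        return assess_mbr(f.read(SECTOR_SIZE))


def build_sample_mbr() -> bytes:
    """Constructed, well-formed MBR: one active NTFS-type partition starting at LBA 2048."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x63\x90"  # jump over the (empty) boot-code area, as real boot sectors do
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                               b"\xFE\xFF\xFF", 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def build_overwritten_sample() -> bytes:
    """Constructed, deterministic pseudo-random sector standing in for a wiped MBR."""
    return b"".join(hashlib.sha256(b"wiped-sector-sample" + bytes([i])).digest()
                    for i in range(SECTOR_SIZE // 32))


if __name__ == "__main__":
    for label, sector in (("intact", build_sample_mbr()),
                          ("overwritten", build_overwritten_sample())):
        result = assess_mbr(sector)
        print(f"{label}: suspect={result['suspect']} entropy={result['entropy']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against a forensic image with `assess_image("disk.raw")`; a sector that fails the signature and status checks and also shows near-8-bit entropy is a strong sign the boot record was overwritten rather than merely corrupted, which is the state a wiper leaves behind.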
Thomas Richards, associate principal consultant at Synopsys Inc., noted that the initial entry point is telling.
“With the recent releases of breaches involving passwords, it is a possibility that an employee used the same password in multiple locations which led to the attacker’s ability to compromise Saipem,” Richards said. “The Shamoon attack could also be predicated by a phishing campaign or other credential compromising event. This attack is most likely perpetrated by an advanced threat actor who was specifically targeting Saipem.”
Richards advised employers to state in their password policies that employees shouldn’t reuse corporate passwords on other systems. “Additionally, if an employee receives a suspicious email they should report it to their IT security group immediately,” he added.