‘Disruptive’ virus that hit energy companies resurfaces

By Blake Sobczak | 12/13/2018 07:11 AM EST

Malware that effectively destroyed thousands of computers at state-owned Saudi Arabian Oil Co. has resurfaced. The giant Ras Tanura refinery complex in Saudi Arabia is pictured. Saudi Aramco

A crippling computer virus that wiped out tens of thousands of computers at Saudi Aramco six years ago has resurfaced, security researchers say.

The Shamoon worm has a sordid history of hitting oil and gas companies in Saudi Arabia and Qatar, among other Middle Eastern targets.

Experts say the malicious tool is built to wreak havoc: Shamoon scrubs the master boot record off infected Windows computers, so they can’t even start back up. Previous versions of the malware have replaced the displays on victim machines with images of a burning American flag or of a lifeless Alan Kurdi, a 3-year-old Syrian boy who drowned trying to reach Europe in 2015.
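Because the article's central technical point is that Shamoon overwrites the master boot record so a machine can no longer boot, the following is an added defender-side illustration (it is not code from the article, Symantec, Palo Alto Networks or Chronicle): snapshot the first 512-byte sector of each boot disk while the host is known-good, then re-read and compare it on a schedule. A wiped sector changes the recorded hash and typically loses the 0x55AA boot signature at offset 510. The sample sector bytes, the baseline store and the device paths in the comments are all constructed assumptions for the example.

```python
"""Baseline-and-verify check for a disk's master boot record (MBR).

Added example, not from the article. Assumes the baseline hash is recorded
from a known-good system and that the caller has read access to the raw disk.
"""
import hashlib

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries live at 446..509
BOOT_SIG_OFFSET = 510          # classic MBR ends with 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def mbr_fingerprint(sector: bytes) -> str:
    """SHA-256 of the whole sector; this is what gets stored as the baseline."""
    return hashlib.sha256(sector).hexdigest()


def has_boot_signature(sector: bytes) -> bool:
    """True when the sector still carries the 0x55AA marker a BIOS expects."""
    return (len(sector) >= SECTOR_SIZE
            and sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == BOOT_SIGNATURE)


def partition_table_is_blank(sector: bytes) -> bool:
    """True when all four partition entries are zeroed, i.e. no layout is left."""
    return sector[PARTITION_TABLE_OFFSET:BOOT_SIG_OFFSET] == b"\x00" * 64


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare a freshly read sector against the recorded baseline.

    Returns individual findings plus a summary flag; any size, signature or
    hash mismatch is treated as a suspected wipe and should page an analyst.
    """
    size_ok = len(sector) == SECTOR_SIZE
    signature_ok = has_boot_signature(sector)
    matches_baseline = mbr_fingerprint(sector) == baseline_hash
    return {
        "size_ok": size_ok,
        "signature_ok": signature_ok,
        "partition_table_present": not partition_table_is_blank(sector),
        "matches_baseline": matches_baseline,
        "suspect_wipe": not (size_ok and signature_ok and matches_baseline),
    }


def read_mbr(device_path: str) -> bytes:
    """Read the first sector of a raw device.

    Placeholder paths, needing administrator/root rights on a real host:
    Linux "/dev/sda", Windows r"\\\\.\\PhysicalDrive0".
    """
    with open(device_path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample, not taken from any real disk.

    446 bytes of filler boot code, one partition entry (bootable flag 0x80,
    type 0x07), three empty entries, then the boot signature.
    """
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x90" * (PARTITION_TABLE_OFFSET - 3)
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                   0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00])
    table = entry + b"\x00" * 48
    return boot_code + table + BOOT_SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)          # recorded while the host is healthy
    print("healthy :", check_mbr(good, baseline))
    print("zeroed  :", check_mbr(b"\x00" * SECTOR_SIZE, baseline))
    print("garbage :", check_mbr(bytes(range(256)) * 2, baseline))
```

In practice the baseline hashes belong off-host (a wiper that reaches the disk can also reach a local file), and the check is only useful if it runs before the machine reboots, since a scrubbed MBR is discovered the hard way at next power-on. The same comparison generalises to GPT disks by hashing the protective MBR plus the primary GPT header sectors rather than sector zero alone.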

"The first wave was particularly disruptive, because destructive malware isn’t all that common," said Stephen Doherty, research analyst at Symantec Corp.

Now, Doherty has spotted a new variant of Shamoon in the United Arab Emirates and Saudi Arabia, affecting an energy and engineering firm.

"There’s definitely a resurgence of the malware," he said in an interview yesterday. "It does tend to surprise even the [cybersecurity] industry itself, the fact that they continue to use malware that has been used in infamous attacks in the past."

Shamoon staged a brief comeback in late 2016, when researchers at Palo Alto Networks Inc. warned of its "rudimentary, but effective" technique for quickly spreading from one infected system to a host of computers in its orbit.

The latest sample of the virus appears to have discarded this mechanism and doesn’t contain the emails, domains or passwords that it would need to spread through target organizations, according to Jen Miller-Osborn, deputy director of threat intelligence of Unit 42 at Palo Alto Networks. She said the variant uploaded to the VirusTotal database "shares a considerable amount of code" with samples used in the 2016 and 2017 Shamoon infections.

"It isn’t clear yet if this is a new round of attacks," she said in an email.

Much of what is publicly known about the new malware strain is based on a version uploaded into VirusTotal, according to research from Alphabet Inc. subsidiary Chronicle.

Researchers there found a quirk: The new Shamoon includes a Dec. 7, 2017, "trigger" date — a hard-coded command to launch destructive payloads. A backdated trigger means the new malware, once installed, immediately springs into action rather than lying in wait like a time bomb.

"Shamoon has been very closely tracked, despite its use in a limited number of incidents and is of considerable concern to Saudi Arabia and others involved in OPEC (Organization of the Petroleum Exporting Countries)," Chronicle researchers concluded in their analysis.

Saipem hit

Chronicle, which owns VirusTotal, reported that the sample uploaded to the file scanning service on Dec. 10 originated in Italy.

On the same day, Italian oil and gas firm Saipem SpA reported suffering a cyberattack on its servers.

The company does business in the Middle East, including Saudi Arabia, where Saipem was awarded $4 billion in engineering and construction contracts in 2014.

Saipem and the Saudi Arabian government’s National Cyber Security Center did not respond to requests for comment. But Saipem’s head of digital and innovation, Mauro Piasere, told Reuters yesterday that the Shamoon virus appeared to be responsible for crippling between 300 and 400 servers and 100 individual computers at the company.

Joe Slowik, adversary hunter at cybersecurity firm Dragos Inc., said in a Twitter message that there were "still a lot of mysteries" about the attack, from how the Shamoon malware made it into Saipem’s environment to how it spread, given that its wormlike capability appears to have been disabled.

It’s not yet clear who is behind the latest Shamoon infections. Cybersecurity firm CrowdStrike Inc. linked past versions of the malware to the Iranian government. Doherty of Symantec said it is still too early to point fingers for the third round.

"There’s no hard evidence as to who might be behind these attacks," he said. "For this latent wave, we’re going to try to tie it back to a particular set of tools that maybe a group is using, and see where we go from there."