More Shamoon 3 Attacks Detected in the Middle East and Europe

After an Italian company recently confirmed that its infrastructure was attacked with a new version of a destructive malware program called Shamoon, security companies discovered additional infections in the Middle East and Europe.

“During the past week, we have observed a new variant attacking several sectors, including oil, gas, energy, telecom and government organizations in the Middle East and southern Europe,” researchers from antivirus firm McAfee said in a detailed analysis of the new version, which has become known as Shamoon 3.

Shamoon, also known as Disttrack, first appeared in 2012 when it was used to wipe data from thousands of computers belonging to Saudi Arabia’s national oil company Saudi Aramco and servers belonging to Qatar’s RasGas. The prime suspects in those attacks were hackers with links to Iran.

The second wave of attacks using Shamoon occurred four years later, in November 2016, and hit two organizations from Saudi Arabia.

This is why it came as a surprise when, last week, the Italian oil and gas company Saipem announced that servers in its offices in multiple countries had been hit with a new Shamoon variant. However, Saipem is one of Saudi Aramco’s largest contractors, so there is a direct connection back to Saudi Arabia’s oil operations.

In addition to McAfee, Symantec has also confirmed new attacks with Shamoon 3 against two oil and gas organizations from Saudi Arabia and the United Arab Emirates. In addition, researchers from security firm Anomali uncovered a Shamoon 3 sample uploaded to VirusTotal Dec. 13 by a user in the Netherlands, but it’s not clear if any company from that country was also hit.

According to Symantec, in addition to Shamoon, the new attackers also used a secondary file-wiping program called Trojan.Filerase.

“The addition of the Filerase wiper makes these attacks more destructive than use of the Shamoon malware alone,” they said. “While a computer infected by Shamoon could be unusable, files on the hard disk may be forensically recoverable. However, if the files are first wiped by the Filerase malware, recovery becomes impossible.”

Once inside a network, Filerase was copied to computers based on a list of target systems that were unique for each victim. This suggests that attackers had access inside the networks of the targeted organizations in advance. In one case, Shamoon was launched with the PsExec tool, another indication that attackers had access to network credentials.

According to Symantec, one of the organizations hit by Shamoon 3 was recently also attacked by an APT group known as Elfin or APT33. FireEye has linked this group to Iran in the past.

“The proximity of the Elfin and the Shamoon attacks against this organization means it is possible that the two incidents are linked,” the Symantec researchers said.

Elfin has targeted organizations from the United States, Saudi Arabia and South Korea in the past, particularly from the military and civilian aviation sectors, but also the energy and petrochemical sectors.

If this group is indeed behind Shamoon 3, there is a risk that they could target additional companies outside the Middle East and Europe, as they did in the past. The main malware tool previously associated with this group was a Trojan program called Stonedrill that also has data wiping capabilities.

Companies need to remain vigilant, especially since Shamoon is part of a larger trend of sabotage-oriented programs that focus on destroying data and taking systems offline rather than espionage. Recovering from such attacks requires having proper data backup and restore procedures in place that can be relied on to limit downtime and put affected systems back into operation as soon as possible.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42