Bapco, the national oil company of the Arabian Gulf island nation of Bahrain, was reportedly hit on 29 December by a disk-wiper attack that officials believe originated from Iranian-backed hackers.
Iran has historically been associated with disk-wiper campaigns against energy companies, most notably the destructive Shamoon (also known as Disttrack) attack on the Saudi Arabian Oil Company, Saudi Aramco, in 2012, which destroyed roughly 35,000 computer workstations. Bahrain is a member of the Gulf Cooperation Council along with Saudi Arabia; it is a Sunni-ruled country with a majority Shia population, and Shia Islam is the main religion in Iran.
This latest digital assault appears to have been less effective than earlier attacks. Only a fraction of Bapco's machines were affected, not enough to substantially disrupt operations, ZDNet has reported. According to the same report, a security alert recently issued by Saudi Arabia's National Cyber Security Centre (NCSC), and made public by ZDNet, was in fact referring to the Bapco incident when it warned of a newly discovered wiper called Dustman.
Dustman appears to have been executed in haste on its intended victim, perhaps to cover up a previously executed network compromise that had been uncovered, the NCSC alert suggests. "NCSC assess[es] that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network," the NCSC states.
Dustman is assessed to be a variant of ZeroCleare, another disk wiper that researchers at IBM Security reported last year had been used in recent malware attacks against energy and industrial sector organisations based in the Middle East. IBM linked ZeroCleare, which overwrites the master boot record and disk partitions of Windows machines, to the suspected Iranian APT group OilRig (aka APT34 and Helix Kitten) and to at least one other group that is also likely based in Iran.
Dustman has the same digital fingerprint as ZeroCleare, and both use the Turla Driver Loader to abuse a vulnerable, legitimately signed driver and so bypass Windows' protections against loading unsigned drivers (driver signature enforcement), the NCSC explains. However, Dustman overwrites data differently than ZeroCleare, and it has added an "optimisation mechanism… where the destructive capability and all needed drivers and loaders are delivered in one executable file as opposed to two files as was the case with ZeroCleare," the alert clarifies.
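The loader technique described above leaves a recognisable trace in endpoint telemetry: a validly signed third-party driver is loaded from an unusual path, and shortly afterwards an unsigned driver appears. The Turla Driver Loader is publicly documented as abusing a signed VirtualBox driver for this purpose. The following is an added example, not code from the NCSC alert, from IBM or from any Dustman sample; it runs a hunt over constructed records modelled on Sysmon Event ID 6 (DriverLoad), whose `ImageLoaded`, `Signed`, `Signature` and `SignatureStatus` fields are the ones assumed here. The file names, timestamps and the trusted-directory list are constructed sample data and tuning assumptions, not indicators from the incident.

```python
"""Hunt for driver-signature-enforcement bypass in Sysmon Event ID 6 records.

Added example. The records below are constructed to look like Sysmon
DriverLoad events; they are not telemetry from Bapco or any real sample.
"""
from datetime import datetime, timedelta

# Directories from which legitimately installed kernel drivers are normally
# loaded. Assumption for this example; tune to the environment.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed sample events (field names follow Sysmon's ID 6 schema).
SAMPLE_EVENTS = [
    {"EventID": 6, "UtcTime": "2019-12-29 03:12:07.100",
     "ImageLoaded": "C:\\Windows\\System32\\drivers\\disk.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    # A validly signed third-party driver dropped into a temp directory:
    # the "vulnerable signed driver" half of the loader pattern.
    {"EventID": 6, "UtcTime": "2019-12-29 03:40:12.500",
     "ImageLoaded": "C:\\Windows\\Temp\\vboxdrv.sys",
     "Signed": "true", "Signature": "Oracle Corporation", "SignatureStatus": "Valid"},
    # The unsigned payload driver loaded a minute later through that bypass.
    {"EventID": 6, "UtcTime": "2019-12-29 03:41:03.250",
     "ImageLoaded": "C:\\Windows\\Temp\\drv1.sys",
     "Signed": "false", "Signature": "-", "SignatureStatus": "Unavailable"},
    # A non-driver event that the hunt must ignore.
    {"EventID": 1, "UtcTime": "2019-12-29 03:41:10.000",
     "Image": "C:\\Windows\\Temp\\agent.exe"},
]


def parse_time(text):
    """Parse the Sysmon UtcTime string into a datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def is_trusted_path(path):
    """True if the driver image sits in one of the expected driver directories."""
    return path.lower().startswith(TRUSTED_DRIVER_DIRS)


def is_validly_signed(event):
    """True only if Sysmon reports the driver signed AND the signature valid."""
    return event.get("Signed", "false").lower() == "true" \
        and event.get("SignatureStatus") == "Valid"


def classify(event):
    """Return per-event rule hits for one DriverLoad record."""
    hits = []
    if event.get("Signed", "false").lower() != "true":
        hits.append("unsigned")
    elif event.get("SignatureStatus") != "Valid":
        hits.append("signature_status")   # signed, but revoked/expired/untrusted
    if not is_trusted_path(event["ImageLoaded"]):
        hits.append("untrusted_path")
    return hits


def hunt(events, window=timedelta(minutes=10)):
    """Flag suspicious driver loads and the two-stage loader pattern.

    The loader pattern is: a validly signed driver loaded from outside the
    trusted directories, followed within `window` by an unsigned driver load.
    Returns a list of finding dicts in the order they were produced.
    """
    loads = sorted((e for e in events if e.get("EventID") == 6),
                   key=lambda e: parse_time(e["UtcTime"]))
    findings = []
    for e in loads:
        for rule in classify(e):
            findings.append({"rule": rule, "time": e["UtcTime"],
                             "image": e["ImageLoaded"]})
    for i, first in enumerate(loads):
        if not (is_validly_signed(first) and not is_trusted_path(first["ImageLoaded"])):
            continue
        t0 = parse_time(first["UtcTime"])
        for later in loads[i + 1:]:
            if parse_time(later["UtcTime"]) - t0 > window:
                break
            if later.get("Signed", "false").lower() != "true":
                findings.append({"rule": "loader_pattern", "time": later["UtcTime"],
                                 "image": later["ImageLoaded"],
                                 "via": first["ImageLoaded"]})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

The per-event rules alone already catch an unsigned load, but on a host where test-signing or a misconfigured policy is in place they are noisy; the `loader_pattern` correlation is the higher-confidence signal, because a signed driver appearing in a temp directory and an unsigned driver following it within minutes is exactly the two-file sequence the alert describes for ZeroCleare, collapsed into one dropper in Dustman's case.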
If the NCSC report indeed refers to the Bapco incident, then according to that report the energy firm's network was likely first compromised several months before the wiper was run. The NCSC believes, with "moderate confidence", that the initial attack vector was a virtual private network (VPN) server containing a remote code execution vulnerability that had been disclosed in the summer of 2019. This could potentially refer to VPN servers from Fortinet or Pulse Secure, ZDNet reports.
Notably, IBM Security believes the ZeroCleare attacks also were enabled through VPN server exploits. And several prominent Sodinokibi ransomware attacks have also recently taken place via vulnerable Pulse Secure servers, researchers have disclosed.
According to the NCSC, once the attackers had access to the VPN server they were able to harvest admin credentials, allowing them to move laterally around the victim's systems and ultimately deploy Dustman on them, along with additional files and two drivers. Later, the attackers deleted the recent VPN access log and downloaded a file deletion tool to cover their tracks.
Roger Grimes, data-driven defense evangelist at KnowBe4, said that Bapco seems to have dodged a bullet, and believes better preparation by Middle Eastern firms following the Saudi Aramco wiper incident may be the reason why.
"Before the Saudi Aramco attack, Middle East computer security was worse than poor. It was almost non-existent. But losing 32,000 computers, servers and workstations, in one of the world’s first nation-state attacks and the shutting down of the number-one wealth producer for the country has a way of creating focus," said Grimes. "Saudi Arabia and its allies, including Bahrain, realised that status quo wouldn’t work anymore, and they worked very hard to come up to speed."
Grimes, who worked at Microsoft when the Shamoon attack happened, added that Saudi Arabia "sent over dozens of IT security envoys to work hand in hand with some of America's best and most attacked companies to learn how to come up to speed with better computer security as quickly as possible. It was a major investment, maybe one of the biggest investments ever in their future. And looking at this latest story, it seems like a success."
First published on SC US.