Shamoon has returned in a new form. The Saudi Arabian telecoms authority issued a warning on 23 January to companies about a variant of the malware, called Shamoon 2. The warnings, according to Reuters, come after the Saudi labour ministry reported that it had been attacked by the malware.
Shamoon 2, much like its predecessor, is plainly destructive, overwriting its targets' disks and leaving the machines unable to boot. Michael Shalyt, VP of product at Aperio Systems, a company which specialises in securing critical control systems, told SC: “One of the metrics that define the severity of a cyber-attack is the length of time before normal operations can resume. For example, once a DDoS attack ceases, the attacked system can resume operations almost immediately. Malware that destroys or misconfigures parts of a system will require more time and resources from the IT personnel before a return to normalcy.”
“Shamoon is an extreme case of this category,” he added, “corrupting attacked computers' hard drives all the way to the boot sector, rendering the systems completely unusable and requiring a full format and reinstallation of all breached components, which is about the worst an attacker can do to disrupt operations on the digital layer.”
The malware itself overwrites its targets' boot records and wipes the machines. For its attacks to work, however, it first has to gain access to the network. Symantec believes there may be a connection between the group that uses the Shamoon Disttrack malware and another group called Greenbug. In a recently published blog post, Symantec noted the presence of Greenbug within an organisation that was later attacked by Shamoon.
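Because the damage described above starts with the first sector of the disk, a stored baseline of the master boot record is a cheap check to keep. The following Python is an added example, not code from the article, from Symantec or from any Shamoon analysis: it builds a constructed disk image in memory, records a SHA-256 digest of the first sector, simulates a destructive overwrite (a generic stand-in, not Shamoon's actual routine) and shows the check flagging both the lost 0x55AA boot signature and the changed digest. The image layout, the filler pattern and all function names are assumptions made for the example.

```python
"""Boot-sector baseline check against a raw disk image.

Added example (not from the article or any Shamoon analysis). The disk image,
the baseline and the simulated overwrite are all constructed here so the file
runs offline; on a real host the same logic would be applied to the first
sector read from the block device (e.g. /dev/sda or \\\\.\\PhysicalDrive0).
"""
import hashlib

SECTOR_SIZE = 512             # the MBR occupies the first 512-byte sector
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510-511 of a valid MBR


def build_test_image(num_sectors: int = 64) -> bytearray:
    """Construct a small fake disk image with a plausible-looking MBR.

    The boot-code area is a jmp followed by nops (a constructed stand-in for
    real boot code), the partition table is left zero, and the 0x55AA
    signature is set. Later sectors hold a visible per-sector byte pattern.
    """
    image = bytearray(SECTOR_SIZE * num_sectors)
    image[0:446] = bytes([0xEB, 0x63, 0x90] + [0x90] * 443)
    image[510:512] = MBR_SIGNATURE
    for i in range(1, num_sectors):
        image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] = bytes([i % 256]) * SECTOR_SIZE
    return image


def read_first_sector(path: str) -> bytes:
    """Read the first sector of a device or image file (privileges needed on a real device)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def mbr_digest(image: bytes) -> str:
    """SHA-256 of the first sector only; this is what gets stored off-host as the baseline."""
    return hashlib.sha256(bytes(image[:SECTOR_SIZE])).hexdigest()


def has_boot_signature(image: bytes) -> bool:
    """A wiped or zeroed MBR usually loses the trailing 0x55AA signature."""
    return bytes(image[510:512]) == MBR_SIGNATURE


def check_mbr(image: bytes, baseline_digest: str) -> dict:
    """Compare the current first sector against a previously stored baseline."""
    current = mbr_digest(image)
    return {
        "signature_ok": has_boot_signature(image),
        "matches_baseline": current == baseline_digest,
        "digest": current,
    }


def simulate_overwrite(image: bytearray, filler: bytes, sectors: int) -> None:
    """Overwrite the first `sectors` sectors with a repeating filler pattern.

    Constructed stand-in for a destructive wiper. It touches only the
    bytearray in memory, never a real device.
    """
    pattern = (filler * (SECTOR_SIZE // len(filler) + 1))[:SECTOR_SIZE]
    for i in range(sectors):
        image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE] = pattern


def demo():
    """Baseline a clean image, wipe it, and re-check; returns (before, after) reports."""
    image = build_test_image()
    baseline = mbr_digest(image)          # would be recorded at install time
    before = check_mbr(image, baseline)
    simulate_overwrite(image, b"\xCC", sectors=8)   # arbitrary filler byte
    after = check_mbr(image, baseline)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before wipe:", before)
    print("after wipe: ", after)
```

The baseline digest must live somewhere the wiper cannot reach (a monitoring host, not the same disk), and the check is only a detection aid after the fact: a machine whose first sector no longer matches has already lost its bootloader, so the real mitigation is tested offline backups and a rebuild procedure.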
CrowdStrike, a cyber-security company, believes the attackers to be Iranian. Iran and Saudi Arabia are often seen as regional rivals, and it is not uncommon for each country to attempt to meddle in the other's affairs. That rivalry, said Ewan Lawson, senior fellow for military influence at the Royal United Services Institute, is rarely direct.
He told SC that this rivalry is often played out “through proxies, with for example Iran accused of supporting the opposition in Bahrain and the Houthi movement in Yemen. There have been regular allegations of state-sponsored cyber-attacks between them, with probably the Saudi Aramco attack being the most well known, albeit this has also been linked to Iranian messaging to the USA in the aftermath of Stuxnet/Olympic Games.”
Shamoon became famous off the back of an attack on Saudi Aramco, the state oil company, in 2012. The malware destroyed the records of nearly 40,000 computers. In late 2016, Shamoon reappeared, attacking six different Saudi organisations and overwriting target computers' disks with the well-known image of the body of Alan Kurdi, a Syrian refugee who drowned in the Mediterranean.
After the most recent warning, the Saudi Arabian state-run television station Al Ekhbariya added that several organisations had been targeted by cyber-attacks.
Among them was the Sadara Chemical Company, a joint venture between Saudi and US companies. While Sadara acknowledged that its recent disruptions were the result of a cyber-attack, it did not say that they were caused by Shamoon.
“Sadara's network disruption was a result of a cyber attack experienced by multiple entities in KSA, as announced by the regulatory authorities.” — Sadara (@Sadara), January 25, 2017