Dubai: The computer virus that wreaked havoc at Saudi Aramco in 2012 has returned to the kingdom for the second time in as many months, this time leaving at least three government agencies, and four private sector companies offline for 48 hours.
As with the first two Shamoon attacks, this latest incident used an almost identical method to infiltrate systems, propagate itself, and then gain control of targets and destroy them, according to Ravi Patil, Technical Director, Trend Micro.
“This attack, a slight variation on November’s Shamoon 2, was a time bomb set to explode on January 23, hitting both the public and private sector,” said Patil.
Blaming the latest breach on poor adherence to security protocol, he described the need for better education, such as teaching staff not to click on links in suspicious emails.
“If companies had followed basic security practices, such as protecting passwords, or not allowing remote access tools or VPNs inside the network, then they would have been less susceptible. It was human error.”
The technical director confirmed US security researchers’ claims that infected computers displayed an image of the body of three-year-old Syrian boy Alan Kurdi, a picture that shocked the world and made global headlines in 2015.
This iteration of Shamoon is not the first time a seemingly symbolic message has been left on wiped computers. Back in 2012, a JPEG picture of a burning US flag was found on hacked devices at Saudi Aramco.
Sadara Chemical Co, a Jubail-based company jointly owned by Saudi Aramco and Dow Chemical, announced that its “network disruption was a result of cyber-attack experienced by multiple entities in KSA.”
Patil also confirmed reports by Reuters that other petrochemical facilities in Jubail were affected.
“Multiple petrochemical companies, in addition to IT services companies, were affected,” although he noted that the financial sector was left untouched.
Trend Micro, a Tokyo-based security software provider, is one of three global firms working with the Saudi Arabian government on cybersecurity. The other two are Symantec and McAfee.
“We didn’t see any evidence of data exfiltration,” said Patil, suggesting instead that the purpose of the malware, as in previous cases, was to cause widespread disruption and the destruction of computer networks.
Despite the results of Trend Micro’s investigation, market sources have suggested that one of the most troublesome aspects of the Shamoon virus, and its more powerful successor Shamoon 2, is the very fact that its damaging capabilities make it so difficult to detect any theft of data.
“Overwriting the master boot record completely covers the intruder’s tracks, so we really don’t know what the hackers did before wiping the data,” said a cybersecurity expert who was not authorised to comment publicly on the matter.
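To make the quoted point concrete, the following is an added example, not code from the original article or from Trend Micro’s investigation: a small Python parser for the first sector of a disk image that reports whether the master boot record, and with it the partition table an investigator would use to locate the filesystems, is still there. The sample sectors are constructed inside the script, and the junk pattern used for the “wiped” sector is a placeholder, not the data Shamoon actually wrote.

```python
"""
Boot-sector triage: does sector 0 of a disk image still look like an MBR?

Added example, not code from the original article or from Trend Micro.
The DOS partition table lives at byte 446 of the first sector (four 16-byte
entries) and the sector ends with the 0x55 0xAA boot signature. Once a wiper
has overwritten that sector, the partition table is gone, so the filesystems
cannot even be located from the MBR, let alone searched for traces of what
the intruder did first. The sample sectors below are constructed for the demo.
"""
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446            # start of the four partition entries
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511 of a valid MBR


def parse_entry(entry: bytes) -> dict:
    """Decode one 16-byte DOS partition entry (CHS fields are ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "status": status,
        "type": ptype,
        "lba_start": lba_start,
        "byte_offset": lba_start * SECTOR_SIZE,  # where the filesystem begins
        "num_sectors": num_sectors,
    }


def parse_mbr(sector: bytes) -> dict:
    """Parse sector 0 and return the used partition entries plus sanity flags."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected a 512-byte sector")
    table = sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE]
    entries = [parse_entry(table[i:i + ENTRY_SIZE]) for i in range(0, len(table), ENTRY_SIZE)]
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        # the status byte of an entry may only be 0x00 (inactive) or 0x80 (bootable)
        "status_bytes_valid": all(e["status"] in (0x00, 0x80) for e in entries),
        "partitions": [e for e in entries if e["type"] != 0 and e["num_sectors"] > 0],
    }


def classify_sector(sector: bytes) -> str:
    """'intact': usable MBR; 'overwritten': no boot signature at all;
    'suspicious': signature present but the partition table is malformed/empty."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "overwritten"
    if info["status_bytes_valid"] and info["partitions"]:
        return "intact"
    return "suspicious"


def make_sample_mbr() -> bytes:
    """Constructed healthy MBR: a jump into boot code, one NTFS partition
    starting at LBA 2048, and the boot signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:3] = b"\xeb\x63\x90"
    sector[TABLE_OFFSET:TABLE_OFFSET + ENTRY_SIZE] = struct.pack(
        "<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800
    )
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def make_wiped_mbr() -> bytes:
    """Constructed sector 0 after a wiper has overwritten it end to end with a
    repeating junk pattern (here the start of a JPEG header; the real overwrite
    data used by Shamoon is not reproduced)."""
    pattern = b"\xff\xd8\xff\xe0JFIF\x00"
    return (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]


def make_tampered_mbr() -> bytes:
    """Constructed MBR whose signature survived but whose first status byte
    holds an impossible value, as a partial overwrite could leave behind."""
    sector = bytearray(make_sample_mbr())
    sector[TABLE_OFFSET] = 0x7F
    return bytes(sector)


if __name__ == "__main__":
    for name, sector in [("healthy", make_sample_mbr()),
                         ("wiped", make_wiped_mbr()),
                         ("tampered", make_tampered_mbr())]:
        verdict = classify_sector(sector)
        parts = parse_mbr(sector)["partitions"]
        print(f"{name:9s} -> {verdict}; partitions located: "
              f"{[hex(p['byte_offset']) for p in parts] or 'none'}")
```

Against a real image, feed `classify_sector` the first 512 bytes of the file. An “overwritten” verdict means the filesystem boundaries have to be recovered by carving for filesystem headers deeper in the image rather than read from the MBR, and any reconstruction of what happened before the wipe depends on copies of the data held elsewhere, such as backups or logs shipped off the host.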
Fortunately for many of the companies involved, backups had been made following the attack in November, so last week’s breach was not as destructive as on previous occasions.
When Saudi Aramco was breached in 2012, Shamoon destroyed the records on close to 40,000 computers, and recovery took almost two weeks, according to reports.
Whilst the attack on the oil giant in 2012 began late on a Thursday afternoon, timed to coincide with the beginning of the weekend in Saudi Arabia for maximum impact, this latest breach occurred at 9:02am on Monday, January 23.
CrowdStrike, a US-based cybersecurity company, has previously suggested the attack was orchestrated by Iran, a regional rival of Saudi Arabia.
US Secretary of Defence Leon Panetta stated at the time of the first attack that “there are only a few countries in the world that have that capability,” which led to further speculation that Iran was responsible.
Regarding the latest incident, Patil said that Trend Micro “had not seen any traces pointing to a particular country or group.”