While researchers continue to dig into the Shamoon malware, looking for its origins and a complete understanding of its capabilities, a group calling itself the Cutting Sword of Justice is claiming responsibility for an attack on the massive Saudi oil company Aramco, which some experts believe employed Shamoon to destroy data on thousands of machines.
The attack on Aramco occurred on August 15, taking the main Web site of Saudi Aramco offline. Officials at the company said that the attack affected some of the company’s workstations, but did not have any effect on oil production or on the main Aramco networks. The attackers claiming responsibility for the incident dispute that, saying that they deployed a destructive piece of malware that erased data on infected machines and then made them unusable.
“As previously said by hackers, about 30,000 (30k) clients and servers in the company were completely destroyed. Symantec, McAfee and Kaspersky wrote a detailed analysis about the virus, good job. Hackers published the range of internal client IPs which were found in the internal network and became one of the phases of the attack target,” the group said in a post on Pastebin shortly after the attack.
The first indications that the attack might be connected to the Shamoon malware came in the group’s original Pastebin post, which included a start time for the attack on Aramco, 11:08 a.m. local time in Saudi Arabia on August 15. Researchers who dissected Shamoon found that the same time was hard-coded into the Shamoon malware as a kind of checkpoint. The attackers claiming responsibility for the operation said that the attack ended a few hours after it began, but that plenty of damage was done.
“In the first step, an action was performed against Aramco company, as the largest financial source for the Al-Saud regime. In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sent a malicious virus to destroy thirty thousand computers networked in this company. The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours,” the post says.
“This might mean that those samples are part of an attack on a different entity. Or, this is indeed part of the attack against Aramco, but the attackers decided not to share this IP address in the pastes, considering the detail in the pastes is true, of course.”
Shamoon has an odd set of capabilities, most notably a function that overwrites the master boot record of infected machines after stealing data. It also uses a machine on a given infected network as a kind of proxy server to gather data stolen from infected PCs on the local network and then send it off to the command-and-control servers.
The IP address of the proxy server that Seculert observed being used by its sample is different from the one seen by Kaspersky Lab researchers: 10.223.180.93. It’s not clear whether both of those servers were located on the same infected local network, rather than on two separate networks, but researchers say that is a strong possibility.
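The internal-proxy behaviour described above (many infected hosts pushing stolen data to one peer on the LAN, which then forwards it outward) leaves a distinctive shape in network flow records. The following script is an added example written for this article, not code from Seculert, Kaspersky Lab or any Shamoon analysis: it scans a constructed list of flow records and flags hosts that receive data from several internal peers and also send data to an external address. The flow-record format, the RFC 1918 definition of "internal", every host except the article's proxy address 10.223.180.93, and all byte counts are assumptions made up for the example.

```python
import ipaddress
from collections import defaultdict

# Assumption: the corporate address space is exactly the RFC 1918 ranges.
# (ipaddress.is_private is deliberately not used: it also treats the
# documentation range 203.0.113.0/24 used below as "private".)
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_from_src).
# 10.223.180.93 is the proxy address cited in the article; every other host,
# port and byte count is invented for this example. 203.0.113.17 is a
# documentation-range placeholder standing in for an external server.
SAMPLE_FLOWS = [
    ("10.223.180.12", "10.223.180.93", 8080, 512_000),
    ("10.223.180.15", "10.223.180.93", 8080, 498_000),
    ("10.223.181.7",  "10.223.180.93", 8080, 530_000),
    ("10.223.182.44", "10.223.180.93", 8080, 120_000),
    ("10.223.180.93", "203.0.113.17",  80,   1_600_000),  # staging host pushes data out
    ("10.223.180.12", "10.223.1.5",    445,  4_000),      # ordinary file-server traffic
    ("10.223.180.15", "10.223.1.5",    445,  3_000),
    ("10.223.1.5",    "10.223.180.12", 445,  90_000),
]


def find_staging_hosts(flows, min_sources=3, min_inbound_bytes=1_000_000):
    """Return {host: summary} for internal hosts that (a) receive at least
    min_inbound_bytes from at least min_sources distinct internal peers and
    (b) also send data to at least one external address. Thresholds are
    example values and would be tuned to the real network's baseline."""
    inbound = defaultdict(lambda: {"sources": set(), "bytes": 0})
    outbound = defaultdict(lambda: {"dsts": set(), "bytes": 0})

    for src, dst, _port, nbytes in flows:
        if is_internal(src) and is_internal(dst):
            inbound[dst]["sources"].add(src)
            inbound[dst]["bytes"] += nbytes
        elif is_internal(src):  # internal -> external
            outbound[src]["dsts"].add(dst)
            outbound[src]["bytes"] += nbytes

    hits = {}
    for host, agg in inbound.items():
        if (len(agg["sources"]) >= min_sources
                and agg["bytes"] >= min_inbound_bytes
                and host in outbound):
            hits[host] = {
                "internal_sources": len(agg["sources"]),
                "inbound_bytes": agg["bytes"],
                "external_destinations": sorted(outbound[host]["dsts"]),
                "outbound_bytes": outbound[host]["bytes"],
            }
    return hits


if __name__ == "__main__":
    for host, info in find_staging_hosts(SAMPLE_FLOWS).items():
        print(f"possible staging host {host}: {info}")
```

The file server 10.223.1.5 also receives from several peers but never talks outward, so it is not flagged; the combination of fan-in from the LAN and fan-out to the Internet is the signal worth alerting on. Against real NetFlow or proxy logs the thresholds would be set from a baseline of normal internal servers.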