Some Signs Point to Shamoon as Malware in Aramco Attack

While researchers continue to dig into the Shamoon malware, looking for its origins and a complete understanding of its capabilities, a group calling itself the Cutting Sword of Justice is claiming responsibility for an attack on the massive Saudi oil company Aramco, which some experts believe employed Shamoon to destroy data on thousands of machines. 

The attack on Aramco occurred on August 15, taking the main Web site of Saudi Aramco offline. Officials at the company said that the attack affected some of the company’s workstations, but did not have any effect on oil production or on the main Aramco networks. The attackers claiming responsibility for the incident dispute that, saying that they deployed a destructive piece of malware that erased data on infected machines and then made them unusable.

“As previously said by hackers, about 30000 (30k) of clients and servers in the company were completely destroyed. Symantec, McAfee and Kaspersky wrote a detailed analysis about the virus, good job. Hackers published the range of internal clients IPs which were found in the internal network and became one of the phases of the attack target,” the group said in a post on Pastebin shortly after the attack.

The first indications that the attack might be connected to the Shamoon malware came in the group’s original Pastebin post, which included a start time for the attack on Aramco, 11:08 a.m. local time in Saudi Arabia on August 15. Researchers who dissected Shamoon found that the same time was hard-coded into the Shamoon malware as a kind of checkpoint. The attackers claiming responsibility for the operation said that the attack ended a few hours after it began, but that plenty of damage was done.

“In the first step, an action was performed against Aramco company, as the largest financial source for Al-Saud regime. In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sent a malicious virus to destroy thirty thousand computers networked in this company. The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours,” the post says.

In a statement on its site, Saudi Aramco said that the company is keeping most of its Web presence offline as a precaution.
 
“We have isolated all our electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption which affected some sectors of our network. The disruption was suspected to be the result of a virus that had infected personnel workstations without affecting the primary components of the network. The interruption is under control; we are working diligently to restore services to normal as soon as possible in a methodical approach,” the company said.
 
While there are many indications that Shamoon was, in fact, the malware that was used to target Aramco, it’s not a certainty. Aviv Raff, CTO of Seculert, said that there is at least one indication that the malware the attackers used isn’t the same as the sample of Shamoon that he’s seen.
 
“The IP address (10.1.252.19) of the proxy server, in the Shamoon samples that Seculert analyzed, is not part of the list described in the pastes,” Raff said.

“This might mean that those samples are part of an attack on a different entity. Or, this is indeed part of the attack against Aramco, but the attackers decided not to share this IP address in the pastes, considering the detail in the pastes is true, of course.”

Shamoon has an odd set of capabilities, most notably a function that overwrites the master boot record of infected machines after stealing data. It also uses a machine on a given infected network as a kind of proxy server to gather data stolen from infected PCs on the local network and then send it off to the command-and-control servers. 

The IP address of the proxy server that Seculert observed being used by its sample is different from one seen by Kaspersky Lab researchers: 10.223.180.93. It’s not clear whether both of those servers were located on the same infected local network, rather than on two separate networks, but it is a strong possibility, researchers say.
