A new version of Shamoon, the malware that infamously damaged Saudi Aramco, Saudi Arabia’s largest oil producer, in 2012, has been used in new attacks in the Middle East.
The new Shamoon attack was reported Thursday to have been detected on the network of Italian oil and gas contractor Saipem, where it destroyed files on about 10 percent of the company’s personal computers, primarily in the Middle East but also in Italy and Scotland.
A second attack at around the same time was later reported to have targeted a heavy-engineering company in the U.A.E.
Shamoon is different from regular malware attacks in that it does not attempt to steal information or ask for a ransom payment. Instead, it simply deletes data, causing chaos on every network it manages to infiltrate.
Mounir Hahad, head of Juniper Threat Labs, told SiliconANGLE that the new version of Shamoon “packs the same punch as previous attacks,” but is harder to study because this time no sign of the intended victim is present in the malware.
“This variation will render any system it infects unusable by overwriting a key hard drive section called the Master Boot Record with random data,” Hahad explained. “Unlike the previous variant, this one does not attempt to spread, which leads us to believe that the attack vector and the method of infecting more systems is yet to be discovered.”
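A forensic check for the damage Hahad describes, added here as an example and not taken from the article or from any Shamoon sample: it reads a 512-byte Master Boot Record (sector 0 of a disk image) and reports whether the boot signature, the partition table and the bootstrap code still look like a real MBR. A sector overwritten with random data fails all three. The 7.0 bits-per-byte entropy threshold, the `assess_mbr` and `parse_partition_table` names, and both sample sectors are assumptions constructed for this example; the sample sectors are not real disk data.

```python
"""Sanity-check a 512-byte Master Boot Record for signs of wiper damage.

Added example (not the article's own material): flags a sector whose boot
signature, partition table or bootstrap code no longer resemble a real MBR,
which is what a sector overwritten with random data looks like in a
forensic image.
"""
import hashlib
import math
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xaa"
# Heuristic threshold (assumption for this example): real bootstrap code
# rarely exceeds ~6 bits/byte, while random fill over 446 bytes lands above 7.
RANDOM_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, up to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries that start at offset 446."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, num_sectors = struct.unpack(
            "<B3sB3sII", sector[off:off + 16])
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": num_sectors})
    return entries


def partition_table_sane(entries: list) -> bool:
    """Reject status bytes other than 0x00/0x80 and used entries of zero length."""
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            return False
        if e["type"] != 0 and e["sectors"] == 0:
            return False
    return True


def assess_mbr(sector: bytes) -> dict:
    """Return the individual checks plus an overall 'intact' / 'suspect' verdict."""
    result = {"length_ok": len(sector) == SECTOR_SIZE}
    if not result["length_ok"]:
        result.update(signature_ok=False, table_ok=False,
                      bootstrap_entropy=None, verdict="suspect")
        return result
    result["signature_ok"] = sector[510:512] == BOOT_SIGNATURE
    result["table_ok"] = partition_table_sane(parse_partition_table(sector))
    result["bootstrap_entropy"] = round(
        shannon_entropy(sector[:PARTITION_TABLE_OFFSET]), 3)
    looks_random = result["bootstrap_entropy"] > RANDOM_ENTROPY_THRESHOLD
    intact = result["signature_ok"] and result["table_ok"] and not looks_random
    result["verdict"] = "intact" if intact else "suspect"
    return result


def assess_mbr_file(path: str) -> dict:
    """Assess sector 0 of a raw disk image (its first 512 bytes)."""
    with open(path, "rb") as f:
        return assess_mbr(f.read(SECTOR_SIZE))


# --- constructed samples (not real disk data) -----------------------------
# A plausible intact MBR: low-entropy bootstrap bytes, one bootable Linux
# partition starting at LBA 2048, three empty entries, and the 0x55AA signature.
_BOOT_CODE = (b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4\x50\x07\x50\x1f\xfb\xfc" * 27
              + b"\x00" * 14)
_PART_1 = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x83, b"\xfe\xff\xff",
                      2048, 204800)
INTACT_MBR = _BOOT_CODE + _PART_1 + b"\x00" * 48 + BOOT_SIGNATURE

# What a wiped sector looks like: 512 bytes of pseudo-random data, generated
# deterministically from SHA-256 so the example is reproducible.
WIPED_MBR = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(16))

if __name__ == "__main__":
    for name, sector in (("intact", INTACT_MBR), ("wiped", WIPED_MBR)):
        print(name, assess_mbr(sector))
```

Run against a raw image rather than a live disk: `assess_mbr_file("disk.img")` examines the first sector of the file. Treat a "suspect" verdict as a prompt to examine the image further, since an intentionally unusual bootloader (full-disk encryption or a GPT protective MBR with a non-standard layout) can also trip the partition-table check.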
Thomas Richards, associate principal consultant at Synopsys Inc., noted that the initial entry point is telling.
“With the recent releases of breaches involving passwords, it is a possibility that an employee used the same password in multiple locations which led to the attacker’s ability to compromise Saipem,” Richards said. “The Shamoon attack could also be predicated by a phishing campaign or other credential compromising event. This attack is most likely perpetrated by an advanced threat actor who was specifically targeting Saipem.”
Richards advised employers to state in their password policies that employees shouldn’t reuse corporate passwords on other systems. “Additionally, if an employee receives a suspicious email they should report it to their IT security group immediately,” he added.
Photo: Divulgação Petrobras/Wikimedia Commons