A series of attacks with the malware Shamoon seems to have originated in an Iranian hacker group. The McAfee Advanced Threat Research Team states that APT33 – or a group pretending to be the Iranian hacker group of the same name – is responsible for a recent series of attacks against industries in Europe and the Middle East.
Lately there have been a number of hack attacks with Shamoon. Among other things, the networks of the Italian oil and gas company Saipem, which is active in the Middle East, India, Italy and Scotland were infected. The attacks are not only aimed at individual companies, but also at supply chain attacks.
Highly destructive malware
Shamoon is a highly destructive malware, which aims to erase data from infected systems. The malware does this by overwriting data with other data. In recent years, two other variants of the malware were already active. One in 2012, which focused on Aramco, an oil company with at least 30,000 computers wiped out yards, and in 2016 and 2017 there was still a version active.
In all cases, the infected devices are contaminated with propaganda. Think of images of an American flag being burned and photos of a drowned Syrian child. The new variant of Shamoon is aimed at companies active in the oil and gas industry, energy companies, telecom providers and governments.
The malware infects systems using fairly traditional methods, by persuading victims to provide their account details. The Filerase program then erases the data from a system. It can do three things: run in silent mode; use a privileged escalation script or run with a tracker that keeps track of which documents and folders have been deleted.
Months in the making
McAfee thinks several developers have been working on the latest Shamoon attack. This would be prepared months in advance. Assigning the attack to someone is difficult, because we don’t have all the puzzle pieces. But we do see that this attack is similar to the Shamoon v.2 techniques. Political statements are part of every Shamoon attack. Now we see a verse from the Koran, which says that the attacker is linked to one of the sides in a Middle East conflict and wants to make a statement.
This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.