The dreaded Shamoon has resurrected, a new version called Shamoon 2 was spotted by the security experts at Palo Alto Networks. Saudi Arabia Computer Emergency Response Team (CERT)’s Abdulrahman al-Friah confirmed to Al Arabiya that at least 22 institutions were affected by the wave of Shamoon attacks.
Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco and RasGas Co Ltd.
In the 2012 attacks, threat actors used images of a burning U.S. flag to overwrite the drives of victims.
The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems. The Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and Dow Chemical, confirmed it had suffered a network disruption on Monday morning. The experts at the company are still working to resolve the problem.
Sadara has experienced a network disruption this morning, and are working to resolve it. Our operations have not been affected.
— Sadara | صدارة (@Sadara) January 23, 2017
Who is behind the attack?
A first possible scenario sees Iranian state-sponsored hackers targeting Saudi Arabian infrastructure in retaliation for cyber attacks against Iranian petrochemical facilities.
Iranian facilities suffered a string of cyber attacks last year between July and September, a fire at the Bou Ali Sina Petrochemical Complex in Iran caused $67m in damage.
The first incident occurred on July 6, in the Bou Ali petrochemical plant on the Persian Gulf coast, a couple of days after the fire was put out, a liquefied gas pipeline exploded in the Marun Oil and Gas Production Company. On July 29 another fire occurred at the Bisotoon petrochemical plant.
The incidents were originally blamed on human error but after another explosion of a gas pipeline near Gonaveh the Iranian Petroleum Ministry started an investigation to understand the real cause of the anomalous string of incidents.
“The Iranian Petroleum Ministry, in charge of all of the affected sites denied the plants were sabotaged and the Iranian oil minister Bijan Namdar Zanganeh said the fires and explosions were due to technical faults and human error.” reported the Time.com “However when an explosion in a gas pipeline near Gonaveh, which killed a worker, and another fire in the Imam Khomeini petrochemical plant, occurred within hours of each other on Aug. 6, the ministry refused to comment until after investigations.“
Mr. Abolhassan Firouzabadi, the secretary of Iran’s Supreme National Cyberspace Council, confirmed that a team of investigators were working on the case trying to understand if the incidents are linked and if they were caused by a cyber attack.
“The viruses had contaminated petrochemical complexes,” Brig. Gen. Gholam Reza Jalali told the IRNA news agency. “Irregular commands by a virus may cause danger.”
In this scenario, we can imagine an ongoing cyber dispute between Iran and Saudi Arabia.
A second scenario, even more disconcerting, sees a third nation-state actor that could spread the Shamoon 2 variant in the wild to feed political tension in the Middle East. The attribution problem is difficult to solve and a foreign government could benefit from a crisis in the area.
(Security Affairs – Shamoon 2, Saudi Arabia)