Shamoon malware destroys data at Italian oil and gas company
A new variant of the Shamoon malware was discovered on the network of Italian oil and gas contractor Saipem, where it destroyed files on about ten percent of the company’s PC fleet, ZDNet has learned.
The vast majority of the affected systems were located in the Middle East, where Saipem does the vast majority of its business, but infections were also reported in India, Italy, and Scotland.
Shamoon is one of the most dangerous strains of malware known to date. It was first deployed in two separate incidents that targeted the infrastructure of Saudi Aramco, Saudi Arabia’s largest oil producer, in 2012 and 2016. During those incidents, the malware wiped files and replaced them with propaganda images (burning US flag, body of Alan Kurdi). The 2012 attack was particularly devastating, with Shamoon wiping data on over 30,000 computers, crippling the company’s activity for weeks.
This new Shamoon attack also has an Aramco connection. Saipem, an Italian oil and gas company specialized in drilling services and pipeline design, is one of Saudi Aramco’s main foreign contractors.
New Shamoon version uploaded on VirusTotal
This latest Shamoon incident took place over the past weekend, December 8 and 9. The company publicly acknowledged the incident on Monday in a press release, calling it a cyber-attack, but without providing any useful information.
On the same day, a never-before-seen version of the Shamoon malware was uploaded to VirusTotal from an IP address in Italy, where Saipem’s main headquarters are located, and other samples were uploaded the next day from an IP address in India, another region that Saipem said was affected.
Following repeated requests for comment, from both ZDNet and other publications, Saipem admitted in an email that it had been infected with a Shamoon variant.
But while in past Shamoon incidents attackers deleted and replaced files, a source inside the company told ZDNet that this time, attackers chose to encrypt data.
A security researcher who analyzed the Shamoon files uploaded on VirusTotal told ZDNet that this is somewhat incorrect. This version of Shamoon overwrites original files with garbage data. This garbage data might look like encrypted content to an untrained eye, but it’s just random bits of information that can’t be recovered with an encryption key.
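To illustrate the researcher's point, the following added example (not from the original article or from the Shamoon sample) measures byte entropy for a constructed file after reversible encryption and after an overwrite with random bytes. The keystream_xor cipher, the sample text and the key are assumptions made for illustration.

```python
import hashlib
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 = constant, 8.0 = uniform)."""
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Illustrative reversible cipher: XOR with a SHA-256 counter keystream.
    A stand-in for real encryption, used only to show key-based recovery."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def compare(original: bytes, key: bytes) -> dict:
    """Compare an encrypted copy with a random overwrite of the same size."""
    encrypted = keystream_xor(original, key)
    # Garbage that has no relationship to the original content or to any key.
    overwritten = os.urandom(len(original))
    return {
        "entropy_original": shannon_entropy(original),
        "entropy_encrypted": shannon_entropy(encrypted),
        "entropy_overwritten": shannon_entropy(overwritten),
        # Applying the keystream again undoes encryption...
        "encrypted_recoverable": keystream_xor(encrypted, key) == original,
        # ...but no key turns random bytes back into the original file.
        "overwritten_recoverable": keystream_xor(overwritten, key) == original,
    }


# Constructed sample content and key; neither comes from the incident.
SAMPLE = b"Pipeline inspection report, section 4: weld seams within tolerance.\n" * 1000
DEMO_KEY = b"constructed-demo-key"

if __name__ == "__main__":
    for name, value in compare(SAMPLE, DEMO_KEY).items():
        print(f"{name}: {value}")
```

Both outputs sit close to 8 bits per byte, so an entropy check during triage cannot tell a wiper from ransomware; only the presence of a working key separates them, which is why restoring from backups is the recovery path.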
But despite this news, the Shamoon infection didn’t appear to do damage to Saipem’s ability to do business. Only regular workstations and laptops connected to Saipem’s business network were affected, ZDNet was told, and the company’s internal systems for controlling industrial equipment were not impacted.
Currently, Saipem is taking the Shamoon attack in stride, having already restored most of its affected systems using existing backups.
RDP entry point?
Older versions of the Shamoon malware were also known to come hardcoded with a list of SMB (Server Message Block) credentials that the malware would use to spread throughout a network on its own.
But in a phone call with ZDNet on Tuesday, Brandon Levene, the Chronicle security researcher who first spotted the new Shamoon malware on VirusTotal, said this Shamoon version didn’t come with the list of SMB credentials that past versions used for self-propagation.
This might also explain why Saipem’s IT staff is currently reviewing RDP (Remote Desktop Protocol) as the primary entry point for the malware into its network.
“You could just load Mimikatz onto the box and away you go to pivot that way,” Levene told ZDNet in a phone call about the technical possibility of RDP being the entry point for the hack and the absence of any SMB credentials usually seen in the past.
“They could have encoded them [the SMB credentials] afterward [after obtaining them with Mimikatz],” Levene said, “that would certainly make sense as to why the [SMB] functionality wasn’t necessary.”
“Additionally, the networking component wasn’t there. There’s no command and control server configured,” the researcher told us. “Older versions had a command and control server configured, and those would report what files were popped or overwritten.”
The lack of these two components (the SMB spreader and the networking component) fits with the scenario of a manual deployment, where the attacker was present and roaming around the company’s network, rather than the malware being delivered via a phishing email and left to spread on its own.
This theory is also confirmed by the fact that this new Shamoon version was configured with a trigger date of “December 7, 2017, 23:51.” The Shamoon “trigger date” is the date after which Shamoon’s destructive behavior starts.
“Trigger dates” are often used for malware deployed to spread on its own, in order to make sure the malware has time to infect as many computers as possible inside an internal network.
By using an old trigger date for this variant, attackers made sure Shamoon’s destructive behavior started as soon as they executed the Shamoon payload.
Shamoon re-emerging is a big deal for the IT security industry. Without a doubt, cyber-security firms will publish more reports about this malware in the coming days. We will update this article with links to any future Shamoon analysis, as well as Saipem press releases, if relevant.