The waves of cyberattacks that have rocked Saudi Arabia over the past few months are linked to the earlier Shamoon attacks. However, the initial 2012 attack was the work of a single group, whereas the latest attacks have been carried out by different groups of varying skills and expertise, all following instructions provided by one malicious actor, McAfee researchers have found.
Researchers at McAfee Strategic Intelligence believe the 2012 Shamoon attacks against Saudi Arabia’s state-run oil company Saudi Aramco and Qatari natural gas company RasGas, the attacks last November against Saudi organizations, and the latest attacks are the work of hacker groups supported and coordinated by a single actor, not by multiple gangs operating independently, said McAfee principal engineer Christiaan Beek and McAfee chief scientist Raj Samani.
Though Shamoon has focused on Saudi Arabia, it is important to remember that system-wiping campaigns aren’t unique to the Middle East. Malicious actors can obtain technologies from the black market or contact other groups directly to learn new techniques. Malware and attack capabilities aren’t like guns, where there is a physical limitation on who can possess them. They can be shared, and once a technique is available, it becomes widespread.
The 2016 and 2017 campaigns are a lot bigger and more sophisticated in execution, and they’re causing far more damage, which suggests the attackers have learned new techniques and are collaborating with other groups.
“The increase in sophistication suggests investment, collaboration, and coordination beyond that of a single hacker group, but rather that of the comprehensive operation of a nation-state,” Samani and Beek wrote.
The original campaign, which destroyed tens of thousands of computers by wiping the hard disk drives and the Master Boot Records, predominantly targeted the Saudi energy sector. But the latest attacks have gone beyond that vertical to include more than a dozen government agencies, financial services organizations, and critical infrastructure. All the attacks McAfee has seen so far targeted Saudi Arabia.
“Somebody is trying to disrupt a whole country,” Beek warned.
While McAfee declined to name a particular group or nation-state as the coordinating actor, Beek said there was a clear geopolitical intent behind the attacks. This isn’t a matter of sabotaging individual organizations, but an attack against a country, and only nation-states are capable of this level of coordination, he said.
The research is “the latest evidence of rogue state or stateless actors developing increasingly sophisticated and powerful cyberwarfare and cyberespionage capabilities to project geopolitical and strategic power that would otherwise be beyond their reach,” Samani and Beek wrote.
The most recent waves of attacks—which began Jan. 23 and is ongoing—draw heavily on malicious code used in 2012, with nearly a 90 percent overlap, Beek said. The campaign still relies on spear phishing emails sent to carefully selected individuals to get the initial foothold into the network.
Other commonalities between the campaigns include the fact that the date the system will be wiped is hard-coded in the malware, and the wiping generally happens during off-hours or holidays to make it harder for victim organizations to notice what is happening until it is too late. The malware also is hard-coded with the command-and-control infrastructure information, as well as the network and system credentials obtained during the spear-phishing portion of the campaign. This puts a lot of work on the coordinating actor since every target needs its own malware variant.
However, there are key differences. The initial 2012 attackers emphasized speed—moving quickly into the network to wipe the machines and disappearing after inflicting system-wide damage—because they were novices and needed to get out before being caught. The initial campaign used scanning tools and a pirated copy of the penetration testing tool Acunetrix Security Scanner to look for vulnerabilities, then uploaded webshells to establish remote access and harvest usernames and credentials. McAfee researchers said the noisy scanning and hunt for exploits indicated they were hoping for a lucky shot instead of having a detailed plan of attack.
The current wave of attacks showed more sophistication, with well-prepared spear phishing attacks that uses spoofed domains and weaponized documents, remote backdoors to establish persistence, and PowerShell scripts to carry out operations. The attackers could take their time gathering intelligence and save the wiper capability for when they were done extracting all valuable pieces of information, as the final act of sabotage.
Even with the change in style, there are enough similarities to suggest the attacks are the work of a single coordinating actor, who is getting better at developing more sophisticated campaigns, not multiple groups independently using similar tools. The actor is adding new capabilities and training other groups on how to execute the attacks.
The members of the group that worked on the 2012 campaign have moved on to other groups and attacks, and new members have been recruited and trained, Beek said. The latest attacks have “greater technical expertise,” but the overall campaign details suggest that some of the members don’t have the same level of technical expertise as others.
McAfee researchers found artifacts in malware that “normally would be removed” by a more skilled group. While the initial attacks were executed by one single group in 2012, the current wave involve multiple groups, which explain some of the operational mistakes the researchers found.
As long as the coordinating actor keeps up with the investment, attack refinement, and training, the individual hacking groups will be able to execute their parts of the attacks, which means the destructive Shamoon attacks will continue, Beek said.
Beek suggests the Shamoon malware was a “cyberweapon that had been sitting on the shelf” since 2012 and was brought back for 2016 and 2017 campaigns because “it worked so well the last time.”
What’s even more concerning is that the collaboration doesn’t go only one way, with the coordinating actor teaching the techniques to the attack groups. The actor is learning from other groups as well. The latest Shamoon code appears to have borrowed the macro code previously used by hacking group Rocket Kitten in spring 2016 and the Visual Basic Script code running PowerShell that was used in the 2015 Oil-RIG cyberespionage campaign. Other security researchers have linked Rocket Kitten and Oil-RIG to Iran.
Reuse of infrastructure such as DNS tunneling to hide communications with the command-and-control servers and other common tricks are increasingly common. Anyone can get access to tools, tactics, knowledge, talent, and infrastructure, if they know who to ask.
Within the five-year period between the initial Shamoon attack and these latest attacks, the “likely” nation-state actor has grown in cyberoffensive capacity and skills, McAfee warned. This also means that there are now more malicious adversaries who know these tactics and are capable of using these sophisticated tools.
“There is no indication that the attackers will not come back again, and, as this latest Shamoon ‘reboot’ has shown, they will come back bigger and stronger again, and again,” Beek and Samani warned.