McAfee: Wave of Shamoon cyberattacks coordinated by a single group


The waves of cyberattacks that have rocked Saudi Arabia over the past few months are linked to the earlier Shamoon attacks. However, the initial 2012 attack was the work of a single group, whereas the latest attacks have been carried out by different groups of varying skills and expertise, all following instructions provided by one malicious actor, McAfee researchers have found.

According to McAfee principal engineer Christiaan Beek and McAfee chief scientist Raj Samani, researchers at McAfee Strategic Intelligence believe the 2012 Shamoon attacks against Saudi Arabia’s state-run oil company Saudi Aramco and Qatari natural gas company RasGas, the attacks last November against Saudi organizations, and the latest attacks are all the work of hacker groups supported and coordinated by a single actor, not of multiple gangs operating independently.

Though Shamoon has focused on Saudi Arabia, it is important to remember that system-wiping campaigns aren’t unique to the Middle East. Malicious actors can obtain technologies from the black market or contact other groups directly to learn new techniques. Malware and attack capabilities aren’t like guns, where there is a physical limitation on who can possess them. They can be shared, and once a technique is available, it becomes widespread.

The 2016 and 2017 campaigns are much bigger and more sophisticated in execution than the 2012 attack, and they’re causing far more damage, which suggests the attackers have learned new techniques and are collaborating with other groups.