Notorious OT threat Shamoon returned with its third iteration in December, wiping the disks of hundreds of computers in an attack that started at oil giant Saipem.
Shamoon 3: Here’s What Happened
Over the last 7 years, the notoriety of disk-wiping malware “Shamoon” (also known as “Disttrack”) has grown. It has been implicated in three waves of attacks against the enterprise systems of operational technology companies, increasing its scope and geographical reach with each iteration. Its most recent attack was also its most destructive. Following on from incidents in 2012 and 2016/7, the December 10 attack is, for now at least, shrouded in a slight air of mystery, with forensic specialists yet to publicize many of the relevant details surrounding the event. This means that we don’t yet know the identity of the malware’s point of ingress to the first reported victim, oil giant Saipem.
What we do know is that its impact was felt around the world. It removed all data from several hundred Saipem computers across Saudi Arabia, the UAE, Kuwait, India and Scotland, replacing the data with garbage and rendered the systems useless when they rebooted in an unrecoverable state. We also know that the first victim in 2012 was the massive state-owned Saudi Arabian oil company Saudi Aramco; the fact that they are also Saipem’s biggest customer should raise some eyebrows.
How Shamoon Works
All variants of Shamoon to date rely on a hard-coded list of machine names to spread. What this means is that the data threat is tailored to its victim using information obtained beforehand. Inferences drawn from first-wave artifacts have pointed to a successful phishing event in mid-2012 as Shamoon’s gate key to Saudi Aramco.
In all reported cases, an evasive dropper has introduced and decrypted files while installing a Windows service called MaintenaceSrv (whose misspelling has been a boon to detection and attribution over the years). One of those files is the wiper component, which wreaks havoc before issuing a standard”shutdown -r” command to restart the now debilitated machine for the final time.
The Threat is Evolving
Though Shamoon’s basic MO remains constant, its latest variant shows that it’s becoming more malevolent. It has exploited its modularity to plug in a separate program known as Filerase to perform the bulk of the wiping work. This gives it access to disk data at a lower and, therefore, less retrievable level than previously possible with Shamoon’s built-in functionality. All variants also contain a reporting module that sends information about the malware’s progress to the attacker. Although very little has so far been made of its capability as a possible exfiltration vector, it’s worth being aware of.
Combining all the facts leads to the conclusion that there is a purely attritive motive behind the malware, something which is still relatively uncommon in high profile attacks. Additionally, the module that handles Shamoon’s wormlike spread can be activated at will; something that notably didn’t happen in the December attack.
Shamoon has also started targeting a wider range of industries. While it previously confined its reach to oil companies, it has spread through gas, energy, telecom and government organizations.
The Impact of Shamoon 3
The full impact of the December attack on Saipem is still not completely understood. A blog on the firm’s website announced that no data was stolen or lost (all wiped data could be retrieved thanks to backups) and that Saipem doesn’t expect to lose any revenue. But if Shamoon 1 was any indication, even an operation with proper OT/IT segregation in place can suffer by degrading crucial IT and communication systems or making them inoperable for weeks at a time.
Although oil throughput was technically insulated from the hardships felt by Saipem’s IT team, it is still likely that the oil giant was functionally disrupted: its business interface with the outside world was effectively crippled for the duration of the attack and its aftermath.
How to Mitigate Shamoon’s Risk
Because Shamoon renders hard disks completely useless, reactive mitigation is out of the question. However, defense against Shamoon is possible. This is thanks in part to how much consistency there is between the malware’s different versions and also how high profile it has become. These features make it detectable by modern security appliances with up-to-date definitions and rules.
Indeed, a proactive approach to data security per se was undertaken by both of the aforementioned large-scale victims of Shamoon in the form of critical systems having available backups and isolating their production systems. But the attack still made it through. They would have had an additional layer of protection and increased opportunity to secure the attack surface if they had full visibility of their environment. Combine that level of knowledge with full contextual awareness of the threats facing their organization, and they would have been more able to more effectively manage their vulnerabilities.
The moral of this chapter of the Shamoon story? There is a desperate need for organizations with OT components to have defense in depth in order to suitably protect critical resources.
Zero-Day Attack on Russia Prompts OOB Patches – How Microsoft and Adobe scrambled to fix an exploit in Flash Player
MikroTik Routers Infected in Mass-Scale Coinhive Cryptojacking Campaign – Coinhive malware wreaked havoc in August 2018; we explain how and why it spread so quickly