Shamoon Malware and SCADA Security – What are the Impacts?
Ed. Note: This is a significant update to an article first published on Sept 25, 2012. The original article is available as a download in Related Links.
The most destructive post-Stuxnet discovery among advanced threats is a piece of malware known as Shamoon. Like Stuxnet, Duqu and Flame it struck targets in the Middle East, this time energy companies: Saudi Aramco, Qatar’s RasGas and likely other oil and gas concerns in the region. It is a new species, however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal business information as Flame and Duqu did. Instead it erased and overwrote the contents of the hard drives of 30,000 to 55,000 (yes, those numbers are correct!) Saudi Aramco workstations (and who knows how many more at other firms).
Nothing this damaging has been seen in a while. As a Kaspersky Lab expert commented “Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”
What does Shamoon mean for SCADA and ICS security? Hold that thought for a few paragraphs.
Saudi Aramco’s headquarters complex. This is one of the sites where workstation hard drives were wiped clean by the Shamoon virus. Photo: Wikipedia
What is Shamoon?
First publicized on August 16, 2012 by Symantec, Kaspersky Lab and Seculert, Shamoon was reportedly introduced into Saudi Aramco by a disgruntled insider who had full access to the system. It took control of one Internet-connected computer and used that computer to communicate back to an external command-and-control server on behalf of the other Windows computers it infected, which were not Internet-connected. A collection of compromised computers under the control of a single individual or group in this way is what is called a “botnet”.
The name Shamoon comes from a folder name in a path string embedded in the malware executable.
While the significance of the word “Shamoon” is not known, it is speculated that it is the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.
Symantec describes Shamoon as having three components:
1. Dropper – the main component and source of the original infection. It drops components 2 and 3 onto the infected computer, copies itself to network shares, executes itself and creates a service so that it starts whenever Windows starts.
2. Wiper – the destructive module. It compiles a list of files from specific locations on the infected computer, erases them, and sends information about the files back to the attacker. The erased files are overwritten with corrupted JPEG data, “obstructing any potential file recovery by the victim”1.
3. Reporter – this module sends infection information back to the attacker’s central computer.
While all of this sounds sophisticated, expert analysis (Kaspersky Lab) concluded, on the basis of a number of errors found in the code, that the developers of Shamoon are “skilled amateurs”. They are not in the same league as the sophisticated coders of Stuxnet and Flame.
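The wiper behaviour described above, files overwritten in place with fragments of a JPEG image, leaves a signature that a responder can look for on a disk image or a mounted volume. The following triage script is an added example written for this article, not code from Symantec, Kaspersky Lab or the Shamoon sample itself. It assumes only what the analyses above state: that victim files are overwritten with corrupted JPEG data, so a document whose first bytes are the JPEG start-of-image marker (FF D8 FF) has probably been wiped, and that many wiped files will share identical content because one image buffer is reused for every victim. The directory tree it scans is constructed inside the script.

```python
"""
Added example (not from the article, Symantec, Kaspersky Lab or the
Shamoon sample): forensic triage for files overwritten with JPEG data.

Two signals:
  * a non-image file whose first bytes are the JPEG start-of-image marker
  * many such files sharing byte-identical content (one reused buffer)
"""
import hashlib
import os
import tempfile
from collections import defaultdict

JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image marker
IMAGE_EXTS = {".jpg", ".jpeg"}    # JPEG content is legitimate here


def looks_overwritten(path):
    """True if a file that should not be an image begins with a JPEG header."""
    ext = os.path.splitext(path)[1].lower()
    if ext in IMAGE_EXTS:
        return False
    with open(path, "rb") as f:
        return f.read(len(JPEG_SOI)) == JPEG_SOI


def triage(root):
    """Walk root and return (suspect_paths, clusters).

    clusters maps a SHA-256 of file content to the suspect files sharing
    that content; a large cluster is the wiper's fingerprint."""
    suspects = []
    clusters = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not looks_overwritten(path):
                continue
            suspects.append(path)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            clusters[digest].append(path)
    return sorted(suspects), dict(clusters)


def build_sample_tree():
    """Constructed sample data (hypothetical file names): three 'wiped'
    documents sharing one truncated JPEG, an intact spreadsheet and a
    real photo that must not be flagged."""
    root = tempfile.mkdtemp(prefix="wiper_triage_")
    fragment = JPEG_SOI + b"\xe0\x00\x10JFIF" + b"\x00" * 64  # truncated JPEG
    for name in ("report.docx", "budget.xlsx", "notes.txt"):
        with open(os.path.join(root, name), "wb") as f:
            f.write(fragment)
    with open(os.path.join(root, "intact.xlsx"), "wb") as f:
        f.write(b"PK\x03\x04" + b"\x00" * 64)  # OOXML files are zip containers
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(fragment)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    suspects, clusters = triage(root)
    print(f"{len(suspects)} suspect file(s) under {root}")
    for digest, paths in clusters.items():
        print(f"  {len(paths)} file(s) share content {digest[:12]}...")
        for p in paths:
            print("   ", os.path.relpath(p, root))
```

Run it against a mounted evidence volume by passing that path to triage(). The content-hash clustering is the part that matters: one photo misnamed as .docx is a curiosity, while hundreds of documents sharing a single JPEG fragment is a wiper. Confirm the overwrite pattern of the actual sample before relying on the header check alone; a wiper that writes random bytes would need an entropy test instead.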
What Damage did Shamoon do?
On August 15, 2012 Saudi Aramco posted on its Facebook page that
“…the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network. The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network."
One press account added:
"Shamoon [the virus] spread through the company's network and wiped computers' hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations."
Writing for CIO.com, von Hoffman was more skeptical:
“You don’t destroy 30,000 workstations without causing a vast amount of damage. It might be possible that the attack didn’t directly hit oil production or harm the flow of oil out of the ground. No one I’ve spoken to has suggested it did, but it’s clear that if the company's statement is true then Aramco used a very strict reading of the phrase ‘oil production.’”
Mr. von Hoffman went on to question Saudi Aramco’s statement that all damage had been repaired by August 26th. He also wondered how, in an era when oil and gas projects are dominated by joint ventures, other energy companies’ computers could have escaped damage from Shamoon.
Indeed, U.S. Defense Secretary Leon Panetta recently described Shamoon as the most destructive attack the business sector has seen to date and a “significant escalation of the cyber threat.”
Jim Lewis, a computer expert at the Center for Strategic and International Studies (CSIS) in Washington added “There is a really significant dollar cost to this attack. The computers were out for as much as a week and had to be replaced.”
Saudi Aramco’s Uthmaniyah gas plant, like the company’s other production sites, was apparently unaffected by the Shamoon malware. Photo courtesy of: Saudi Aramco.
Who Created Shamoon? Why did they do it?
It has since been reported that the attack was initiated by a disgruntled insider, an Aramco employee (“an extraordinary development in a country where open dissent is banned”), who may have been working with the Iranian government.
Bloomberg attributes the attack to a single perpetrator who lacked the skills to write advanced code or to attack the company’s oil production sites. Its view rests on forensic analysis of the code, which does not show the advanced elements that typically point to a nation-state perpetrator. The motive is believed to stem from the grievances of the disenfranchised Shiite minority in Saudi Arabia’s Eastern Province.
However, ISSSource describes how “Iran’s Cyber Army” has built up its capability over time and attributes the attack to Iran working with an insider. It also puts forward two theories about why Iran might have instigated it.
One theory is that the attacks were motivated by “deep wrath” at the Saudi government because of:
a. The mistreatment of the Shiites by Saudi Aramco.
b. The Saudi government’s assistance to Sunni factions in Syria and Bahrain.
The other theory is that the attacks are retaliatory measures against the U.S. for:
a. Stuxnet, the U.S.-Israeli-backed malware that disrupted Iran’s nuclear enrichment program, and
b. Payback for the severe U.S.-imposed sanctions that have sent the Iranian economy into a tailspin.
What does Shamoon have to do with SCADA and ICS Security?
Shamoon was a destroyer of data on workstations of energy companies in the Arabian Gulf. There is no evidence that it had any impact on SCADA or ICS systems.
What does it mean for automation professionals? The good news is that, like Stuxnet, Flame and Duqu, Shamoon was highly targeted. The bad news is that it is another indicator that industry, and the energy industry in particular, is now a target.
Therefore, if you want to act now to prevent damage on the scale Saudi Aramco experienced in this attack, see the list of mitigations put forward by US-CERT.
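The dropper’s pattern described earlier, a binary pushed to peers over network shares and then registered as a service on each host, shows up in ordinary Windows event logs before the wiper ever fires. The detection logic below is an added example written for this article, not part of the US-CERT mitigations or of any vendor product. It assumes Windows event IDs 7045 (a new service was installed, System log) and 5145 (a network share object was checked for access, Security log with file-share auditing enabled), fed in as a constructed, normalised list of records; the host names, the service name UpdateSvc and the image paths in the sample are hypothetical.

```python
"""
Added example (not from the article, US-CERT or any product): flag a
service that appears on many hosts within a short window, and name the
host that wrote to an administrative share on each victim just before.

Input format is a constructed normalisation of two Windows events:
  7045  System log, "a service was installed in the system"
  5145  Security log, network share object access check (needs the
        Detailed File Share audit subcategory enabled)
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = ("ADMIN$", "C$")   # writes here are how a dropper lands on a peer

# Constructed sample feed: (timestamp, event_id, host, fields).
# Host names, the service "UpdateSvc" and all image paths are hypothetical.
SAMPLE_EVENTS = [
    ("2012-08-15 11:02:10", 5145, "WS-0101", {"source": "WS-0042", "share": "ADMIN$", "access": "WriteData"}),
    ("2012-08-15 11:02:12", 7045, "WS-0101", {"service": "UpdateSvc", "image": r"C:\Windows\System32\upd.exe"}),
    ("2012-08-15 11:02:40", 5145, "WS-0102", {"source": "WS-0042", "share": "ADMIN$", "access": "WriteData"}),
    ("2012-08-15 11:02:43", 7045, "WS-0102", {"service": "UpdateSvc", "image": r"C:\Windows\System32\upd.exe"}),
    ("2012-08-15 11:03:05", 5145, "WS-0103", {"source": "WS-0101", "share": "C$", "access": "WriteData"}),
    ("2012-08-15 11:03:09", 7045, "WS-0103", {"service": "UpdateSvc", "image": r"C:\Windows\System32\upd.exe"}),
    ("2012-08-15 11:03:50", 7045, "WS-0104", {"service": "UpdateSvc", "image": r"C:\Windows\System32\upd.exe"}),
    ("2012-08-15 11:03:51", 5145, "WS-0104", {"source": "WS-0200", "share": "Public", "access": "ReadData"}),
    ("2012-08-15 09:30:00", 7045, "WS-0077", {"service": "VendorAgent", "image": r"C:\Program Files\Vendor\agent.exe"}),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def mass_service_installs(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {service: {host: first_install_time}} for every service that
    was installed on at least min_hosts distinct hosts inside one window."""
    first_seen = defaultdict(dict)
    for ts, eid, host, f in events:
        if eid == 7045:
            t = _ts(ts)
            svc = f["service"]
            if host not in first_seen[svc] or t < first_seen[svc][host]:
                first_seen[svc][host] = t
    flagged = {}
    for svc, hosts in first_seen.items():
        ordered = sorted(hosts.items(), key=lambda kv: kv[1])
        hit = set()
        for i in range(len(ordered)):          # sliding window over install times
            j = i
            while j < len(ordered) and ordered[j][1] - ordered[i][1] <= window:
                j += 1
            if j - i >= min_hosts:
                hit.update(h for h, _ in ordered[i:j])
        if hit:
            flagged[svc] = {h: hosts[h] for h in hit}
    return flagged


def admin_share_writers(events, host, before, lookback=timedelta(minutes=5)):
    """Hosts that wrote to an administrative share on `host` within
    `lookback` before `before` (the service install time)."""
    writers = set()
    for ts, eid, h, f in events:
        if eid != 5145 or h != host:
            continue
        t = _ts(ts)
        if before - lookback <= t <= before and f["share"] in ADMIN_SHARES and "Write" in f["access"]:
            writers.add(f["source"])
    return writers


def report(events, **kw):
    """One entry per flagged service: victim hosts and who pushed to each."""
    out = []
    for svc, hosts in mass_service_installs(events, **kw).items():
        out.append({
            "service": svc,
            "hosts": sorted(hosts),
            "pushed_from": {h: sorted(admin_share_writers(events, h, t)) for h, t in hosts.items()},
        })
    return out


if __name__ == "__main__":
    for r in report(SAMPLE_EVENTS):
        print(f"service {r['service']!r} installed on {len(r['hosts'])} hosts: {', '.join(r['hosts'])}")
        for h, srcs in r["pushed_from"].items():
            print(f"  {h}: binary pushed from {srcs or 'unknown'}")
```

The service name is deliberately not matched against a signature, because a copycat will pick a different one; the signal is the same service appearing on several hosts inside one window, enriched with which host wrote to ADMIN$ or C$ just before each install (in the sample, WS-0103 was seeded from an earlier victim, which is the second hop of a worm). Event ID 5145 is only produced when the Detailed File Share audit subcategory is on, which is off by default, so enable it before an incident rather than after.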
Also, update your risk assessments. Of particular concern is that this attack lowers the bar for effective disruption of a business. One or more people with skills only slightly better than an amateur’s, and a relatively low level of effort, were able to penetrate a well-protected network (albeit with insider access) and destroy massive amounts of data. They did so at a scale and speed that is unprecedented.
Imagine the damage that could be done if a group with an axe to grind against your organization launched a similar attack against you. The success of Shamoon is sure to attract copycats. This rouses the kind of fear we feel when we think of terrorists getting their hands on nuclear weapons: no rules of engagement apply!
Call it “cyber warfare” or “cyber hype”, the bottom line is that the information/networked world is facing increased threats and SCADA and ICS systems are part of that world.
What are your thoughts on Shamoon? Does its discovery impact your security strategy?
Related Content to Download
Presentation - "Unicorns and Air Gaps - Do They Really Exist?"
• Securelist.com, Blog: Shamoon the Wiper Copycats at Work
• Symantec Blog: The Shamoon Attacks
• NYTimes.com, Webpage: Saudi Oil Producer’s Computers Restored After Virus Attack
• Nationalpost.com, Webpage: Insiders suspected in massive Shamoon virus cyber-attack that wiped 30K Saudi oil company computers
• Securelist.com, Blog: Shamoon The Wiper: further details (Part II)
• CIO.com, Webpage: 'Shamoon' Virus That Devastated Saudi Oil Co. Likely to Have Done More Damage
• Huffingtonpost.com, Webpage: 'Shamoon' Virus Most Destructive Ever to Hit a Business, Leon Panetta Warns
© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand