In November 2016, we published a blog that drew comparisons between samples that we had received to that of the 2012 ‘Shamoon’ campaign. Since November, there has been a considerable amount of research corroborating our initial assertions, which we have reviewed against our own continuing analysis. We found that the latest Shamoon campaigns are attacking a wider range of organizations, they are connected to other notable campaigns, and the increase in sophistication suggests investment, collaboration and coordination beyond that of a single hacker group, but rather that of the comprehensive operation of a nation-state. This blog, and the technical details (also now published) is a summary of our continued research into the comparison and growth of the attacks from 2012 – 2017.
A wider group of targets
In the original campaign, the targets were predominantly focused on the energy sector within Saudi Arabia. In the current instance, we have evidence that the scope of targeted verticals has widened from energy to the public sector, financial services, and others. Although the scope of targets has widened, all the samples we received targeted organizations in Saudi Arabia.
The approach taken by the attackers was all too familiar: once a target was identified, they used spear phishing email as the initial entry vector. From as far back as September 2016, the attackers sent these emails to individuals within target organizations. The messages contained Microsoft Office files embedded with macros, which facilitated back-door access to the organizations. With the necessary reconnaissance concluded, the actors initiated the weaponization of the attack with the intention of disrupting key organizations across Saudi Arabia:
- Attack Wave 1: Wipe systems on November 17, 2016, at 20:45 Saudi time.
- Attack Wave 2: Wipe systems on November 29, 2016, at 01:30 Saudi time.
- Attack Wave 3: Began January 23, 2017, and ongoing, with similar samples and methods and TTPs as in Waves 1 and 2.
The process of wiping infected systems loaded a different image to the original campaign, but with the same devastating effect. The scale of attack—with multiple waves of attacks—suggests a coordinated effort to disrupt a nation that is new compared to the previous campaign.
Links to other campaigns
The linkage to the previous campaign was based on the fact that much of the code was the same; indeed our assessment concluded that there was a 90% reuse of code from the 2012 attacks. However, our examination of this reuse of code led us to identify code from other attack campaigns. For example, code used in the macros from the latest spear-phishing campaign was seen in attacks conducted by the Rocket Kitten hacking group, and the infrastructure used we identified as that used by the Oil-RIG campaign.
Although the current attackers may have connections with a particular nation-state, our analysis focused on the notable increase in the technical expertise since the 2012 campaign. For example, in 2012, the actors moved quickly in and out of the victim network, inflicting system-wipe damage and then disappearing. In 2016, the actors penetrated networks and established remote control to gather intelligence for future planned wiping attacks.
A broader community of collaborators
Based on these and other key differences, we strongly believe that the 2016-17 campaigns benefitted from the development effort of a much wider community of collaborating hacking groups. The recent attacks demonstrate greater technical expertise, yet the wide-ranging nature of the campaign involved many other actors that did not necessarily have the same level of technical expertise as other participants. Poor Operational Security procedures suggest that some parts of the attacks were executed by less experienced operators. Furthermore, it is true that malware can be designed to contain indicators that attribute their attacks to other actors.
Based on our years of investigation into the Shamoon attacks, we do not believe this misdirection tactic was used in the cases we examined.
Though we can argue about the term sophistication, one thing is clear. This campaign was significantly larger, well-planned, and an intentional attempt to disrupt key organizations and the country of Saudi Arabia.
Attacks on banks in East Asia and on corporations remind us that cyber espionage and system-wiping campaigns are not unique to the Middle East. Rogue state and stateless actors have been known to use similar cyber tools and tactics to achieve military and intelligence objectives they would otherwise be unable to accomplish. Actors such as these have been known to obtain these and other technologies from the black market, if not from each other directly.
To that end, there is no indication that the attackers will not come back again, and, as this latest Shamoon ‘reboot’ has shown, they will come back bigger and stronger again, and again.
Note: We wish to acknowledge the efforts of McAfee’s Advanced Programs Group for that team’s extensive contributions to the actor and adversary part of this research.
For details on this research, please see the McAfee Strategic Intelligence technical blog in Executive Perspectives.