Naming the recent data-wiping attacks in Saudi Arabia as a continuation of the Shamoon campaign suggests that we are dealing with identical malware and procedures. However, there are fundamental differences between the campaigns of 2012 and 2016‒17, and these differences provide a fascinating insight into the development process of the attackers.
When we look at this campaign from a high level (preceding image) and at the shared characteristics (in red), we find quite a lot in common. Let’s examine in more detail:
When we look more closely into the phases of the cyberattack “kill chain,” and their modus operandi, we see differences that lead to more questions, as well as interesting findings.
In the reconnaissance phase of the 2012 attacks, the adversaries used scanning tools and a pirated copy of penetration-testing software Acunetix Security Scanner to find possible vulnerabilities on the victims’ outward-facing servers. An example of this scanning follows in an excerpt from an intrusion detection system log:
After finding a possible exploit, the adversaries uploaded web shells to gain remote access and used the web shells’ functionality to harvest usernames and credentials.
In analyzing attacks, we look at the capabilities and skills actors use. In examining how well an adversary knows its target and infrastructure, we classify this type of noisy scanning and hoping for an exploit as novice behavior. The attacker is hoping for a lucky shot instead of gathering detailed information during the reconnaissance phase.
In the 2016 attack, the reconnaissance phase consisted of spear-phishing attacks, with well-prepared spoofed domains and documents falsified as from certain trustworthy corporate and public-sector organizations. These documents were weaponized with malicious macros to download and execute a variety of backdoor threats. From 2012 we know publicly of two major attacks on victims in the petrochemical industry. In 2016‒17 the attacks were focused on multiple sectors including public, petrochemical, finance but were intended to disrupt a single country: Saudi Arabia.
Once the adversaries gathered the credentials needed to weaponize the wiper malware component, they generally used accounts that would give the right amount of privileges to spread the malware as far as possible through the network. One interesting difference was that in the 2012 case that attackers also inserted default credentials of industrial control systems (ICS) equipment. Clearly the attack was aimed not only at the victims’ office networks but also attempted to disrupt the ICS environments.
In both cases, when the hardcoded date was reached, the wiper started to erase the disks. In 2012 the wiped machines reported to an internal control server that the destruction was a success. In the 2016 Shamoon samples, we found a control server component but to our knowledge it was not used to track the status of destruction.
In one URL parameter (also mentioned by our peers in the industry analyzing this campaign) we find an interesting word:
The word shinu can be translated to “what?” in Persian Gulf Arabic slang or “listen” in Farsi.
Until now we have compared the 2012 and 2016‒17 attacks. During our investigation and those by our peers in the industry, we have discovered many relations to other campaigns that used the same domains, whois registrants, or code. One of the examples we found was the reuse of code and exploits used in an attack by the Rocket Kitten group in spring 2016 and its reappearance in the 2016 Shamoon attacks.
A code excerpt from a macro used by Rocket Kitten since spring 2016:
A code excerpt from a macro used in a spear-phishing attack by Shamoon in 2016:
Our peers mentioned some other artifacts that referred to the OilRig campaign, in which Saudi Arabian organizations were targeted using Excel documents that included macros. The macros’ VBS code ran PowerShell and communicated via DNS tunneling.
From an operational security perspective—“How well do the attackers hide details or information about themselves?”—we gave them a low score in both campaigns. Although we saw some manipulation on purpose, for example, the resource language in the 2016 wiper was Yemeni Arabic (likely a reference to the political conflict in the region), and the “wiping picture” accompanied by a photo of the dead Syrian boy on the beach. Still plenty of information was left behind, for example, the reuse of infrastructure and code as well as program database paths in the malware that normally would be removed.
From a risk-analysis perspective, we would give the 2012 adversaries a certain score based on factors such as stealth, operations security, precision, and other factors. If we were to do the same for the 2016‒2017 attacks, we would award a higher score. For example, the attack precision increased due to using spear phishing with payloads instead of using noisy scanning and web shells. Also, the time of persistence in the networks increased compared with that of the 2012 attacks.
Due to the large scale of the attack in 2016‒2017, we saw mistakes in maintaining operational security. We strongly believe that this was caused by the involvement of different groups/individuals with different skills, whereas in 2012 we believe one group was responsible for the attack.
With five years between the attacks, we have likely seen a nation-state actor grow in cyber-offensive capacity and skills. Where once pirated software was used for vulnerability scanning, which can be easily detected by intrusion detection or prevention systems, we now find targeted spear phishing with weaponized documents. And instead of batch scripts, the use of PowerShell scripts and DNS tunneling demonstrates a major increase in the attackers’ expertise.
Note: We wish to acknowledge the efforts of McAfee’s Advanced Programs Group for that team’s extensive contributions to the actor and adversary part of this research.