Shamoon malware strikes oil industry once again

A new variation on the Shamoon malware has been revealed after the upload of the virus to VirusTotal after an outbreak apparently brought down around ten percent of oil services contractor Saipem’s PC network.

Saipem is an Italian firm specializing in providing services such as drilling and pipeline maintenance to the oil industry, and confirmed the outbreak last week in a press release, stating:

“Saipem informs that today a cyber-attack on its servers has promptly been identified […] We are […] in the process of notifying the report of the incident to the competent Authorities.”

The company’s facilities were affected in the Middle East, Aberdeen (UK) and Italy. Also in the Middle East, a heavy-engineering company in the UAE was hit on December 10, according to cybersecurity specialist Symantec. The Dubai Electronic Security Center (DESC) has put out a warning about the malware this week.

New variant of Shamoon #Wiper has surfaced, 80 percent equal to v1 and 28 percent equal to v2. Detecion in place by most vendors. One of the hashes: 001d216ee755f0bc96125892e2fb3e3a – historical comparison attached. #DFIR #Malware pic.twitter.com/Feo6wheb08

— Christiaan Beek (@ChristiaanBeek) December 11, 2018

Shamoon is a highly dangerous example of malware, which can either wipe data or as in this latest outbreak, replace data en situ with random strings. In 2012 and 2016, Saudi Aramco, Saudi Arabia’s largest oil company was hit by Shamoon, with over 30,000 computers’ contents corrupted.

In those cases, files were replaced with propaganda showing burning US flags amongst other incendiary media, with the source of Shamoon thought to be Iran— an unproven theory based on the etymology of the name.

According to ZDNet, Saipem’s IT staff is looking at RDP as a possible entry point for the outbreak, as the malware in this current guise lacks the ability to spread itself via SMB– the previous instances’ chosen method. Instead, the pattern of spread seems to be an active presence that has gained access to the LAN (thus the finger of suspicion pointing at RDP) and is spreading the virus manually.

ZDNet notes that the ‘trigger date’ of the malware is set to be in the past, which also points to a node-by-node infection pattern, rather than a timed and automated attack.

Head of applied intelligence at Chronicle (an Alphabet company) Bradon Levine told Forbes: “Due to the rarity of the malware and its niche use case, it’s highly likely the malware samples […] were built by the actors that originally developed it in 2012. It isn’t likely to be shared.”

Saipem is Saudi Aramco’s largest foreign contractor, a fact that further binds the malware with its previous history and apparent intentions.