Kill timer found in Shamoon malware suggests possible connection to Saudi Aramco attack

Shamoon's disk-wiping functionality was set to activate at the exact time when hackers claim to have attacked Saudi Aramco

A timer found in the Shamoon cyber-sabotage malware discovered last week matches the exact time and date when a hacktivist group claims to have disabled thousands of computers from the network of Saudi Aramco, the national oil company of Saudi Arabia.

"We penetrated a system of Aramco company by using the hacked systems in several countries and then sent a malicious virus to destroy thirty thousand computers networked in this company," a group called the "Cutting Sword of Justice" said in a Pastebin post on Aug. 15. "The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 AM (Local time in Saudi Arabia) and will be completed within a few hours."

That same day, Saudi Aramco confirmed that some sectors of its computer network were affected by a computer virus that infected workstations used by its employees. However, the incident did not impact the oil production operations in any way, Aramco said at the time.

The news was followed by announcements from several antivirus vendors including Symantec, McAfee and Kaspersky Lab about the discovery of a new destructive piece of malware called Shamoon or Disttrack.

Shamoon contains a so-called wiper module designed to overwrite files in certain directories and the hard disk drive's Master Boot Record (MBR), the first sector of the disk, which holds the partition table and the bootstrap code. Overwriting the MBR leaves the machine unable to boot even if most of the file system is intact.

Given the similarities between Shamoon's functionality and the hacktivist group's description of the Aramco attack, there is speculation that the malware might be responsible for the Saudi Arabian company's recent computer problems.

Other details point in the same direction: Symantec stated that the malware was used in a targeted attack against an unnamed organization in the energy sector, and a path string embedded in the malware includes a directory called "ArabianGulf."

However, the most convincing piece of evidence found so far is a kill timer: a hardcoded date that gates the malware's file and MBR wiping functionality.

"The dropper determines whether a specified date has come or not," Kaspersky Lab researcher Dmitry Tarakanov said Tuesday in a blog post. "The hardcoded date is 15th August 2012 08:08 UTC."

This coincides with the exact time and date at which the "Cutting Sword of Justice" hackers claimed the so-called destruction of Aramco computers began: Wednesday, Aug 15, 2012, at 11:08 a.m. local time in Saudi Arabia (UTC+3:00), which is 08:08 UTC.
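The date gate described above is easy to model, and modelling it shows two things a practitioner cares about: how a claimed local time is correlated with a hardcoded UTC trigger, and why a time-bombed sample looks dormant in a sandbox whose clock has not reached the trigger date. The following is an added example written for this article; it is not Kaspersky's analysis code or any part of Shamoon, and the function names, the UTC+3 offset and the constructed clock values are assumptions for illustration only. The trigger time itself is the one quoted from the Kaspersky post.

```python
from datetime import datetime, timedelta, timezone

# Hardcoded trigger quoted in the article: 15 August 2012, 08:08 UTC.
TRIGGER_UTC = datetime(2012, 8, 15, 8, 8, tzinfo=timezone.utc)

# Assumed offset for Saudi Arabia (Arabia Standard Time, UTC+3, no DST).
SAUDI_TZ = timezone(timedelta(hours=3), name="AST")


def trigger_fires(now_utc: datetime) -> bool:
    """Model of the dropper's date gate: the wiper stage is armed only
    once the system clock reaches or passes the hardcoded date."""
    return now_utc >= TRIGGER_UTC


def local_trigger_time(tz: timezone) -> datetime:
    """Express the hardcoded UTC trigger in a local zone for correlation
    with a claim phrased in local time (e.g. a Pastebin post)."""
    return TRIGGER_UTC.astimezone(tz)


def matches_claim(claimed_local: datetime,
                  tolerance: timedelta = timedelta(0)) -> bool:
    """True if a timezone-aware claimed start time equals the trigger
    within `tolerance` (zero here, because the match is exact)."""
    delta = abs(claimed_local.astimezone(timezone.utc) - TRIGGER_UTC)
    return delta <= tolerance


def sandbox_observation(run_clock_utc: datetime) -> str:
    """What a dynamic-analysis run would see for a given sandbox clock.
    A run before the trigger date never reaches the wiper code path."""
    if trigger_fires(run_clock_utc):
        return "wiper executes"
    return "dormant: no file or MBR writes observed"


if __name__ == "__main__":
    # Constructed claim: the Pastebin post's "11:08 AM local time, Aug 15 2012".
    claimed = datetime(2012, 8, 15, 11, 8, tzinfo=SAUDI_TZ)
    print("trigger in Saudi local time:", local_trigger_time(SAUDI_TZ))
    print("claim matches hardcoded trigger:", matches_claim(claimed))

    # Constructed sandbox clocks: the day before, the trigger minute, a day later.
    for clock in (datetime(2012, 8, 14, 12, 0, tzinfo=timezone.utc),
                  TRIGGER_UTC,
                  datetime(2012, 8, 16, 12, 0, tzinfo=timezone.utc)):
        print(clock.isoformat(), "->", sandbox_observation(clock))
```

The practical consequence is the last loop: a sample detonated on Aug. 14 shows no destructive behaviour at all, so analysts triaging a suspected time bomb should run it with the clock advanced past any hardcoded date found in the binary, and should treat "nothing happened" in a sandbox as inconclusive until they have done so.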

"This is only one indication that the events could possibly be related, and that's only if the Pastebin posting is legitimate," Kaspersky Lab chief security expert Alexander Gostev said Thursday via email. "At this time there is not enough concrete evidence to connect the two events."

Other details don't match up. For example, an internal network IP address found in the Shamoon samples analyzed by antivirus vendors does not appear in the list of Aramco internal IP addresses released in a separate Pastebin post by the hackers on Aug. 17.

"This might mean that those samples are part of an attack on a different entity," Aviv Raff, the chief technology officer at security firm Seculert, said Thursday via email. "Or, this is indeed part of the attack against Aramco, but the attackers decided not to share this IP address in the pastes."

In yet another Pastebin post published Wednesday, possibly by the same hackers, they threaten to attack Aramco a second time on Aug. 25 at 21:00 GMT, Raff said.

In its original announcement, the "Cutting Sword of Justice" hacktivist group said that it targeted Aramco because it is the main financial source for Saudi Arabia's Al Saud regime, which the group claims supported oppressive government actions in countries like Syria, Bahrain, Yemen, Lebanon or Egypt.

However, not everyone is convinced by its alleged anti-government-oppression agenda. "I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production to compensate for Iran's decrease in oil deliveries due to sanctions imposed on it by the U.S. and European Union," cybersecurity expert and analyst Jeffrey Carr said Tuesday in a blog post.

"Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past during Operation Cast Lead (Ashianeh Security Group)," Carr said. "Other well-known and highly skilled Iranian hackers include the Iranian Cyber Army and ComodoHacker."

"During our analysis of the Shamoon malware we noticed an error in the data comparison routine," Kaspersky's Gostev said. "In our experience, such programming errors are not commonly found in sophisticated cyber-weapons; however, we currently do not have enough tangible evidence to determine what type of threat actors or groups were behind Shamoon."

Back in April, computers at Iran's oil ministry were also attacked using a piece of malware with data-wiping functionality. That malware has never been identified, but Kaspersky Lab researchers concluded last week, based on the known technical details, that Shamoon was most likely not the malware involved in those attacks.

However, Shamoon might be a copycat of the wiper malware used in Iran that was created by hackers inspired by that incident, the Kaspersky researchers said at the time.
