Ongoing Shamoon Malware Attacks Linked to Greenbug Cyber Espionage Group

Symantec researchers say they're investigating links between the Greenbug cyber espionage group and a new series of Shamoon malware attacks in the Middle East.

The malware, first uncovered in 2012 attacking energy companies in Saudi Arabia, overwrites files and the Master Boot Record (MBR) of infected machines, leaving them unrecoverable. It resurfaced in November of last year, again hitting similar targets.

The Symantec researchers note that the malware "required other means to be deployed on targeted organizations' networks and is configured with previously stolen credentials." It's possible, they suggest, that Greenbug may have been responsible for acquiring those credentials.

"Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors," the researchers write. "The group uses a custom information-stealing remote access Trojan (RAT) known as Trojan.Ismdoor as well as a selection of hacking tools to steal sensitive credentials from compromised organizations."

Notably, the Greenbug group, which Symantec says has exclusive access to the Trojan.Ismdoor malware, compromised at least one administrator's computer in a Shamoon-targeted organization's network prior to the Shamoon malware being deployed in that network on November 17, 2016.

Between June and November of 2016, Symantec reports, the Greenbug group used phishing attacks to target organizations involved in aviation, government, investment and education in Saudi Arabia, Iran, Bahrain, Iraq, Qatar, Kuwait and Turkey.

CrowdStrike vice president Adam Meyers told Reuters that the Shamoon attackers appear to be working on behalf of the Iranian government. "It's likely they will continue," he said.

And earlier this week, Reuters reports, Saudi Arabia's telecommunications authority warned companies to be on the alert for Shamoon attacks.

On January 23, the Saudi chemical company Sadara tweeted, "Sadara has experienced a network disruption this morning, and are working to resolve it. Our operations have not been affected." Two days later, the company followed up by tweeting, "Sadara's network disruption was a result of cyber attack experienced by multiple entities in KSA as announced by the regulatory authorities."

Moshe Ben-Simon, co-founder and vice president of TrapX Security, told eSecurity Planet that according to his company's research, Shamoon has destroyed more than 30,000 systems since 2012. "Shamoon and other recent cyber attack tools are, simply put, advanced [forms] of weaponized malware," he said. "Shamoon is part of the larger trend we see for nation states and politically motivated groups to release purpose-specific weaponized malware to stop the ongoing operation of targeted military and government agencies by destroying their IT infrastructure."

"Shamoon, like many other sophisticated weaponized attack tools, has been crafted to hide from discovery and protect itself from standard cyber defense such as sandbox analysis," Ben-Simon added. "New best practices and the technologies that support them, such as the use of deception, are required to detect and observe Shamoon’s lateral movement early in the attack cycle. Once the weaponized Shamoon malware is identified, use your network access control (NAC) to immediately isolate offending endpoints and compromised resources."