Shamoon attackers with their Disttrack wiper malware have hit Saudi Arabian entities again.
The Saudi government confirmed the latest breaches on Thursday, and for now the identity of only one target has been revealed: the country’s General Authority of Civil Aviation (GACA), which is the national institution in charge of aviation and related matters, as well as the operator of four international and 23 domestic airports within the country.
The GACA has issued a statement regarding the attacks, saying that “because of the security measures that has been taken to protect civil aviation systems, none of the air navigational system, or any major networks in any of our airports, this include our human resources, and financial system, or aviation permits and security badge systems and other airport support and operation businesses was effected.”
GACA’s official website was also never effected, but some of its employees’ desktop PCs have been affected. They have been isolated from the main network. Saudi’s National Center for Cyber Security is helping with the investigation.
Previous Shamoon attacks
The Shamoon attackers hit Saudi Aramco, the national oil company of Saudi Arabia, in August 2012, wiping a large number of systems, including the company’s web and mail servers and their headquarters’ network’s domain controller. A hacker group dubbed Cutting Sword of Justice took credit for the breach.
Then came the attack on Ras Laffan Liquefied Natural Gas Company (“RasGas”), which affected the company’s office systems and website.
The latest attacks, and who’s behind them
Symantec and Palo Alto Networks researchers revealed the attacks against Saudi Arabian entities before the country confirmed them.
Analyses of the malware confirmed that the Disttrack wiper was used, and that this latest variant is “largely unchanged” from the variant used four years ago.
“It appears the purpose of the new Disttrack samples were solely focused on destruction, as the samples were configured with a non-operational C2 server to report to and were set to begin wiping data exactly on 2016/11/17 20:45,” Palo Alto Networks researchers noted.
“In another similarity to Shamoon, this is the end of the work week in Saudi Arabia (their work week is from Sunday to Thursdays), so the malware had potentially the entire weekend to spread. The Shamoon attacks took place on Lailat al Qadr, the holiest night of the year for Muslims; another time the attackers could be reasonably certain employees would not be at work.”
The Disttrack malware uses a commercial kernel driver – RawDisk by EldoS Corporation – to allow the wiper component to begin writing to protected system locations (e.g. the master boot record) and partition tables of storage volumes.
In these latest attacks, the hard disks were overwritten with the well-known photo of Alan Kurdi, a Syrian boy that drowned last year while trying to reach Europe with his family.
“From a functionality standpoint, the wiper relies on EldoS’ RawDisk driver to overwrite files on the system. During this activity, we noticed the wiper changing the system time to August 2012, as the temporary license key for the RawDisk driver requires the system time to not exceed the month of August, which is when the temporary license would expire. This modification to the system time was seen in the previous campaign, and the temporary license key within the wiper component is the exact same as wiper component from the 2012 attacks,” the researchers added.
Like in previous attacks, the malware was configured with legitimate administrator credentials. “The internal domain and credentials appear to be stolen prior to the creation of this tool, as it is not a public domain and the credentials are not weak enough to have obtained through guessing, brute force or dictionary attacks,” they concluded.
It is widely believe that the initial attacks were the work of Iranian hackers, so these latest attacks carry with them the same assumption, but there is currently no proof to definitely point the finger in that direction. And, as all should know by now, attribution of cyber attacks is notoriously difficult, as attackers can easily plant fake evidence and muddy the waters (so to speak).
As an interesting side note: Cisco’s Talos research team has recently open sourced MBRFilter, a tool that aims to prevent a system’s Master Boot Record (MBR) getting overwritten by malware. The tool was created as a response to a variety of ransomware that has this capability, but could also be used to thwart the Disttrack wiper.