The prolific Shamoon disk-wiping malware has reportedly resurfaced, targeting several Saudi organisations in recent attacks. The malware's updated 2.0 version has made a comeback, launching targeted attacks against the Saudi labour ministry and a chemicals company, according to reports.
The Saudi telecoms authority issued an alert, cautioning all parties to be vigilant against potential cyberattacks leveraging the Shamoon 2.0 malware, which crippled thousands of computer systems belonging to Saudi oil giant Aramco in 2012, the Saudi Gazette reported.
The Saudi labour ministry confirmed that it was hit by a cyberattack, adding that it did not affect its data. The ministry said its Human Resource Development Fund had also been hit but there was little impact.
Jubail-based Sadara Chemical Co also confirmed that it experienced a temporary network disruption. The joint venture firm owned by Saudi Aramco and US firm Dow Chemical made the disclosure public about the network disruption, taking to Twitter and adding that it was working to resolve the matter. However, the firm's statement makes no suggestion that a cyberattack caused the network disruption. The firm clarified that it has halted all network-related services "as a precaution".
According to unspecified sources, other firms in Jubail also experienced network disruptions, Reuters reported. The affected firms allegedly shut down network operations in efforts to protect themselves from further damage caused by the Shamoon malware.
In November 2016, Saudi organisations were targeted by Shamoon as part of a renewed cyberespionage campaign. Security researchers believe that the 2012 Shamoon cyberattacks were likely linked to Iranian state-sponsored hackers. According to security firm CrowdStrike's VP Adam Meyers, the recent attacks were also likely launched by the same hackers. "It's likely they will continue," he added.
In December 2016, Saudi Arabia's central bank and aviation authority were also hit by the disk-wiping malware. Although the Saudi central bank claimed that the attack had not been successful in breaching systems, the aviation authority claimed hackers leveraged Shamoon in a "planned" campaign to wipe out "critical data and bringing operations there to a halt for several days".
According to researchers at Palo Alto Networks, the recent Shamoon attacks revealed a new variation involving the malware using "hardcoded account credentials specific to the newly targeted organisation".
The researchers believe that the attackers may have gained access to user credentials in previous attacks and leveraged them in new attacks.
The researchers said: "We analysed a second Disttrack payload associated with Shamoon 2, which suggests that the threat actors targeted a second Saudi Arabian organisation in this attack campaign. The actors used the Disttrack payload to spread to other systems on the local network using legitimate credentials. The legitimate credentials were specific to the targeted organisation and were complex enough to suggest that the threat actors carried out a previous attack to obtain the credentials."
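The spreading behaviour described above, a single set of legitimate credentials used from one machine to reach many hosts on the local network in quick succession, is something a defender can look for in authentication telemetry. The following is an added detection example, not code from Palo Alto Networks or from the Disttrack analysis: it parses a small constructed set of network-logon records (timestamp, destination host, account, source host, logon type; the hosts and account names are invented) and flags any account that reaches an unusual number of distinct destinations from the same source within a short window. The window and host-count thresholds are assumptions to be tuned against an environment's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. One record per line:
# timestamp,dest_host,account,src_host,logon_type
# The first five lines model one account fanning out to five hosts in 15 seconds;
# the remaining lines model ordinary interactive use.
SAMPLE_LOGONS = """\
2017-01-23T10:00:05,FS01,CORP\\svc_backup,WS-117,3
2017-01-23T10:00:09,FS02,CORP\\svc_backup,WS-117,3
2017-01-23T10:00:12,DB01,CORP\\svc_backup,WS-117,3
2017-01-23T10:00:15,APP03,CORP\\svc_backup,WS-117,3
2017-01-23T10:00:20,HR-WS22,CORP\\svc_backup,WS-117,3
2017-01-23T10:00:31,FS01,CORP\\alice,WS-042,3
2017-01-23T10:30:00,FS02,CORP\\alice,WS-042,3
2017-01-23T11:15:00,FS01,CORP\\bob,WS-009,3
"""


def parse_logons(text):
    """Parse the constructed CSV-style records into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dest, account, src, logon_type = line.split(",")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "dest": dest,
            "account": account,
            "src": src,
            "logon_type": int(logon_type),
        })
    return events


def find_fan_out(events, window=timedelta(minutes=5), min_hosts=4):
    """Return {account: (src_host, [dest hosts])} for every account that reaches
    at least `min_hosts` distinct destinations from a single source host within
    `window`. Only network logons (type 3, the kind produced by SMB-style access
    to remote shares and admin services) are considered, since that is the path
    credential-driven lateral spread uses; thresholds are illustrative."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["logon_type"] == 3:
            by_account[e["account"]].append(e)

    hits = {}
    for account, evs in by_account.items():
        # Slide a window starting at each event; stop at the first match.
        for i, start in enumerate(evs):
            dests = set()
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                if e["src"] == start["src"]:
                    dests.add(e["dest"])
            if len(dests) >= min_hosts:
                hits[account] = (start["src"], sorted(dests))
                break
    return hits


if __name__ == "__main__":
    for account, (src, dests) in find_fan_out(parse_logons(SAMPLE_LOGONS)).items():
        print(f"fan-out from {src} by {account}: {len(dests)} hosts -> {', '.join(dests)}")
```

Run against the constructed sample, only the service account that touched five hosts from one workstation in under a minute is reported; the two users who each reach a couple of file servers over a longer span are not. In practice the same logic runs over Windows Security event 4624 records (or their SIEM equivalents), and a hit is a prompt to check whether that account has any legitimate reason to authenticate to that many machines from that source.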