Shamoon disk-wiping malware resurfaces with renewed cyberattacks on Saudi Arabia
. Airport operations, air travel and navigations systems were effectively brought down by the Shamoon malware iStock

The powerful disk-wiping malware Shamoon is back from the dead after four years, with renewed attacks launched at Saudi Arabia. Security researchers have uncovered a new variant of the Shamoon malware, which targeted several major Saudi organisations in a mid-November attack campaign, marking the return of one of the most effective malware strains in the wild.

According to security researchers, the cyberattack appears to be "carefully planned" and successfully targeted thousands of computers at Saudi's General Authority of Civil Aviation headquarters, according to Reuters. Airport operations, air travel and navigations systems were effectively brought down by the Shamoon malware, with operations shut down for days, Bloomberg reported.

Synack director of research Patrick Wardle told IBTimes UK: "The malware was designed to spread to as many computers as possible, then 'destroy' the computer by corrupting an essential part of the computer's software, the master boot record. The malware's end goal was to make as many computers as possible, unbootable, i e basically useless. Note this isn't a hardware attack (the systems could simply be re-installed), and data on the systems could likely still be recovered. Though the malware is rather amateur and not really stealthy at all, it appears to have been effective, thus we can't judge its inelegance too much!"

Shamoon 2012 vs 2016 attack

The malware was first discovered after nearly destroying 35,000 computers at the oil company Saudi Aramco were destroyed by it. The hackers behind the original malware left an image of a burning US flag on corrupted devices in the 2012 attack.

However, according to security researchers, the hackers behind Shamoon 2.0 appear to have altered their calling card, this time, leaving an image of the body of three-year-old Syrian refugee Alan Kurdi, who drowned in 2015, while he and his family attempted to flee to Europe.


Crowdstrike Co-founder and CTO Dmitri Alperovitch speculated that the current geopolitical situation may have sparked the recent Shamoon attacks. He said in a blog: "While the precise motives in this most recent November incident are currently unclear, the attacks coincide with multiple geopolitical events impacting the Gulf countries, as well as recent industry developments within Saudi Arabia itself.

"Previous usage of Shamoon against Gulf Cooperation Council (GCC) targets is believed to have been driven by Iranian intelligence requirements stemming, at least in part, from international sanctions activities impacting the country's economy. The November 2016 incidents came ahead of the 171st meeting of the of the Organization of the Petroleum Exporting Countries (Opec) conference in Vienna, where consensus was reached on the implementation of first oil production cuts in 8 years."

Referring to the NSA's acknowledgement of Iran possibly being behind the 2012 Shamoon attacks, Wardle said it was "quite likely" that the same perpetrators may also be behind the rebirth of Shamoon.

He added: "It seems fairly reasonable to assume that the same attackers were behind both attacks. I think its no secret the the Iranians and Saudis aren't the best of friends for a variety of religious, economic, and other geopolitical reasons. Unless deployed as a precursor to a traditional military strike (i e taking down the power grid before a ground invasion) deploying such malware is really just a short-term destructive move, designed to cause disruption."

How it happened

According to security researchers, the new variant of Shamoon shares several similarities with the original strain. Like its predecessor, Shamoon 2.0 also uses stolen administrative credentials to gain entry and attempts to spread across other devices in the network. According to Palo Alto security researchers, this technique "suggests that the threat actors had previous access to the network or carried out successful phishing attacks prior to the attack".

Wardle speculated that the hackers may have gained access to admin credentials via "a previous hack, or phishing".

He added: "But once they had these credentials, its pretty much game over. Specifically with such credentials its trivial to deploy malware and infect a domain."

It is still unclear as to how many devices and organisations were affected by the new wave of Shamoon attacks. Despite the various theories and speculation about the motive and attribution of the attacks, the Saudi government is yet to comment further on the incident.