Saudi Arabia is warning organizations of a wave of Shamoon 2 attacks

Pierluigi Paganini January 25, 2017

Saudi Arabia is warning organizations in the country of a resurrection of the dreaded Shamoon malware.

A new strain of the Shamoon 2 malware was spotted by the security experts at Palo Alto Networks, this variant targets virtualization products.

Shamoon, also known as Disttrack, was first spotted in a wave of attacks that targeted companies in Saudi Arabia in 2012. Among the victims, there was the petrol giant Saudi Aramco and RasGas Co Ltd.

In the 2012 attacks, threat actors used images of a burning U.S. flag to overwrite the drives of victims.

The principal capability of Shamoon is a feature that allows it to wipe data from hard drives of the infected systems.

In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.

The first team that discovered the malware was Kaspersky Lab that had analyzed some instances of the threat linked to the “wiper agent” due to the presence of a module of a string with a name that includes “wiper” as part of it.

On Monday, the Saudi Arabian labor ministry revealed it had been attacked and also a chemical firm reported a network disruption.


A state news agency confirmed the attack against the labor ministry, but excluded any impact on the data.

The Reuters agency also revealed that the telecoms authority is inviting all parties to be vigilant for the spreading of a new version of the malware, the Shamoon 2.

According to security experts, the threat actor behind the Shamoon attacks was likely working on behalf of the Iranian government in 2012.

“The Shamoon hackers were likely working on behalf of the Iranian government in the 2012 campaign and the more-recent attacks, said Adam Meyers, vice president with cyber security firm CrowdStrike. “It’s likely they will continue,” he said.” reported the Reuters.

The State-controlled Al Ekhbariya TV confirmed that multiple Saudi organizations had been targeted in recent string of cyber attacks.

The Sadara Chemical Co, a joint venture firm owned by Saudi Aramco and Dow Chemical, confirmed it had suffered a network disruption on Monday morning. The experts at the company are still working to resolve the problem.

As part of the incident response, the company had stopped all services related to the network.

The Reuters said that other companies in petrochemicals Jubail hub also experienced network disruptions.

“Those companies sought to protect themselves from the virus by shutting down their networks, said the sources, who declined to identify specific firms.” states the Reuters.

Saudi Arabia Computer Emergency Response Team (CERT)’s Abdulrahman al-Friah confirmed to Al Arabiya that at least 22 institutions were affected by the wave of Shamoon attacks.

“We cannot definitely determine the financial costs of such breaches yet as it depends on each institutions platform. Websites which sell and buy will obviously be affected the most,” Fiah said.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Shamoon 2, Saudi Arabia)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment