APT

Advanced cyber attack hits Saudi Arabia to disrupt government computers

Saudi Arabia announced to have detected an “advanced” cyber attack targeting the kingdom with the intent to disrupt government computers.

On Monday, Saudi authorities announced to have detected an “advanced” cyber attack targeting the kingdom. According to the experts at the Saudi National Cyber Security Centre, the attackers aimed to disrupt government computers.

The attackers leveraged the Powershell, but at the time of writing Government experts it did not comment on the source of the attack.

PowerShell is extremely powerful and that attackers are increasingly using it in their attack methods. PowerShell is a default package that comes with Microsoft Windows OS and hence it is readily available on the victim machines to exploit.

“Powershell is Predominantly used as a downloader”

The most prominent use of PowerShell, that is observed in the attacks in-the-wild, is to download the malicious file from the remote locations to the victim machine and execute it using commands like Start-ProcessInvoke-Item OR Invoke-Expression (-IEX) file OR downloading the content of the remote file directly into the memory of the victim machine and execute it from there.

Back to the attacks that hit Saudi computers, the NCSC speculates the involvement of an APT that used spear phishing attacks to infiltrate computers in the Kingdom.

“The NCSC has detected a new Advanced Persistent Threat (APT) that is targeting Saudi Arabia,” the agency said in a statement.

Saudi Arabia was targeted several times by APT, the most clamorous attack was conducted with the Shamoon wiper in 2012 against computers in the Saudi energy sector in 2012.

Computers at Saudi Aramco, one of the world’s biggest oil companies, was disrupted by Shamoon in what is believed to be the country’s worst cyber attack yet.

In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.

The first team that discovered the malware was Kaspersky Lab that had analyzed some instances of the threat linked to the “wiper agent” due to the presence of a module of a string with a name that includes “wiper” as part of it.

Early this year, Saudi authorities warned of a new wave of attacks that leveraged the Shamoon 2 malware targeting the country.

In January, the Saudi Arabian labor ministry had been attacked and also a chemical firm reported a network disruption.

According to security experts, the threat actor behind the Shamoon attacks was likely working on behalf of the Iranian government in 2012.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Malware, Saudi Arabia)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Cisco addressed high-severity flaws in IOS and IOS XE software

Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…

12 hours ago

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

19 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

1 day ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

1 day ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

2 days ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

2 days ago

This website uses cookies.