Kaspersky Lab says a coding error makes it unlikely the developers of the Shamoon malware are linked to a previous attack on Iranian systems earlier this year.
Evidence has surfaced linking the Shamoon malware attack to
a group of hacktivists who claim that they are protesting oppression in the Arab
Eugene Kaspersky, CEO of Kaspersky Lab, confirmed in a tweet
Aug. 22 that
the date and time hardcoded into Shamoon matched the date and time of an attack
on Saudi Aramco, Saudi Arabia's national oil company, mentioned in a Pastebin
post by a group going by the name "Cutting Sword of Justice."
"In the first step, an action was performed against
Aramco company, as the largest financial source for Al-Saud regime," the group wrote
, stating that the
attack would begin Aug. 15 at 11:08 a.m. local time in Saudi Arabia. "In
this step, we penetrated a system of Aramco company by using the hacked systems
in several countries and then sended [sic]
a malicious virus to destroy thirty thousand computers networked in this
As a result of the attack, Aramco said it isolated all of
its electronic systems from outside access as a precautionary measure.
Kaspersky researcher Dmitry Tarakanov noted
in a blog
post that while that particular date and time is hardcoded in
Shamoon, the function to check the date does not work correctly.
"If the intention is to divide the timeline into
'before' and 'after' a particular checkpoint, then the author has failed,"
he blogged. "The condition contains a corrupted logic to do this."
"For example, if
the year is 2013 but the current month is less than the target month (say
February), then the condition would return a result as if the current date lies
before the August 2012 checkpoint value," he explained. "In fact,
this logic is simply flawed and incorrect. This error indirectly confirms our
initial conclusion that the Shamoon malware is not the Wiper malware that
attacked Iranian systems. Wiper is presumed to be a cyber-weapon and, if so, it
should have been developed by a team of professionals. But experienced
programmers would hardly be expected to mess up a date comparison routine."
Earlier this month, Seculert CTO Aviv Raff explained that
the attackers behind Shamoon seized control of an internal machine connected to
the Internet and used it as a proxy to the external command and control server.
Through the proxy, the attacker infected other internal machines and then
executed Shamoon, "wiping all evidence of other malicious software or
stolen data from those machines."
In a statement today, he added that the IP address of the
proxy server in the Shamoon samples Seculert analyzed is not part of the list
described in a related Pastebin post
"This might mean that those samples are part of an
attack on a different entity," Raff said. "It could also mean that it
is indeed part of the attack against Aramco, but the attackers did not to share
this IP address in the pastes (assuming the details in the pastes are true, of