Researchers Say Shamoon Possibly Linked to Attack on Saudi Oil Company

Evidence has surfaced linking the Shamoon malware attack to a group of hacktivists who claim that they are protesting oppression in the Arab world.

Eugene Kaspersky, CEO of Kaspersky Lab, confirmed in a tweet Aug. 22 that the date and time hardcoded into Shamoon matched the date and time of an attack on Saudi Aramco, Saudi Arabia’s national oil company, mentioned in a Pastebin post by a group going by the name “Cutting Sword of Justice.”

“In the first step, an action was performed against Aramco company, as the largest financial source for Al-Saud regime,” the group wrote, stating that the attack would begin Aug. 15 at 11:08 a.m. local time in Saudi Arabia. “In this step, we penetrated a system of Aramco company by using the hacked systems in several countries and then sended [sic] a malicious virus to destroy thirty thousand computers networked in this company.”

As a result of the attack, Aramco said it isolated all of its electronic systems from outside access as a precautionary measure.

Kaspersky researcher Dmitry Tarakanov noted in a blog post that while that particular date and time is hardcoded in Shamoon, the function to check the date does not work correctly.

“If the intention is to divide the timeline into ‘before’ and ‘after’ a particular checkpoint, then the author has failed,” he blogged. “The condition contains a corrupted logic to do this.”

“For example, if the year is 2013 but the current month is less than the target month (say February), then the condition would return a result as if the current date lies before the August 2012 checkpoint value,” he explained. “In fact, this logic is simply flawed and incorrect. This error indirectly confirms our initial conclusion that the Shamoon malware is not the Wiper malware that attacked Iranian systems. Wiper is presumed to be a cyber-weapon and, if so, it should have been developed by a team of professionals. But experienced programmers would hardly be expected to mess up a date comparison routine.”

Earlier this month, Seculert CTO Aviv Raff explained that the attackers behind Shamoon seized control of an internal machine connected to the Internet and used it as a proxy to the external command and control server. Through the proxy, the attacker infected other internal machines and then executed Shamoon, “wiping all evidence of other malicious software or stolen data from those machines.”

In a statement today, he added that the IP address of the proxy server in the Shamoon samples Seculert analyzed is not part of the list described in a related Pastebin post.

“This might mean that those samples are part of an attack on a different entity,” Raff said. “It could also mean that it is indeed part of the attack against Aramco, but the attackers did not to share this IP address in the pastes (assuming the details in the pastes are true, of course).”