
Shamoon v2 is a tenacious piece of malware that recently participated in attacks against 15 Saudi government agencies and private companies. Shamoon compromises hard drives and leaves them completely erased and inoperable.

It first appeared in 2012 when it targeted one Saudi company, an assault which today is widely recognized as one of the most destructive cyber attacks against a private business. An enhanced version reappeared last November. This year, it became more widespread.

As noted in a previous blog post, the enhanced malware is cleverer than its predecessor: it has gained the ability to compromise VDI environments:

“VDI solutions take snapshots of a system at a given time in a certain state. Organizations can therefore use these technologies to recover from wiper malware like Disttrack. But if Disttrack comes with default credentials for well-known VDI products, it can log into those solutions, wipe any saved snapshots, and thereby prevent an organization from restoring their systems.”

What Is the Impact and Motive?

Based on the reports, it seems that data was not stolen but networks were disrupted. The motive seems to have been bringing down operations, thereby creating huge business implications and safety issues. At this point, the target is the Saudi region.

This might suggest a nation-state is behind the attacks. Shamoon also overwrites the hard drives with images of burning US flags and, most recently, the image of the body of a drowned Syrian refugee, suggesting the responsible parties are attempting to make a political statement as well.

Are Nation-State Cyber Attacks on the Rise?

A nation-state cyber attack is any action by a nation or a non-nation actor (e.g. a terrorist group) that accesses another nation’s computers or networks for the purpose of causing damage or disruption. In some cases, the source is very difficult to track because attackers can hide their tracks.

Yes, they are on the rise. Though I do not have a definite metric on this, not a month goes by without a nation-state attack being publicized.

Recent attacks include the following:

Attribution of these attacks can be difficult given clever masquerading tactics, which makes any effort to retaliate challenging. What is interesting, however, is that the entry point for many of these big and complicated attacks is social engineering, usually in the form of a phishing attack.

In 2015, the Ponemon Institute presented research (PDF) for which it surveyed IT security practitioners based in the United States. Seventy-three percent of respondents said it was highly likely that their organizations would suffer a nation-state attack in the next five years. Some organizations suffer these assaults on an even more frequent basis.

U.S. Missile Defense Agency Director Vice Adm. James Syring explained in a U.S. House hearing held on May 14, 2016, that Chinese military cyber attacks on his agency’s networks were a daily occurrence. No doubt cyber attacks on nation-states will continue to rise.

Sometimes, it is difficult to determine whether an attack comes from a nation-state or from an independent group. Some nations use state hackers and also pay freelancers to gain access to useful systems.

Rise and Defend Against Shamoon v2

Whether it’s a nation-state cyber attack or not, Shamoon v2 can be damaging. All organizations everywhere should take measures to protect against it. Foundational controls that detect and prevent malicious changes help mitigate the risk of Shamoon v2.

Given that the attack vector was email phishing, employees should receive regular training and reminders. As noted in a previous blog post, you should also protect the credentials of your VDI deployment (never leaving vendor defaults in place) and deploy a tool like MBRFilter to prevent malicious actors from modifying a machine’s MBR. Organizations should also review their disaster recovery plans as a proactive measure.
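One of the foundational detect-and-prevent controls mentioned above is integrity monitoring of the boot sector, since a wiper that overwrites the MBR leaves a machine unbootable. The following is an added example (my own code, not Tripwire's, MBRFilter's or anything from the original post) that baselines a 512-byte MBR and reports when a later read shows it wiped or altered; the sample MBR bytes are constructed for the demonstration rather than taken from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR
TABLE_OFFSET = 446             # partition table follows the boot code

def parse_partitions(sector: bytes) -> list:
    """Decode the four 16-byte partition entries into (slot, type, lba_start, sector_count)."""
    entries = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        _status, ptype, lba, count = struct.unpack("<B3xB3xII", raw)
        if ptype != 0:         # type 0x00 marks an unused slot
            entries.append((i, ptype, lba, count))
    return entries

def check_mbr(sector: bytes, expected_hash: str, expected_parts: list) -> list:
    """Compare a freshly read MBR with the recorded baseline; an empty list means no findings."""
    findings = []
    if len(sector) != MBR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), MBR_SIZE)]
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: disk will not boot")
    if hashlib.sha256(sector).hexdigest() != expected_hash:
        findings.append("MBR content differs from baseline")
    current = parse_partitions(sector)
    for entry in expected_parts:
        if entry not in current:
            findings.append("partition slot %d (type 0x%02x) missing or altered" % (entry[0], entry[1]))
    return findings

def sample_mbr(boot_code: bytes, parts: list) -> bytes:
    """Constructed sample only: build a plausible MBR for the demonstration."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for slot, ptype, lba, count in parts:
        off = TABLE_OFFSET + 16 * slot
        sector[off:off + 16] = struct.pack("<B3xB3xII", 0x80, ptype, lba, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed data: a healthy single-partition layout, and the same sector after a wiper zeroed it.
GOOD_MBR = sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0, 0x07, 2048, 204800)])
GOOD_HASH = hashlib.sha256(GOOD_MBR).hexdigest()   # baseline recorded while the system was trusted
GOOD_PARTS = parse_partitions(GOOD_MBR)
WIPED_MBR = bytes(MBR_SIZE)
```

Calling `check_mbr(GOOD_MBR, GOOD_HASH, GOOD_PARTS)` returns no findings, while `check_mbr(WIPED_MBR, GOOD_HASH, GOOD_PARTS)` reports the missing signature, the hash mismatch and the lost partition entry; on a live host the sector would come from reading the first 512 bytes of the physical disk.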

For information on how Tripwire Enterprise can protect you against Shamoon v2, please click here.