Nov 30 - A version of Shamoon, the destructive
computer virus that four years ago crippled tens of thousands of
computers at Middle Eastern energy companies, was used two weeks
ago to attack computers in Saudi Arabia, according to U.S.
security firms.
CrowdStrike, Palo Alto Networks Inc and Symantec
Corp. warned of the new attacks on Wednesday. They did
not name any victims of the new version of Shamoon, which
cripples computers by wiping the master boot records that they
use to start up. They also did not say how much damage had been
caused or identify the hackers.
The reappearance of Shamoon is significant as there have
only been a handful of other high-profile attacks involving
disk-wiping malware, including ones in 2014 on Sheldon Adelson's
Las Vegas Sands Corp. and Sony Corp's Hollywood studio.
Governments and businesses pay close attention to such cases
because it can be time-consuming and extremely expensive to
restore infected systems.
The original Shamoon hackers left images of a burning U.S.
flag on machines at Saudi Aramco and RasGas Co Ltd in 2012.
Researchers said the Shamoon 2 hackers also left a calling card:
a disturbing image of the body of three-year-old Syrian refugee
Alan Kurdi, who drowned in the Mediterranean last year.
The 2012 Shamoon attacks were likely conducted by hackers
working on behalf of the Iranian government, said CrowdStrike
Chief Technology Officer Dmitri Alperovitch. It is too early to
say whether the same group was behind Shamoon 2, he said.
The motive of the recent attacks was also not immediately
clear.
"Why Shamoon has suddenly returned again after four years is
unknown," the Symantec Security Response team said on its blog.
"However, with its highly destructive payload, it is clear that
the attackers want their targets to sit up and take notice."
The malware triggered the disk-wiping to begin at 8:45pm
local time on Thursday, November 17, according to the security
firms.
The Saudi business week ends on Thursday, so the attack appears to
have been timed to begin after staff left for the weekend to
reduce the chance of discovery and allow maximum damage.
"The malware had potentially the entire weekend to spread,"
Palo Alto researcher Robert Falcone said in a blog post.
