Earlier this year, a devastating virus dubbed Flame made its way through power plants in Iran, wreaking havoc on system software, and prompting the country to disconnect itself from the internet. Now comes word from Kaspersky Labs that there’s a copycat virus doing the same thing to “at least one organisation in the energy sector.”
Except this time, it’s not coming from the US government.
This new virus, sometimes referred to as Shamoon, sometimes referred to as Disttrack, contains a file named Wiper, which the Flame virus also has. But the Wiper file in Shamoon doesn’t share the same code as the one in Flame, which is why experts suspect a copycat is at work. Specifically, Kaspersky believes it’s the doing of script kiddies. Shamoon, like Flame, reportedly collects data on any machine it infects, then proceeds to erase the disk. But taking things one step further, the virus then overwrites the disk with a fragment of a JPEG file, making it nearly impossible to recover the lost data.
Security firm Seculert believes that the recent Shamoon incident was a two-stage attack launched from inside the victim's own network.
The attacker took control of an internal machine connected directly to the internet, and used that machine as a proxy to the external Command-and-Control (C2) server. Through the proxy, the attacker infected the other internal machines, which were probably not connected directly to the internet.
Once the intended action on the internal infected machines was complete, the attacker executed the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines. It then reported back to the external C2 through the proxy.
No one has come out and said specifically what power plant Shamoon worked its destructive powers on, but Ars Technica points out that the Saudi Aramco plant in Saudi Arabia was the victim of an attack last week. What experts do know is that Shamoon is definitely part of a targeted attack. What they don’t know is who. Or why.
You’re probably familiar with Flame by now; for the better part of a year, it’s been causing headaches for Iranian energy stations. Some computers send crucial security data back to the virus’ creators (believed to be operatives for the American and Israeli governments). Others blast AC/DC in the middle of the night. Then once the objective is complete, a Flame-infected computer destroys itself, leaving no trace of its existence on a disk.
Based on the same operating principles as the Stuxnet virus (but created by an entirely different entity), it’s all but certain that Flame was a politically motivated attack, given the tensions between Iran, the US and Israel.
What’s strange about Shamoon, however, is that it doesn’t appear to be collecting any sensitive info like Flame, which sniffed out passwords, documents and anything else vital to the operation of the Iranian facilities. Instead, Symantec says Shamoon is only concerned with reporting the names of the files it deleted, how many files it deleted, and the IP address of the computers infected. Destruction seems to be the primary objective.
The Reporter component is responsible for sending infection information back to the attacker. Information is sent as an HTTP GET request and is structured as follows:
The following data is sent to the attacker:
[DOMAIN] - a domain name
[MYDATA] - a number that specifies how many files were overwritten
[UID] - the IP address of the compromised computer
[STATE] - a random number
Threats with such destructive payloads are unusual and are not typical of targeted attacks.
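As an added illustration (not code from the article or from the vendor reports it cites), here is a small Python check a defender could run over outbound web-proxy logs to spot GET requests shaped like the Reporter beacon described above. The query-key names mydata/uid/state mirror the article's bracketed placeholders but are an assumption, as are the request path and the simplified log format; the log lines are constructed.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log lines (not real traffic): "<time> <client> <method> <url>".
# The first line shows an internal relay host (10.1.4.9) forwarding a beacon for 10.1.4.22.
SAMPLE_LOG = """\
2012-08-16T02:13:07Z 10.1.4.9 GET http://203.0.113.10/report.asp?mydata=1412&uid=10.1.4.22&state=8821
2012-08-16T02:13:09Z 10.1.4.23 GET http://example.com/index.html
2012-08-16T02:13:11Z 10.1.4.24 GET http://203.0.113.10/report.asp?mydata=abc&uid=notanip&state=1
2012-08-16T02:14:02Z 10.1.4.25 GET http://203.0.113.10/report.asp?mydata=77&uid=10.1.4.25&state=5
"""

# Assumed query keys mirroring the article's [MYDATA]/[UID]/[STATE] placeholders.
REQUIRED_KEYS = {"mydata", "uid", "state"}


def reporter_fields(url):
    """Return decoded beacon fields if the GET query has the Reporter shape, else None."""
    parts = urlsplit(url)
    qs = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if not REQUIRED_KEYS.issubset(qs):
        return None
    try:
        overwritten = int(qs["mydata"])                      # file count must be numeric
        reported_ip = str(ipaddress.ip_address(qs["uid"]))   # uid must parse as an IP
    except ValueError:
        return None
    return {"host": parts.hostname, "overwritten": overwritten,
            "reported_ip": reported_ip, "state": qs["state"]}


def find_beacons(log_text):
    """Scan log lines and return one finding per GET request matching the beacon shape."""
    findings = []
    for line in log_text.splitlines():
        ts, client, method, url = line.split(maxsplit=3)
        if method != "GET":
            continue
        fields = reporter_fields(url)
        if fields:
            # A reported uid that differs from the requesting client is the
            # internal-proxy relay pattern the article describes.
            fields.update(timestamp=ts, client=client,
                          via_proxy=(fields["reported_ip"] != client))
            findings.append(fields)
    return findings
```

Run it against real proxy exports by feeding their GET lines through find_beacons after adapting the split to the log's actual field order.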
Maybe the attacker already knows what is on the machines (which would make sense if the attack originated from within), but it still doesn’t explain the motivation for such a risky stunt on the part of a script kiddie.
If this is a non-political attack from an unaffiliated mischief maker, is this only the beginning for this kind of thing? A rash of unprovoked attacks on energy facilities could be downright devastating if properly executed. The immediate fallout might seem minor, and even inconsequential. But as we saw with Anonymous and LulzSec’s hacking spree last spring, an event like this can snowball into something quite harrowing. [Kaspersky, Symantec, Seculert via Ars Technica]