Destructive Shamoon Malware Attacks Italian Oil Services Firm

The data-wiping Shamoon malware resurfaced this week at Italian oil and gas contractor Saipem, where it destroyed files on about 10 percent of company PCs, according to a published report. The attacks may be linked to Saipem’s work with Saudi Aramco, a target of earlier Shamoon attacks.

Saipem acknowledged Monday that it had identified a “cyber attack on its servers,” for which it’s still in the process of analyzing and doing damage assessment. On Tuesday they confirmed in an update that a variant of Shamoon–malware linked to Iran that first appeared in attacks on Saudi Arabian oil firms in 2012–was responsible for the attack.

“The cyber attack hit servers based in the Middle East, India, Aberdeen and, in a limited way, Italy through a variant of Shamoon malware,” the company said. “The attack led to the cancellation of data and infrastructures, typical effects of malware.”

Italian oil industry services firm Saipem was the target of the Shamoon malware, the firm acknowledged.

Saipem is in the midst of restoration activities using back-up infrustructure to restore data and operations impacted by the attack, and continues to work with authorities on the matter, the company said.

Third time, no charm

The attack is the third time the havoc-wreaking malware–which wipes out the hard drive of computers it affects, displaying a message for victims–has appeared in targeted attacks on companies mainly in the Middle East.

The first Shamoon attack hit Saudi Arabian energy companies, including RasGas and Saudi Aramco; it compromised about 30,000 of the latter company’s workstations but Aramco said oil production was at the time unaffected. It resurfaced in 2016, also targeting oil firms in the Middle East. This week’s resurfacing of Shamoon also has connections to Aramco; Saipem is one of Aramco’s main foreign contractors.

See also: Report: Major attack on critical infrastructure expected due to increased risk from IoT

Shamoon reappeared in an even bigger and bolder way four years later–again disrupting the Saudi oil sector–with what researchers at the time said was a carefully planned attack not just on the energy sector, but also other companies and institutions in aviation, government, investment and education.

The malware was just as destructive as ever in the 2016 attacks, completely wiping out workstation hard drives with abandon. Its manifestation to victims was different than previously, however. In these attacks, it showed victims a picture of the body of Alan Kurdi–a three year-old Syrian refugee to who drowned trying to cross from Turkey to Greece with his family–suggesting a political motivation for the attack.

The Shamoon variant connected to those attacks also used a Trojan horse program, Ismdoor, to steal data from its victims, according to security firm Symantec, who investigated the attacks. Symantec researchers also said at the time that there is a chance the attacks are linked to a group it calls “Greenbug network spy gang,” which is connected to the Iranian government. Indeed, Iran is emerging alongside Russia and China as a leader in state-sponsored cyber attacks.

More attacks brewing?

This latest Shamoon incident happened over the weekend of December 8, with Saipem issuing its vague statement about the attack on Monday. That same day–likely not coincidentally–a version of the Shamoon malware researchers haven’t seen before was uploaded on VirusTotal from an IP address located in Italy, the home base of Saipem, according to published reports. Other samples were uploaded the next day from an IP address in India, one of the regions Saipem said was affected by the latest attack.

These uploads provide possible clues that more Shamoon attacks are on the way, a researcher from security firm Chronicle told ThreatPost. Specifically, they have a hard-coded trigger date that’s set for a year ago, on Dec. 7, 2017, even though the uploads themselves were new to researchers and hadn’t yet been seen in any attacks, the researcher said.

The trigger date led researchers to surmise a number of things. It could mean that the malware was sent into the wild on that date but only recently discovered, the researcher said.

It also–a more concerning scenario–means it could be locked and loaded in advance of yet another major malware campaign. If that’s the case–and if the pattern of Shamoon attacks continue–significant energy companies in the Middle East should brace themselves.