Companies warned to check their systems for signs of Shamoon malware.

You come back to the office Monday morning to find a disaster—all your computer files are gone, many replaced with a picture of the body of a Syrian toddler who died at sea last year. 

That is what people found at the General Authority of Civil Aviation in Saudi Arabia this month, reported Bloomberg, after the Shamoon malware destroyed thousands of computers.

The agency handles the country’s airports. Bloomberg said five other Saudi organizations fell victim as well.

This is the second time Shamoon has hit the country. 

In 2012, the malware ripped up 30,000 computer systems in Saudi Arabia, according to Palo Alto Networks.

Now cybersecurity companies are warning businesses and government organizations everywhere to look for signs of Shamoon before it causes more destruction. 

“We recommend that critical infrastructure organizations and government agencies (especially those in the Gulf Cooperation Council region) check immediately for the presence or execution of these files within their Windows Server and Workstation environments,” said cybersecurity company FireEye in a post on its site.

A Saudi Arabian Airlines plane takes off from Charles de Gaulle Airport in France. Photo credit: airlines470 via Foter.com / CC BY-SA

World’s most valuable company

Four years back, Shamoon ravaged computers at Saudi Aramco and RasGas Company Limited, a natural gas company in Qatar, reported Reuters.

As the more than 50,000 employees of Aramco—said to be the world’s most valuable company–celebrated a religious holiday away from work, attackers destroyed more than three quarters of the company’s corporate computers, according to The New York Times.

This time around, attackers slashed through thousands of aviation authority computers, though the Saudi air transport agency managed to keep the airports running, Bloomberg reported.

Damage & destruction

The name ‘Shamoon’ reportedly comes from a word in the malware’s code. Researchers at Palo Alto Networks call the malware “Disttrack.” 

“Disttrack is mainly focused on data destruction and attempting to damage as many systems as possible,” Palo Alto’s Robert Falcone said in a post. 

Attackers have made some changes. For example, four years ago, the image that appeared on infected computers was a picture of a burning U.S. flag. 

“This is essentially the same attack,” said Ryan Olson, intelligence director of Unit 42 at Palo Alto Networks. “So from a technical point of view, yes, it could be as destructive.”

“It really depends on the actions of the attackers and how much stronger the intended targets’ protections are versus four years ago,” Olson told Archer News.

Aramco is said to be the world’s most valuable company, with subsidiaries all over the world, including Aramco Overseas with buildings in Milan. Photo credit: dhublimited via Foter.com / CC BY

Targets

So far, Shamoon hackers appear to have targeted only Saudi organizations—no sign of attacks on energy or infrastructure companies in the U.S.

But that doesn’t mean it won’t happen here.

“We can’t know the specific motivations and intentions of attackers,” Olson said. “We do know that there is nothing about this attack that makes it unique to where it happened.”

Data destruction raids like Shamoon do not happen often, according to Olson, but people should still prepare.

“While rare, these kinds of attacks are possible anywhere, and so everyone’s planning, preparations and protections should account for this—remote—possibility,” he explained.

Target: U.S.?

The new Shamoon siege is state-sponsored, Bloomberg reported, which means a government is behind it.

Iran is believed to have been the source of the original 2012 Shamoon attacks, said CrowdStrike CTO Dmitri Alperovitch in a post. It may have been retaliation for a similar ambush on Iran’s oil industry earlier that same year, reported The New York Times.

If it’s so effective, why don’t the Shamoon attackers strike energy companies and critical infrastructure in the U.S.?

The malware shows this image on computers before shutting down, according to Palo Alto Networks. Image from Palo Alto Networks’ post on Shamoon.

Hellfire

Middle East cyber attackers often go after each other, but not countries like China, Russia and the U.S., said Dewan Chowdhury with supervisory control and data acquisition—also known as SCADA—security company MalCrawler.

Chowdhury set up fake energy companies on the Internet as an experiment to see who would attack them and how. 

Malicious hackers raided the files of the fake U.S. energy companies only to steal information, he said.

“It’s pure economic espionage,” he told Archer News in an interview in August. “There’s no sabotage, no destruction.”

But the hackers went for destruction in attacks on the fake energy companies in the Middle East, hitting what looked like high-profile targets, such as substations in the “Times Square” or on the “Rodeo Drive” of Riyadh, Saudi Arabia.

Hackers may know that attacking U.S. infrastructure could be considered a declaration of war, he said.

“Anybody that would be crazy enough to target the power grid, the response is not you being hacked, it’s probably a Hellfire missile being thrown at you,” Chowdhury said.

Not immune

File-killing or “wiper” malware has hit other U.S. businesses before, though not energy or infrastructure companies.

Cyber predators used malware to wipe out a big chunk of the Las Vegas Sands Corp.’s computers in 2014, costing the company as much as $40 million dollars, Bloomberg reported. 

The company’s owner suspected the attack was in retaliation for comments he made about Iran, according to the article.

The White House laid down sanctions against North Korea after attackers used wiper malware in the massive Sony Pictures hack in 2014.

The Venetian Hotel in Las Vegas is part of the Las Vegas Sands Corporation’s network.

How to prepare

Energy companies—and other organizations—can prepare for attacks by segmenting their networks—for example, separating office computer systems from computer systems than run critical operations, according to Chris Sistrunk from Mandiant, a FireEye company. 

He also recommends monitoring computer traffic in and out of critical systems, as well as making regular backups and practicing restoring your systems.

“Also keep spares of critical equipment if you don’t have a redundant system,” Sistrunk told Archer News. “If destructive malware does hit, you can restore the affected systems.”

“Operating System not found.” Wiper-infected computers are not able to boot, according to Palo Alto Networks. Image from Palo Alto Networks’ post on Shamoon.

More protection

There may be other reasons Shamoon is not wreaking havoc in the U.S., said James McQuiggan, who works in information security for Siemens.

They include federal standards that require energy companies to meet certain cybersecurity goals, as well the Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, that provides warnings about malware and other cyber attacks.

“Back in 2012 when Shamoon showed up on the scene, ICS-CERT had multiple reports released about the malicious malware,” he said. “This allowed companies to program their security tools to alert and watch for the Shamoon malware.”

American companies are working to reduce their cyber risk, according to McQuiggan.

“They want to avoid being compromised and ending up on the front page of a national newspaper,” he said. “Previous incidents at companies like Target, LinkedIn and Yahoo, where their networks and systems were compromised, resulted in people at high levels losing their jobs.”