Shamoon Malware and SCADA Security – What are the Impacts?

Ed. Note: This is a significant update to an article first published on Sept 25, 2012. The original article is available as a download in Related Links.

The most destructive post-Stuxnet discovery of advanced threats is a piece of malware known as Shamoon. Like Stuxnet, Duqu and Flame, it targeted energy companies in the Middle East, this time Saudi Aramco, Qatar’s RasGas and likely other oil and gas concerns in the region. It is a new species, however, because it did not disrupt an industrial process as Stuxnet did, nor did it stealthily steal business information as Flame and Duqu did. Instead it removed and overwrote the information on the hard drives of 30,000 to 55,000 (yes, those numbers are correct!) workstations at Saudi Aramco (and who knows how many more at other firms).

Nothing this damaging has been seen in a while. As a Kaspersky Lab expert commented “Nowadays, destructive malware is rare; the main focus of cybercriminals is financial profit. Cases like the one here do not appear very often.”

What does Shamoon mean for SCADA and ICS Security? Hold that thought for a few paragraphs…

Saudi Aramco’s headquarters complex. This is one of the sites where workstation hard drives were wiped clean by the Shamoon virus. Photo: Wikipedia

What is Shamoon?

First publicized on August 16, 2012 by Symantec, Kaspersky Labs, and Seculert, Shamoon was introduced into Saudi Aramco by a disgruntled insider who had full access to the system. It took control of an Internet-connected computer and used that computer to communicate back to an external Command-and-Control server. It also infected other computers running Microsoft Windows that were not Internet-connected. The resulting collection of compromised computers under the control of a single individual or group is called a “botnet”.

The name Shamoon comes from a folder name within the malware executable:

“c:\shamoon\ArabianGulf\wiper\release.pdb”

While the significance of the word “Shamoon” is not known, it is speculated that it is the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.

Symantec describes Shamoon as having 3 components:

  1. Dropper – the main component and source of the original infection. It drops components 2 and 3 onto the infected computer, copies itself to network shares, executes itself and creates a service to start itself whenever Windows starts.
  2. Wiper – this is the destructive module. It compiles a list of files from specific locations on the infected computers, erases them, and sends information about the files back to the attacker. The erased files are overwritten with corrupted jpeg files, “obstructing any potential file recovery by the victim”1.
  3. Reporter – this module sends infection information back to the attacker’s central computer.
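As an added example, not part of the original article: a defender-side triage script (Python, standard library only) that walks a directory and flags files whose header is a JPEG signature although their extension says otherwise, which is the footprint the wiper component described above leaves behind. The file-type table and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Magic-byte prefixes for a few common file types (constructed lookup, not from
# the article). A JPEG header under a non-image extension is the wiper's trace.
JPEG_MAGIC = b"\xff\xd8\xff"
EXPECTED_MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",
    ".exe": b"MZ",
    ".jpg": JPEG_MAGIC,
    ".jpeg": JPEG_MAGIC,
}


def classify(path):
    """Return 'ok', 'jpeg_overwrite', 'mismatch' or 'unknown' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(8)
    expected = EXPECTED_MAGIC.get(ext)
    if head.startswith(JPEG_MAGIC) and expected != JPEG_MAGIC:
        return "jpeg_overwrite"          # image data where a document/binary should be
    if expected is None:
        return "unknown"                 # extension not in our table; needs manual review
    return "ok" if head.startswith(expected) else "mismatch"


def triage(directory):
    """Walk a directory and return {relative_path: classification} for every file."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            results[os.path.relpath(full, directory)] = classify(full)
    return results


def build_sample_tree():
    """Constructed sample: intact PDF, 'wiped' DOCX, real JPEG, damaged EXE."""
    base = tempfile.mkdtemp(prefix="wiper_triage_")
    samples = {
        "report.pdf": b"%PDF-1.4\n%constructed intact document",
        "budget.docx": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # JPEG header where ZIP expected
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,     # legitimately a JPEG
        "tool.exe": b"\x00" * 16,                            # neither MZ nor JPEG
    }
    for name, data in samples.items():
        with open(os.path.join(base, name), "wb") as f:
            f.write(data)
    return base
```

Run `triage(build_sample_tree())` to see the verdict for each constructed file; on a real share, point `triage` at the mount point and review the `jpeg_overwrite` entries first.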

While all of this sounds sophisticated, expert analysis (Kaspersky Labs) concluded, due to a number of errors found in the code, that the developers of Shamoon are “skilled amateurs”. They are not in the same league as the sophisticated coders of Stuxnet and Flame.

What Damage did Shamoon do?

On August 15, 2012 Saudi Aramco posted on its Facebook page that

"…the company has isolated all its electronic systems from outside access as an early precautionary measure that was taken following a sudden disruption that affected some of the sectors of its electronic network. The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network."

They later told Reuters

"Shamoon [the virus] spread through the company's network and wiped computers' hard drives clean. Saudi Aramco says damage was limited to office computers and did not affect systems software that might hurt technical operations."

However, as CIO blogger Constantine von Hoffman stated:

You don’t destroy 30,000 workstations without causing a vast amount of damage. It might be possible that the attack didn’t directly hit oil production or harm the flow of oil out of the ground. No one I’ve spoken to has suggested it did, but it’s clear that if the company's statement is true then Aramco used a very strict reading of the phrase “oil production.”

Mr. von Hoffman went on to question the Saudi Aramco statement that all damage had been repaired by Aug 26th. He also wonders how, in an era when oil and gas projects are dominated by joint ventures, other energy companies’ computers could have escaped damage from Shamoon.

Indeed, Leon Panetta, the U.S. Defense Secretary recently described Shamoon as the most destructive attack the business sector has seen to date and a “significant escalation of the cyberthreat.”

Jim Lewis, a computer expert at the Center for Strategic and International Studies (CSIS) in Washington added “There is a really significant dollar cost to this attack. The computers were out for as much as a week and had to be replaced.”

Saudi Aramco’s Uthmaniyah gas plant, like the company's other production sites, was apparently unaffected by the Shamoon malware. Photo courtesy of: Saudi Aramco.

Who Created Shamoon? Why did they do it?

It is now known that the attack was initiated by a disgruntled insider, an Aramco employee, “an extraordinary development in a country where open dissent is banned” who may have been working with the Iranian government.

Bloomberg attributes the attack to a single perpetrator who did not have the skills to do advanced coding or attack the company’s oil production sites. Their view rests on the fact that the forensic analysis of the code does not show advanced elements that typically suggest a nation state perpetrator. The motive in this case is believed to come from the disenfranchised Shiite minority in Saudi Arabia’s eastern province.

However, ISSSource describes how “Iran’s Cyber Army” has been building up its capability over time and attributes the attack to Iran working with an insider. It also puts forward two theories about why the Iranians might have instigated it.

One theory is that the attacks were motivated by “deep wrath” at the Saudi government because of:

  1. The mistreatment of the Shiites by Saudi Aramco.
  2. The Saudi government’s assistance to Sunni factions in Syria and Bahrain.

The other theory is that the attacks are retaliatory measures against the U.S. for:

  1. Stuxnet, the U.S.-Israeli backed malware that disrupted Iran’s nuclear enrichment program, and
  2. Payback for the severe U.S.-imposed sanctions that have sent the Iranian economy into a tailspin.

What does Shamoon have to do with SCADA and ICS Security?

Shamoon was a destroyer of data on workstations of energy companies in the Arabian Gulf. There is no evidence that it had any impact on SCADA or ICS systems.

What does it mean for automation professionals? The good news is that, like Stuxnet, Flame and Duqu, Shamoon was highly targeted. The bad news is that it is another indicator that industry, and especially the energy industry, is now a target.

Therefore, if you want to act now to prevent the extent of damage that Saudi Aramco experienced with this attack, see the list of mitigations put forward by US-CERT.

Also, you might want to update your risk assessments. Of great concern is the fact that this attack lowers the bar for effective disruption of a business. One or more people with skills slightly better than amateurs and a relatively low level of effort were able to penetrate a well-protected network and destroy massive amounts of data (albeit with insider access). In addition, they did it at a scale and speed that is unprecedented.

Imagine the damage that could be done if a group of people with an axe to grind against your organization launched a similar attack against you. The success of Shamoon is sure to attract copycats. This rouses the kind of fear we have when we think of terrorists getting their hands on nuclear weapons. No rules of engagement apply!

Call it “cyber warfare” or “cyber hype”, the bottom line is that the information/networked world is facing increased threats and SCADA and ICS systems are part of that world.

What are your thoughts on Shamoon? Does its discovery impact your security strategy?


Comments


Good summary of the Shamoon malware, though formally the link between Shamoon and the Aramco / Rasgas attacks has never been confirmed by either company.

I think Shamoon is the most worrying event in security, not so much because Shamoon is very advanced malware - it isn't - but because of the destructive nature of the malware.

We see several very good malware development tools in the market; combining these capabilities with an intention to cause as much damage as possible to the infected computer is a frightening world if we also realize that AV has several shortcomings. Too much malware has slipped through the defenses in the last two years.

See also http://insecurity.honeywellprocess.com/

@zyber_zorro has provided an interesting link pertaining to the 30,000 number: http://pastebin.com/cTJeeTat

If real, then the 30,000 number is real.

What is the best approach to recover from this security incident? The IP map is published, server names are published, all good stuff for planning the next attack.

Is the best approach to change all this or just continue?

Heather,

Continue the good work in relaying this information to the field. Customers need to know since the press will not convey the message (with the exception of CBS 60 Minutes on the Stuxnet virus).

After attending the ICS conference in Norfolk this week, it is clearer than ever that the cyber crime perpetrators - whether rogue, state-sponsored or company insiders - must be dealt with using the full force of existing laws. These crimes are extremely dangerous to a vulnerable society and to the economic and financial underpinnings of the world. Additional legislation must be considered and enacted in each democratic country to deal with these criminals regardless of where they may be.
Secondly, the eventual ability of cyber defenses to pinpoint the sources and physical locations of perpetrators will assist in seizure of equipment and the capture of such evil-doers. We will need some version of counter-terrorist military teams to pursue these criminals. Wide news coverage of convicted cyber criminals will perhaps help lower these rogue or insider incidents.

Good Shamoon summary. I do hope that the parenthetical phrase 'albeit with insider access' wasn't intended to be dismissive of this important attack vector. Insiders have been an important tool for government attacks on their adversaries for thousands of years. It isn't much of a stretch to assume that any organization of a size that would be willing to accomplish something as bold as the Aramco attack would be willing to use this type of tool to make their attack more effective.

The (albeit with insiders) was not meant to be dismissive, just factual.

Shamoon is one for the history books, like Stuxnet, but because of its overall destructiveness. As Nick Denbow mentions in his comment, think of the damage possible if the insider were paired with a team with strong programming skills.

The insider threat needs to be factored more significantly into risk assessments, just as Bryan says that the companies in the region are doing.

This suggested disgruntled employee, although classed as an enthusiastic amateur in cyber crime, has demonstrated what someone with some inside IT knowledge can achieve. So the next one like him will make contact with some less amateur cyber criminals to combine resources, compounding the threat by combining their various bits of expertise.
Thanks Heather, for your excellent review: as you say, with so many automation and control supplier companies in joint ventures with Saudi Aramco, not to speak of petrochemical companies, how far can Shamoon penetrate into their IT systems, and do they know? Looking just at the Sadara JV there are immediate links into Dow Chemicals and ABB - as mentioned in the INSIDER last month, the latter involves project engineering links to Jacobs Engineering, Fluor, Foster-Wheeler and Linde, plus other sub-suppliers like Yokogawa.

While Shamoon infections globally are few (<50 in some accounts), many I talked to in the region took pre-emptive action.

Firewalls were opened (or ports simply disconnected). This is when an operation finds out just how good their control system segmentation architecture is or isn't.

Sites with an ISA-99 style architecture fared much better compared to flat network deployment patterns.

Specifically, those organized with dual firewall DMZ were able to restore key services earlier because:
1) DMZ was not infected in the first place
2) Scope of services in the DMZ was manageable (as compared to the entire IT network) which makes it easier to verify overall health.

Even with successful prevention many in the region are restoring services in a very deliberate manner based on a refresh of risk assessment.

Incidents like Shamoon will erode trust within an organization. Ironically this comes at a time when IT and OT will need to work together more than ever.

Bryan, thanks for your insight into the event.

It's interesting that measures we and others recommend all the time, such as segmenting networks into zones as per ISA-99 (IEC 62443), made a difference at infected sites.

Good point about dual firewalled DMZs too - readers take note.

A comprehensive and insightful analysis of the Shamoon episode. It is indeed clear that episodes like Shamoon only reiterate what is widely acknowledged within industry circles. Although the consequences of Shamoon were destructive, it seems to me that the perpetrators had conceived the entire attack with surgical precision. A Shamoon-like attack on a control system would have had disastrous consequences and, more than that, it has the potential to become a precursor to war between hostile nations. It is now becoming increasingly certain that industrial cyber security will become the common underlying denominator of the next-gen enterprise.
