McAfee says same group behind recent Shamoon attacks and 2012 incident
McAfee believes the same state-sponsored group carried out attacks in 2012 and 2016
Security company McAfee has stated that it believes that the Shamoon attacks against Saudi Aramco in 2012 and more recent attacks against Saudi targets were perpetrated by the same nation state actor.
McAfee did not name the country behind the attacks, but it pointed to evidence which it says suggested that the same group was behind both campaigns.
The August 2012 attacks against Saudi Aramco infected tens of thousands of Windows PCs with the Shamoon virus, wiping data and causing serious disruption. In December 2016 and January 2017, a new variant of Shamoon was used to attack numerous targets in Saudi Arabia.
In a series of blog postings, McAfee security researchers Christiaan Beek and Raj Samani explained that they believe the two campaigns were conducted by the same group, and that certain differences between the two sets of attacks show an increased sophistication on the part of the hacking team and the tools it selected.
The researchers point to a common modus operandi between the two campaigns: malware built from three components, attacks against Saudi targets with the intent of destroying data, and attacks timed for weekends or holidays. Both attacks attempted to use compromised accounts to spread the malware as far as possible throughout the networks.
There were some differences in MO. In 2012 the hackers used network scanners and penetration testing tools to find vulnerabilities that allowed them to infiltrate the networks, while in 2016 the malware was delivered via spearphishing attacks which established backdoors into the networks. The 2012 attacks also targeted industrial control systems (ICS), which did not appear to be the case in 2016. The 2016 attacks, on the other hand, targeted multiple organisations.
Investigations also found similarities between the Shamoon attacks and other campaigns which used the same domains, whois registrants, or code.
Beek and Samani said that while they would rate the 2016 attacks more highly than the 2012 attacks for stealth, operations security, precision, and other factors, the overall picture is of one single team behind both attacks, maturing over time. While there were some errors in operational security in 2016, the researchers said this was likely due to the fact that more people would be required to attack the multiple targets of the later incident.
"With five years between the attacks, we have likely seen a nation-state actor grow in cyber-offensive capacity and skills. Where once pirated software was used for vulnerability scanning, which can be easily detected by intrusion detection or prevention systems, we now find targeted spear phishing with weaponized documents. And instead of batch scripts, the use of PowerShell scripts and DNS tunneling demonstrates a major increase in the attackers' expertise," the researchers wrote in the McAfee blog.
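To make the DNS tunneling point concrete from the defender's side, here is an added example (not McAfee's code and not part of the researchers' blog) that scores constructed DNS query log lines for tunneling indicators: long, high-entropy subdomain labels, TXT-type queries, and, echoing the weekend and holiday timing noted above, activity outside business hours. The thresholds, the naive last-two-labels domain rule and the sample log are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed sample DNS query log (timestamp, client, query name, record type).
# 2017-01-22 is a Sunday; the long labels are made-up base32-looking chunks.
SAMPLE_LOG = """\
2017-01-22T03:14:05 10.0.4.17 www.example.com A
2017-01-22T03:14:06 10.0.4.17 mail.example.com A
2017-01-22T03:14:07 10.0.4.17 gq3dgmrtgaydambrgqztimj3.tunnel-test.invalid TXT
2017-01-22T03:14:08 10.0.4.17 ha4tkmjtmfrweorrgm3diorr.tunnel-test.invalid TXT
2017-01-22T03:14:09 10.0.4.17 kbswy3dpnvqw4zlfhb4gc3dp.tunnel-test.invalid TXT
2017-01-22T03:14:10 10.0.4.17 mfxg65lomzsgk3tdmuqhg5lf.tunnel-test.invalid TXT
2017-01-22T03:14:11 10.0.4.17 nfxg65lomzsgk3tdmuqhg5lg.tunnel-test.invalid TXT
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score high, hostnames low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in {ch: s.count(ch) for ch in set(s)}.values())

def split_name(qname):
    """Naive split into (subdomain labels, registered domain); assumes the
    registered domain is the last two labels (real tools use the public suffix list)."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])

def score_queries(log_text, min_label_len=20, min_entropy=3.0, min_unique=5):
    """Return [(domain, reasons)] for domains that look like tunneling endpoints."""
    per_domain = defaultdict(lambda: {"subs": set(), "txt": 0, "off_hours": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, _client, qname, qtype = line.split()
        ts = datetime.fromisoformat(ts_text)
        subs, domain = split_name(qname)
        rec = per_domain[domain]
        rec["total"] += 1
        if qtype in ("TXT", "NULL", "CNAME"):      # record types favoured for carrying data
            rec["txt"] += 1
        if ts.weekday() >= 5 or not 7 <= ts.hour < 19:  # weekend or outside 07:00-19:00 (assumed hours)
            rec["off_hours"] += 1
        sub = ".".join(subs)
        if subs and len(subs[0]) >= min_label_len and shannon_entropy(sub) >= min_entropy:
            rec["subs"].add(sub)          # each payload chunk yields a new unique subdomain
    findings = []
    for domain, rec in per_domain.items():
        if len(rec["subs"]) >= min_unique:
            reasons = [f"{len(rec['subs'])} unique high-entropy subdomains"]
            if rec["txt"]:
                reasons.append(f"{rec['txt']} TXT/NULL/CNAME queries")
            if rec["off_hours"] == rec["total"]:
                reasons.append("all queries outside business hours")
            findings.append((domain, reasons))
    return findings
```

Run against real resolver logs, tune the thresholds per environment and whitelist known high-churn CDN and anti-spam domains, which legitimately produce many unique subdomains.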
McAfee, which has recently returned to being an independent company after being de-merged from Intel, said it was increasing its investment in combating the threat from sophisticated cyberwarfare and cybercrime groups such as the Shamoon perpetrators.
Areas of increased focus will include advanced malware, ransomware, financial fraud, general cybercrime, cyber espionage, cyberwarfare, and protection of industrial control systems. Among other contributions, McAfee will provide cybersecurity professionals with the McAfee Threat Landscape Dashboard, an overview of the latest and most significant threats tracked by McAfee researchers.
McAfee will also increase its engagement with law enforcement and academia, including coordinated efforts to take down criminal networks, develop new approaches to fighting cybercrime, and recruit more young people to join the ranks of cybersecurity professionals.
"Campaign investigations complete our triad of research capabilities focused on keeping the digital world safe," said Steve Grobman, chief technology officer for McAfee. "McAfee is committed to bringing together world-class threat intelligence, vulnerability research, and investigative expertise to provide customers more insights into how specific malicious actors develop and wage cyber-attacks."