Using Deception Technology to Prevent Shamoon 2 Malware Attacks


Shamoon is one of the most destructive forms of malware. Here’s how deception technology can help prevent an attack.

Shamoon, also known as DisTrack, was first identified in 2012 and used against Saudi Arabian industry to annihilate thousands of computer systems. The same year it emerged, Shamoon’s assault against Saudi Arabian ARAMCO was noted by then U.S. Defense Secretary Leon Panetta as the most destructive attack seen by the global business sector to that date.

In short, weaponized malware is real and it is here to stay. Increasingly, nation states and politically motivated groups are using tools like Shamoon to target and destroy information technology infrastructure.

Shamoon: a brief evolution

Designed as weaponized malware, Shamoon is no less purpose-built than Stuxnet, which was used to target the Iranian centrifuges used in uranium production. The malware is a physical attack on infrastructure that leaves in its wake a trail of destruction comparable to a fire in a data center or other direct physical attack.

The threat from Shamoon remained relatively quiet for several years until the end of 2016, when Saudi Arabia’s state news agency reported that a Shamoon cyberattack had once again targeted multiple government agencies. It was clear that this new version of the attack was aimed at destroying equipment and was highly destructive. The security firm CrowdStrike also noted that Shamoon attacks seemed to coincide with geopolitical events in Gulf countries as well as with events in Saudi Arabia.

A month later, the telecom authority of Saudi Arabia issued a major alert noting that Shamoon 2, the new variant, was behind attacks targeting various chemical firms and the labor ministry. One of those chemical firms, Sadara Chemical Company, a joint venture between Dow Chemical and Saudi Aramco, confirmed a network disruption. During that same period, Reuters also reported that other companies in the Kingdom’s petrochemical hub in Jubail were taken offline.

Shamoon under the hood

Attribution for these sophisticated cyber-attacks is extremely difficult. The imagery used in the Shamoon attack is highly suggestive of a strong political agenda, and the forensic evidence has at times been attributed to a nation state in the Middle East. That said, there are many ways for attackers to obfuscate the signature and code structure of their tools and to separate the apparent attack location from where it is physically launched. Sophisticated attackers, and especially nation-state attackers, can get on a plane, find an internet cafe, and disperse malware from just about anywhere while doing reconnaissance from another location. They also relay their internet connections through virtual private networks, Tor, and other techniques as additional layers of camouflage to hide the source of the attack.

One thing that is known, however, is that Shamoon is designed to infiltrate and completely destroy as many systems as it can in a targeted organization. Here’s how it works: to destroy the largest number of systems in the network, Shamoon carries stolen administrative credentials as part of its internal code. These credentials, which are likely stolen during an earlier reconnaissance phase, are “hardcoded” into the attack. Because the specific authentication for a particular company’s network is placed in Shamoon ahead of the attack, the malware has unfettered access to all resources within that network and is virtually unstoppable once launched.

Three keys to a Shamoon attack

Shamoon has three main components that are used during an attack. The first component is a binary of the malware, which checks the architecture of the compromised system and deploys the correct version for the attack.

The second component is responsible for communicating with a command and control (C&C) server.

The third component is known as the wiper, which executes the destructive sequences that disable systems and destroy data. Among other things, the wiper writes to protected system locations such as the master boot record (MBR) and overwrites files on the system. The latest version, Shamoon 2, leaves a file with a famous picture of a drowned child refugee from Syria, apparently symbolizing the country’s refugee crisis.

In addition to these basic attack capabilities, Shamoon uses data obfuscation and encryption techniques to help it evade detection. It is also equipped with anti-debugging techniques, calling Windows API functions to determine whether it is being analyzed by a debugger or a sandbox. This capability helps the malware move laterally through the network undetected.

Using deception technology to prevent a Shamoon attack

The good news is that new defensive technologies are taking the initiative back from the attackers. One such technology designed to identify and block Shamoon is deception. As its name suggests, deception enables the security operations center team to create and deploy fake IT assets throughout the network. These decoy assets, or traps, lure the cyber attackers during the reconnaissance phase, when they are trying to identify and steal administrator credentials. The same traps also lure and capture Shamoon as it moves purposefully through the network as part of an ongoing attack.

These deception traps appear as real IT assets, such as database servers, file shares, switches, workstations, and industrial control system components, among other things. One touch of a trap identifies attackers decisively and alerts the security operations center team. From there, integrated network access control (NAC) cyber defense isolates and shuts down the attack. Incident data from the alert becomes part of the organization’s broader consolidated threat management systems and security analytics. This is a two-way street, allowing the deception platform to benefit from threat intelligence feeds as well.
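As an added example, not code from the original article or from any deception product, the following Python sketch shows the detection logic behind the two ideas above: a decoy administrator credential planted for a reconnaissance thief to pick up (so that hardcoded stolen credentials include one that no legitimate process ever uses), and decoy hosts that any lateral movement will eventually touch. The log format, hostnames, account name and sample lines are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass

# Constructed inventory of deception assets (hostnames and the decoy account
# are assumptions for this example, not data from a real deployment).
DECOY_HOSTS = {"fs-backup02", "scada-hist01", "sql-archive03"}
DECOY_ACCOUNTS = {"svc_backup_admin"}  # planted bait; never used legitimately

# Assumed log line format: "<time> src=<host> dst=<host> user=<account> action=<verb>"
LOG_RE = re.compile(
    r"^(?P<time>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) user=(?P<user>\S+) action=(?P<action>\S+)$"
)

@dataclass(frozen=True)
class Alert:
    time: str
    src: str
    reason: str

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def evaluate(events):
    """One Alert per event that touches a trap; any touch is decisive, since no
    legitimate workflow should ever reach a decoy host or use a decoy account."""
    alerts = []
    for ev in events:
        if ev["dst"] in DECOY_HOSTS:
            alerts.append(Alert(ev["time"], ev["src"], f"touched decoy host {ev['dst']}"))
        elif ev["user"] in DECOY_ACCOUNTS:
            alerts.append(Alert(ev["time"], ev["src"], f"used decoy credential {ev['user']}"))
    return alerts

def isolation_targets(alerts):
    """Source hosts to hand to NAC for quarantine, each listed once."""
    return sorted({a.src for a in alerts})

# Constructed sample log lines, not from a real incident.
SAMPLE_LOG = """\
2017-01-23T02:14:07Z src=ws-041 dst=fs-hr01 user=jsmith action=logon
2017-01-23T02:14:09Z src=ws-041 dst=fs-backup02 user=svc_backup_admin action=admin_share
2017-01-23T02:14:10Z src=ws-041 dst=ws-077 user=svc_backup_admin action=smb_write
2017-01-23T02:14:11Z src=ws-112 dst=sql-prod01 user=dbadmin action=logon
"""

def run(log_text=SAMPLE_LOG):
    """Parse the log, raise alerts, and return (alerts, hosts to isolate)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = evaluate(events)
    return alerts, isolation_targets(alerts)
```

In the sample, the workstation ws-041 trips two traps in one second while spreading with the planted credential, and is the only host handed to NAC; the ordinary logons on the other lines raise nothing.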

In summary, these new technologies can help organizations meet and stop Shamoon 2, baiting the attackers and keeping them engaged while the threat is contained, so that normal operations can be rapidly resumed.

Moshe Ben Simon

About Moshe Ben Simon

Moshe Ben Simon is Co-Founder & VP Services at Trapx Labs. An expert in cybersecurity, malware, and other security topics, Ben-Simon was formerly CEO at Injection Security, head of the security consultant department at Ness Technologies, and information security senior consultant at Comsec.
