New Virus Targets Energy Sector, Causes Sudden Network Disruption

The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network.

The cybersecurity firm, Symatec, described Shamoon as “a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable.”

The virus is reminiscent of Wiper and Flame in that the sole purpose is to overwrite the information on the infected computer and wipe it out, as opposed to many viruses that lurk unnoticed and gather information.

It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable,” wrote security firm Symantec.

The attack was designed to penetrate a computer through the internet, before targeting other machines on the same network that were not directly connected to the internet.

Once infected, the machines’ data is wiped. A list of the wiped files then sent back to the initially infected computer, and in turn passed on to the attacker’s command-and-control centre.

During this process, the attack replaces the deleted files with JPEG images – obstructing any potential file recovery by the victim.

BBC News

Seculert, another cybersecurity firm, provided further analysis.

 Shamoon uses a two-stage attack. First it infects a computer connected to the internet and turns this into a proxy to communicate back with the malware’s command-and-control server. After that, it branches out to other computers on the corporate network, steals information, then executes its payload and wipes the machines. Finally, it communicates this to the external command-and-control server.

The International Business Times has reported that a group of hackers identifying themselves as the Arab Group Youth have claimed responsibility for the attack, saying the purpose was to warn the Saudi government and in particular the House of Saud, the ruling royal family of Saudi Arabia against “continuing to betray the nation”. Thus far, the group has been unable to verify their responsibility for the cyberattack.

The virus bears a striking resemblance to the Duqu trojan of 2011.  Regarding the source of that virus, Mac Slavo of SHTFplan wrote, “The Duqu trojan doesn’t seem to have originated from individual hackers or hacking groups, or foreign intelligence services. Rather, like Stuxnet, the virus was likely written under control and/or guidance of U.S. intelligence, possibly in collaboration with Israeli intelligence.”

 Thus far the damage is minimal – only 50 computers have been affected, but ARS Technica has recommended vigilance. “That’s a tiny number, but given its focus on energy companies and its resemblance to software that reportedly targeted Iran’s oil ministry, it’s worth keeping an eye on.”

In 2011, alternative journalist Mac Slavo predicted precisely this scenario, with the rise of malware such as the Duqu trojan .   This malware, he stated, was capable of directly attacking the infrastructure, potentially resulting in a “digital apocalypse.”

Once it acquires all of the necessary information, such as personnel access codes, security certificates and a mapped layout of a particular grid infrastructure, it wouldn’t take much to take things to the next level.

Imagine for a moment the effect of an attack on major refining operations, cascading electrical outages, urban water purification systems that added excessive chemicals to water supplies, or the massive flooding that might result if a dam were compromised.

It is not a large stretch of the imagination to recognize the vulnerability of our own energy sector to such attacks.