There is evidence that Iranian hackers are behind last week’s Shamoon cyber-attacks on oil and gas companies in the Gulf and Europe, industry experts said.

Alister Shepherd, Middle East and Africa director for Mandiant at FireEye, told Gulf News that it is the same Shamoon malware which wreaked havoc a few years ago. In 2012, Shamoon crippled hard drives of tens of thousands of computers at Saudi Aramco and Qatar’s RasGas. An Iranian hacker group had claimed responsibility.

“Our initial technical analysis reveals that there are links between the current variants and the previous variants and it is linked to Iranian nexus groups,” Shepherd said.

The Italian oil and gas services company Saipem first reported that its servers in Italy, Middle East, India and Aberdeen have been hit by a cyber-attack on December 10.

Dick O’brien, threat researcher at Symantec, said that Shamoon, which re-emerged after a gap of two years, is back in a more destructive form.

“It is the same type of malware that we saw in 2016 but another organisation in Saudi Arabia which was attacked recently by another group known as Elfin (aka APT33 or Advanced Persistent Threat 33) means it is possible that the two incidents are linked and there is a possibility that it could be from Iran but we don’t have evidence to prove it,” he said.

“But it has hallmarks of state-sponsored attacks,” he said.

Unlike previous Shamoon attacks, he said that latest attacks involved a second piece of wiping malware that deletes and overwrite files on the infected computer after which Shamoon will erase the master boot record of the computer, thus making it unusable.

However, US security firm FireEye said that APT33, APT34 and APT35 are from Iran and their victims span every sector and extended well beyond regional conflicts in the Middle East.

Shepherd said that the primary focus on the oil and gas sector by the hackers is that it will have a big impact publicly and partially due to the sanctions.

With the US exiting the Joint Comprehensive Plan of Action (JCPOA), also known as ‘Iran nuclear deal’, he said that Iran would retaliate against the US and its allies, including the Middle East, using cyber threat activity.

“The sophistication and volume of attacks from Iran have been consistently increasing and will continue next year also due to geopolitical events. Iranian-nexus hackers will resume probing critical infrastructure networks in preparation for potential operations in the future,” he said.

Nicolai Solling, Chief Technology Officer at Help AG Middle East, said that the real impact of Shamoon will be felt only after a few days.

“Since we are so dependent on IT systems, warfare has moved on to platforms. We have seen it numerous times,” he said.

Source » gulfnews