FireEye, the intelligence-led security company, recently discovered a wave of attacks targeting the GCC states.
In 2012, a suspected Iranian hacker group called the “Cutting Sword of Justice” used malware known as Shamoon – or Disttrack – to target energy companies in the Middle East. During that incident, tens of thousands of computers were compromised. In mid-November, Mandiant responded to the first Shamoon 2.0 incident against an organisation located in the Gulf States. Since then, Mandiant has responded to multiple incidents at other organisations in the region.
Shamoon 2.0 is a reworked and updated version of the malware we saw in the 2012 incident. Analysis shows the malware contains embedded credentials, which suggests the attackers may have previously conducted targeted intrusions to harvest the necessary credentials before launching a subsequent attack.
While it is widely believed that Iran-based threat actors launched the Shamoon attacks of 2012, it is still unclear who was behind the recent incident or the extent of compromise.
Recommended action
In light of these attacks, it is strongly recommended that critical infrastructure organisations and government agencies (especially those in the GCC region) continue to regularly review and test disaster recovery plans for critical systems within their environment.
Should a breach be suspected, it is also recommended that client-to-client communication be stopped, so as to slow down the spread of the malware.
The credentials of all privileged accounts should be changed, and local administrator passwords should be unique to each system so that a single harvested credential cannot be reused across the environment.