Incident Of The Week: Shamoon Virus Cripples Hundreds Of Computers

Middle East Hit With Malware

Add bookmark

Esther Shein

A variant of the notorious Shamoon virus is the culprit behind a cyberattack on Italian oil services firm Saipem, which left between 300 and 400 of its computers crippled, Reuters reported. The discovery links this case to a massive attack in 2012 on Saudi Aramco, Reuters reported.

“The cyberattack hit servers based in the Middle East, India, Aberdeen and in a limited way Italy through a variant of Shamoon malware,” the Milan-based company said in a statement this week. Saipem is working to fully restore operations “in a gradual and controlled manner.”

The Shamoon virus has been used in some of the most damaging cyberattacks of all time, beginning in 2012 when it crippled tens of thousands of computers at Saudi Aramco and RasGas Co Ltd in the Middle East - attacks that cybersecurity researchers said were conducted on behalf of Iran.

Saipem’s head of digital and innovation Mauro Piasere told Bloomberg officials were keeping the servers offline so they could figure out what happened, and that there is no evidence data was stolen. The company had backed up the affected servers, he said. Servers in the United Arab Emirates and Saudi Arabia were the hardest hit, Piasere said, and the only attack in Europe was in Aberdeen, Scotland, where the company has fewer than 30 employees.

See Related: 2019 Global Report:Cryptocurrency's Role In Cyber Attacks

Saipem is considered a significant international oil and gas leader responsible for core infrastructure in Italy, and as a result, is an attractive target of financially-motivated and state-sponsored attackers, Stefano Zamero, a professor of computer security at Italian university Politecnico di Milano told Bloomberg.

Shamoon disables computers by overwriting a file known as the master boot record, making it impossible for devices to start up. It spreads to computers on a network through a dropper, according to TechTarget and has the ability to compile lists of files, send information back to the attacker and erase some or all of the compromised files.

The virus has been used for cyber espionage, especially in the energy sector. Former U.S. Defense Secretary Leon Panetta has said the 2012 hack of Saudi Aramco, Sapien’s largest customer, was probably the most destructive cyberattack on a private business, Reuters said.

Shamoon went dormant before resurfacing in late 2016 in a series of attacks in the Middle East that continued through early 2017.

Several security researchers believe people working on behalf of the Iranian government were responsible for previous Shamoon attacks, although Tehran has vehemently denied the accusation, Reuters reported.