Cybersecurity researchers have uncovered a new threat targeting infrastructure in the energy sector that is believed to have hit at least one organisation.
The malware, dubbed Shamoon, corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable, according to security firm Symantec.
The attack is designed to penetrate a computer via the internet and then target other computers on the same network.
Data on the targeted computers is deleted and replaced with image files to prevent data recovery.
The threat, also known as W32.Disttrack, consists of three main components, the security firm said. These are the:
- Dropper – the main component and source of the original infection. It drops a number of other modules.
- Wiper – responsible for the destructive functionality of the threat.
- Reporter – responsible for reporting infection information back to the attacker, including a domain name, the number and names of files overwritten, and the IP address of the compromised computer.
Last week, Saudi Arabia's national oil company Saudi Aramco said a cyber attack had led to its network being taken offline, according to the BBC.
Although the energy firm did not link the issue to the Shamoon threat, it confirmed that it had suffered a "sudden disruption", but claimed that production had not been affected.
In a statement, Saudi Aramco said it had isolated its computer networks as a precautionary measure.
The disruptions were "suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network", the statement said.
On Pastebin, a site often used by hackers to anonymously lay claim to attacks, the Arab Youth Group claimed it had "targeted administrable structures and substructures of Aramco, and also the Stock Exchange of Saudi Arabia", according to the Guardian.
This action was supposedly carried out to "warn the Saudi rulers", but the group provided no way to verify the claim, the paper said.
According to Symantec, threats with such destructive payloads are unusual and are not typical of targeted attacks.
According to security firm Kaspersky Lab, this unusual wiper behaviour was also found in April in another, still unknown, piece of malware attacking machines in Iran, which led Kaspersky to the discovery of Flame.
Shamoon is the latest in a line of attacks that have targeted infrastructure. It follows Stuxnet, which was designed to hit nuclear infrastructure in Iran, and Duqu, Flame and Gauss, which have sought to infiltrate networks to steal data.