StoneDrill also features advanced anti-detection techniques and espionage tools in its arsenal.
In addition to a target in the Middle East, a StoneDrill target has also been discovered in Europe, where wipers used in the Middle East have not previously been spotted in the wild.
In 2012, Shamoon was identified as the latest in a line of attacks targeting infrastructure, a line that included Stuxnet, which was designed to hit nuclear infrastructure in Iran, and Duqu, Flame and Gauss, which sought to infiltrate networks to steal data.
“From Stuxnet to Shamoon 2 there is a distinct evolution to more advanced malware being targeted at industrial control systems,” according to Azeem Aleem, director of advanced cyber defence practice for Europe, Middle East and Africa (Emea) at RSA.
In 2012, Shamoon took down around 35,000 computers at oil and gas company Saudi Aramco, putting 10% of the world’s oil supply at potential risk.
However, the malware was not seen again until late 2016, when a heavily updated version of the malware was identified and dubbed Shamoon 2.0.
While exploring these attacks, Kaspersky Lab researchers discovered StoneDrill, which, although similar in style to Shamoon 2.0, has unique characteristics and is more sophisticated.
Although researchers believe StoneDrill was created separately from Shamoon, it shares enough characteristics to have been picked up by tools developed to detect Shamoon.
The researchers said that while it is still not known how StoneDrill is propagated, once installed, it injects itself into the memory of the user’s preferred browser process.
During this process, they said, it uses two sophisticated “anti-emulation” evasion techniques and then starts destroying (wiping) the files on the computer’s disk.
The researchers also found a StoneDrill backdoor, which appears to have been developed by the same code writers and used for espionage purposes. They discovered four command and control panels which were used by attackers to run espionage operations with the help of the StoneDrill backdoor against an unknown number of targets.
To protect organisations from such attacks, Kaspersky Lab advises:
- Conduct a security assessment of the control network to identify and remove any security loopholes.
- Review supplier security policies to ensure none have direct access to the control network.
- Request external intelligence that helps organisations predict attacks on industrial infrastructure.
- Train employees, paying special attention to operational and engineering staff.
- Provide protection inside and outside the perimeter, including detection and response.
- Evaluate advanced methods of protection such as specialised network monitoring.
Although similar in style to Shamoon, StoneDrill also appears to have connections to several other wipers and espionage operations observed previously, said researchers.
They observed code similarities to the NewsBeef APT, also known as Charming Kitten – another malicious campaign which has been active in the last few years.
“We were intrigued by the similarities and comparisons between these three malicious operations,” said Mohamad Amin Hasbini, senior security researcher of the global research and analysis team at Kaspersky Lab.
The most likely scenario, he said, is that StoneDrill and Shamoon were developed by two different and unconnected groups with similar objectives.