
Destructive Shamoon Malware Targets Energy Sector

Soulskill posted more than 2 years ago | from the tilting-at-windmills dept.

Security 34

An anonymous reader writes "A new spear-phishing attack targeting a number of specific companies in a few industries, including the energy sector, has been spotted by several security companies. Dubbed 'Shamoon' due to a string of a folder name within the malware executable, the attack ends up with delivering destructive malware on the targeted computers that ends up making them unusable. The interesting part of this malware is that instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the master boot record of the computer."
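The wiper behaviour the summary describes (overwriting the master boot record) is what a boot-sector integrity check is meant to catch. The following is an added example, not code from the original post or from any vendor analysis: it builds a constructed 512-byte MBR, records a baseline hash, and reports findings when a zeroed sector is checked against that baseline. Reading the real sector 0 of a device is left to the caller.

```python
import hashlib
import struct

MBR_SIZE = 512
SIG_LE = 0xAA55            # bytes 0x55 0xAA at offsets 510/511, read little-endian
ENTRY_FMT = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr() -> bytes:
    """Constructed sector, not a real disk image: dummy boot code, one bootable
    NTFS-type partition entry, three empty entries, boot signature."""
    bootstrap = b"\xeb\xfe" + b"\x90" * 444          # 446 bytes: jmp $ + nops
    part1 = struct.pack(ENTRY_FMT, 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    return bootstrap + part1 + b"\x00" * 48 + struct.pack("<H", SIG_LE)


def parse_mbr(blob: bytes) -> dict:
    """Parse the boot signature and the four partition entries of a sector."""
    if len(blob) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    sig_ok = struct.unpack_from("<H", blob, 510)[0] == SIG_LE
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, blob, 446 + 16 * i)
        if ptype != 0:                               # type 0 means unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": sig_ok, "partitions": parts}


def mbr_fingerprint(blob: bytes) -> str:
    """Baseline value to record while the machine is known-good."""
    return hashlib.sha256(blob).hexdigest()


def check_mbr(blob: bytes, baseline_fp: str) -> list:
    """Return findings; an empty list means the sector matches the baseline."""
    findings = []
    info = parse_mbr(blob)
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if not info["partitions"]:
        findings.append("partition table empty")
    if mbr_fingerprint(blob) != baseline_fp:
        findings.append("sector hash differs from baseline")
    return findings


if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = mbr_fingerprint(good)
    print("known-good:", check_mbr(good, baseline))
    print("zeroed:", check_mbr(b"\x00" * MBR_SIZE, baseline))
```

A hash mismatch alone is expected after a legitimate bootloader update, so the baseline must be refreshed as part of change control; the signature and partition-table findings are the ones that point at a wipe.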


And so it begins... (3, Interesting)

noh8rz7 (2706405) | more than 2 years ago | (#41027041)

We're moving from cyber espionage to cyber sabotage. The summary doesn't say what countries are targeted, but it will be interesting to see if this is government sponsored against the middle east, government (china) sponsored against US, or private malicious. A brave new world!

Re:And so it begins... (0)

Anonymous Coward | more than 2 years ago | (#41027153)

This isn't new, cyber sabotage goes back to the 70s. Probably earlier.

The attribution issue (5, Informative)

daveschroeder (516195) | more than 2 years ago | (#41027167)

And that's a huge problem with cyber: attribution. Even if an attack appears to be coming from a particular source, that doesn't mean it originated from and/or was ordered by that source. In fact, intentional misattribution or denial of attribution is yet another element of cyber operations. From a US perspective, we still don't have a comprehensive set of rules of engagement for cyber, or even really have consistent, well-understood definitions for what constitutes "cyber war" (though there's certainly a lot of hype...)

Some relevant recent articles:

---

Cyber Command struggles to define its place on a shifting battlefield - Nextgov

The U.S. Cyber Command, which directs network offensive operations for the Pentagon and protects its networks, is becoming more open about the military’s capabilities in cyberspace. Recently, the Defense Department was forced to show part of its hand when leaks surfaced about U.S.-manufactured cyber weapons and cyber espionage missions. Still, since 2011, the department has told the world it stands prepared to protect U.S. national security interests through cyberspace maneuvers.

http://www.nextgov.com/cybersecurity/2012/08/hacker-wars/57438/ [nextgov.com]

---

Confusion Reigns In Cyber Planning - AVIATION WEEK

Pentagon warfighters have for years been asking for a cybercombat policy, rules of engagement, funding and a less-fragmented chain of authority. But those needs remain unfulfilled as bureaucrats, lawmakers and top Defense Department civilian officials thrash about in a pit of indecision while an international complex of digital threats continues to emerge.

http://www.aviationweek.com/Article.aspx?id=%2Farticle-xml%2FDT_05_01_2012_p38-444018.xml&guid=74908 [aviationweek.com]

---

'Turf War' Slows New U.S. Cyber Rules - Defense News

Despite the ongoing concern about the escalating pace of cyber attacks, a new set of standing rules of engagement for cyber operations — policy guidelines that would specify how the Pentagon would respond to different types of cyber attacks — is being delayed by a debate over the role of the U.S. military in defending non-military networks, sources said.

http://www.defensenews.com/article/20120507/C4ISR01/305070015/-8216-Turf-War-8217-Slows-New-U-S-Cyber-Rules [defensenews.com]

---

Pentagon revamps rules of engagement for cyberwar - The Hill

The Pentagon is rewriting the book on how it defends against and possibly responds to cyberattacks against the United States, the top uniformed officer in charge of the effort told Congress on Tuesday.

http://thehill.com/blogs/defcon-hill/policy-and-strategy/218435-pentagon-revamps-rules-of-engagement-for-cyberwar [thehill.com]

Re:The attribution issue (1)

jeffmeden (135043) | more than 2 years ago | (#41028691)

And that's a huge problem with cyber: attribution. Even if an attack appears to be coming from a particular source, that doesn't mean it originated from and/or was ordered by that source. In fact, intentional misattribution or denial of attribution is yet another element of cyber operations. From a US perspective, we still don't have a comprehensive set of rules of engagement for cyber, or even really have consistent, well-understood definitions for what constitutes "cyber war" (though there's certainly a lot of hype...)

Attribution is a problem, but it certainly isn't a new one. The King got poisoned? Well hell, it could have been spies from any one of our enemies! Or even an ally that wanted us to hate our enemies more! Or even a friend that wanted us to turn on an ally! To the horses! Avenge the King!

But seriously, covert and clandestine operations have been around basically since the beginning of state conflict. "Cyber war" is scary, and some threats are justified, but acting like this is a brave new world really does overstate it a bit. It's the same big scary world out there, we just have a new face on the conflict.

Re:And so it begins... (0)

Anonymous Coward | more than 2 years ago | (#41028107)

What is being targeted are not countries' military assets, because in general they know how to keep themselves locked down.

However, trashing economic interests such as the US solar industry are key for China's dominance.

China has been extremely effective so far:

1: Hack US energy companies.
2: Obtain technology.
3: Use the availability of rare earths and the fact that every Chinese company is technically "government owned" to produce solar panels for less than it costs to make them.
4: ?????
5: Profit on the US stuck in the pissing contest in camel country while they are deploying solar and becoming energy independent.

Re:And so it begins... (1)

jeffmeden (135043) | more than 2 years ago | (#41028759)

You have gravely over-complicated the process...

1. Wait for US energy companies to use a cost-effective manufacturing solution (in China). Hijack trade secrets and hire away skilled workers.
2. Produce a few years worth of product.
3. "Dump" product for less than it cost to make, bankrupting the US based competition.
4. Profit from stockpile of product that can now be sold with little competition.

No ???, because this is exactly what is happening.

Why invite all this attention... (2)

sinij (911942) | more than 2 years ago | (#41027077)

At the risk of giving them more ideas, wouldn't it be simpler to uninstall and erase all traces? Maybe also defrag hard disk on the way out. Corrupted PCs are all but guaranteed to attract attention of IT, who have much greater chance to detect intrusion than your average user.

Re:Why invite all this attention... (1)

gmuslera (3436) | more than 2 years ago | (#41027541)

Maybe by the time you attracted their attention they already did their (visible, like a device malfunction) job, and don't want to leave traces of exactly what they did to trigger that problem.

Re:Why invite all this attention... (2)

Baloroth (2370816) | more than 2 years ago | (#41027829)

The point is probably to cause mayhem by corrupting the systems. It may be targeted, but it doesn't look nearly as targeted as Flame was. It sounds like they just want to cause wanton destruction and chaos by disrupting the target's computer systems, which in some cases is as effective as any subtle attack.

Re:Why invite all this attention... (0)

Anonymous Coward | more than 2 years ago | (#41028829)

At the risk of giving them more ideas, wouldn't it be simpler to uninstall and erase all traces? Maybe also defrag hard disk on the way out. Corrupted PCs are all but guaranteed to attract attention of IT, who have much greater chance to detect intrusion than your average user.

It's the Kansas City Shuffle... While IT is busy figuring out why all the machines got wiped, the virus managed to corrupt the doorlock keycard database to allow unauthorized access to the actual site. Now, spies are sauntering in as maintenance workers and placing the *real* payload in the control systems that make sure the cooling system redundancy is balanced. Or whatever. Not that I would know.

A security guy in the energy industry? (2)

rtfa-troll (1340807) | more than 2 years ago | (#41027117)

My guess: a security guy in the energy industry got bored of his manager refusing to pay for anything other than audits saying "your security is great". This is his way of getting some action. A hero perhaps? If so I hope he knows how not to get caught...

Alternatively, an unsubtle message from the Iranians to the effect of "you have more to lose than we do"?

That is *old school* right there. (0)

Anonymous Coward | more than 2 years ago | (#41027247)

Get in and format c:\, delete the MBR. lol

Is that line Sha'mon? (0)

Anonymous Coward | more than 2 years ago | (#41027325)

Michael Jackson is rolling in his grave.

'dah! hee hee hee

Re:Is that line Sha'mon? (1)

Critical Facilities (850111) | more than 2 years ago | (#41027457)

Man, that's bad. Bad. Really, really bad.

Re:Is that line Sha'mon? (1)

Richy_T (111409) | more than 2 years ago | (#41027991)

I agree. Beat it!

Re:Is that line Sha'mon? (1)

Em Adespoton (792954) | more than 2 years ago | (#41030291)

Man, that's bad. Bad. Really, really bad.

You know it!

ah, a good old fashioned virus (4, Informative)

logicassasin (318009) | more than 2 years ago | (#41027333)

Reminds me of the late 80's and 90's where malware typically deleted your files and otherwise screwed up your computer.

We have come full circle.

Re:ah, a good old fashioned virus (0)

Anonymous Coward | more than 2 years ago | (#41027453)

what's old is new again!

Re:ah, a good old fashioned virus (1)

couchslug (175151) | more than 2 years ago | (#41028645)

Too bad it is less common now. That would FORCE people to take better security measures they will refuse to do otherwise.

Re:ah, a good old fashioned virus (0)

Anonymous Coward | more than 2 years ago | (#41029501)

Too bad for most people, then. Bad guys make more money on having zombies or keyloggers on machines than they do by nuking them from orbit.

The destructive viruses of yesteryear (2, Informative)

Anonymous Coward | more than 2 years ago | (#41027355)

"instead of staying under the radar and collecting information, the malware was designed to overwrite and wipe the files and the master boot record of the computer."

In other words, a return to the classic viruses of the late 80's and 90's. It's been years since I've seen any virus that does anything more than remotely spy/lurk or disrupt internet connectivity.

Re:The destructive viruses of yesteryear (2)

rtb61 (674572) | more than 2 years ago | (#41027817)

The reality is they are not all that destructive unless you can sneak them onto a computer manufacturer. Those viruses became futile because of course they inherently destroy themselves and spread is very limited. Usually they are left behind after a system has been cracked to cover up the trail. Of course they could also be used to hide other things being done, i.e. computer crashes, gets repaired, the blatant virus cleaned off and everyone thinks they are safe but they have actually missed a critical back door that has been introduced into the system.

don't copy that floppy! (2)

tekrat (242117) | more than 2 years ago | (#41027733)

It may have a virus on it.

I remember trying to get users at a local Amiga user group to dial in to my BBS, and many of them said at the time "No, I don't connect to a BBS 'cause I might get a virus".

I bet those same people were the first ones on the internet however, and are still running their Windows 2000 PC connected directly to the cable modem...

Ah, the good old days, when Virii were destructive. But now, with 500GB HD's being the norm, they get to be even MORE destructive. I mean, loosing a floppy with at most 800k of data on it was one thing, but a 500GB HD? Yowza, I can't wait to hear the screams.

Re:don't copy that floppy! (0)

Anonymous Coward | more than 2 years ago | (#41028029)

The data on the small floppy was probably more important than the 500gb drive.

Re:don't copy that floppy! (0)

Anonymous Coward | more than 2 years ago | (#41028313)

I mean, loosing a floppy

How vulgar!

Re:don't copy that floppy! (1)

Bryansix (761547) | more than 2 years ago | (#41028553)

This is why RAID 1 is not the same as BACKUP.

"Energy Sector"? "Energy companies?" (1)

rrohbeck (944847) | more than 2 years ago | (#41027851)

Which ones?
It seems to be targeted against specific companies. There's a rumor that Saudi Aramco is one of them.
The set of target companies should give us a very good idea of the purpose. Economic? Political?

Re:"Energy Sector"? "Energy companies?" (1)

tomhath (637240) | more than 2 years ago | (#41028227)

According to the linked article (which apparently you didn't read): "The researchers have not said which company has been the target of Shamoon attacks, but it is widely speculated that it could be Saudi Aramco"

Re:"Energy Sector"? "Energy companies?" (1)

rrohbeck (944847) | more than 2 years ago | (#41028755)

I did read it and I'd like to know.

Attention Virus Writers (2)

EmagGeek (574360) | more than 2 years ago | (#41027959)

The 80's called. They want their viruses back.

forgot something (1)

awpoopy (1054584) | more than 2 years ago | (#41029215)

Dear OP,

the malware was designed to overwrite and wipe the files and the master boot record of the computer.

the malware was designed to overwrite and wipe the files and the master boot record of the WINDOWS computer.
There, fixed it for you.

Re:forgot something (1)

Em Adespoton (792954) | more than 2 years ago | (#41030393)

Indeed... they would have injected rm -rf /. or even dd if=/dev/zero of=/dev/sda bs=1M otherwise.

Obviously, they were targeting specific machines, and those machines happened to run Windows. Phishing for escalation and destroying drives in such a brazen way is going to work on whatever system they target. Of course, why the energy companies are running Windows instead of something more unixy is a puzzler in itself.

Re:forgot something (1)

couchslug (175151) | more than 2 years ago | (#41032891)

Of course you were downmodded for pointing that out.

Winlots strike again!
