New Shamoon Variant

A new variant of the Shamoon malware has destroyed significant amounts of data at a UAE "heavy engineering company" and the Italian oil and gas contractor Saipem.

Shamoon is the Iranian malware that was targeted against the Saudi Arabian oil company, Saudi Aramco, in 2012 and 2016. We have no idea if this new variant is also Iranian in origin, or if it is someone else entirely using the old Iranian code base.

Posted on December 17, 2018 at 6:30 AM • 9 Comments

Comments

Clive RobinsonDecember 17, 2018 3:18 PM

From the article,

But it’s unclear who is behind the latest attacks, according to cybersecurity experts from Symantec and Chronicle, an Alphabet-owned company.

Hmm two fairly major industry players finally showing a little caution in atribution...

Has storm Deirdre been passing through hell[1]?

In all seriousness it's nice to see the industry developing a healthy bit of skepticism at last. Now all we have to do is start ignoring "off the record" and "anonymous sources" who are frequently pushing a political line. Reliance on such gave rise to one edge of "Yellow Journalism".

Untill things can be firmed up the sensible thing to do would be a "follow the money" type analysis followed by a modified "SWOT" annalysis on the candidates thrown up, remembering that "political capital" can be treated like "financial capital".

I've done this before, with reasonable results, but I think it's time I let others have a go, as demonstration only goes so far on the learning curve.

Oh just remember last year the USA was for the first time in many years "a net oil exporter" it's going to skew things a bit.

[1] Because she's sure given Scottland the "Freezes Over" treatment...

Ismar December 18, 2018 12:14 AM

@Clive
Aren’t you afraid that we just may shoot our selves in the foot if we perform the follow-the-money analysis and publish the findings 😀?

IsmarDecember 18, 2018 12:26 AM

@All
“security researcher who analyzed the Shamoon files uploaded on VirusTotal told ZDNet that this is somewhat incorrect. This version of Shamoon overwrites original files with garbage data. This garbage data might look like encrypted content to an untrained eye, but it's just random bits of information that can't be recovered with an encryption key.”

How can you tell- anyone?

Denton ScratchDecember 18, 2018 3:24 AM

@Merley

Clive suffers from word-blindness. He can't spell his way out of a wet paper bag. We've all got used to it. You might call it a shibboleth - if there isn't a spello in there somewhere, it's probably an impostor.

POLARDecember 18, 2018 4:49 AM

"The attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines, the company’s head of digital and innovation, Mauro Piasere, told Reuters"

ErichDecember 18, 2018 8:03 AM

@Merley @Denton Scratch

Yeah, Merley, you can serve as a warning to others -- it's a good idea to go back through some of the archives before posting about someone. Clive is a treasure but can't spell for sh*t!

dithererDecember 25, 2018 5:36 PM

Re: Clive's typos

I love "encumbrants", a portmanteau of "encumbrance" and " incumbents".

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.