This week, news broke that Italian oil services company Saipem had been hacked and that its UAE and Saudi servers had been targeted.
Now, a new report by Reuters has revealed that the cyber attack was committed with a variant of the infamous Shamoon virus, the same one used to hack Saudi Aramco in 2012.
A common accomplice?
Saipem’s head of digital and innovation Mauro Piasere told Reuters on Wednesday that the firm suspects that a Shamoon variant caused between 300 to 400 computers to stop working in an attack that was disclosed by the company on Monday and primarily affected its servers in the Middle East.
So why does this ring a bell? That’s because the Shamoon virus was used in some of the most damaging cyber attacks in history, starting in 2012 when it crippled tens of thousands of computers at Saudi Aramco and RasGas Co Ltd in the Middle East – attacks that cybersecurity researchers said were conducted on behalf of Iran, Reuters explained.
Former US Defense Secretary Leon Panetta has said the 2012 Shamoon hack on Saudi Aramco was probably the most destructive cyber attack to date on a private business, the news agency said.
It also just happens that Saudi Aramco is Saipem’s biggest customer, which is most likely no coincidence.
What were the repercussions of the attack?
On Monday, December 10, Milan-based oil services company Saipem suffered a cyber attack that crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines, Piasere told Reuters. The affected machines were located in Saudi Arabia, the UAE, Kuwait, India and Scotland, he noted.
However, no data will be lost because the company had backed up the affected computers, he said. The company said it first identified the attack on Monday.
Unsurprisingly, the attack sent the company’s share value falling, from $4.36 (€3.83) on Monday to $4.16 (€3.66) as of this writing, on Thursday.
According to Construction Week Online, Saipem has had a tough year after it slipped further into the red, following a net loss of $409m for the first nine months in 2018. This came despite a significant contract from Saudi Aramco for the South Gas Compression Plant Pipelines project.
What is the Shamoon virus?
US news site Axios reported that Chronicle, the cybersecurity division of Alphabet (Google’s parent company), had seen telltale signs of Shamoon usage ahead of the attack. Chronicle discovered a file containing Shamoon uploaded to its VirusTotal site, a database where anyone can upload a file to be scanned for malware.
Chronicle discovered that the new Shamoon was set to detonate on Dec. 7, 2017, at 11:51 pm, but was only uploaded on Monday, the day of the attack.
Brandon Levene, head of applied intelligence at Chronicle, said that “this variant is very strange,” commenting about the virus’ unusual structure and delivery.
Chronicle noted in a statement: “While Chronicle cannot directly link the new Shamoon variant to an active attack, the timing of the malware files comes close to news of an attack on an Italian energy corporation with assets in the Middle East.”
Axios explained that Shamoon famously wipes the hard drives of networked computers after sending the attacker a list of the filenames that will be deleted. But in this latest variant of Shamoon, the lack of access to command and control servers means that function no longer works.
Reuters explained that Shamoon disables computers by overwriting a file known as the master boot record, making it impossible for devices to start up.