3. What is the Shamoon Attack?
● Malware that attacked newly updated 32 bit Windows NT
kernels.
● At the time the malware was distinct from other viruses
due to its destructive nature
● The virus was simply designed to cause maximum
devastation to the target- Saudi Aramco
● The Shamoon Attack was carried out twice, once in 2012 &
2016
4. Attackers
● Cutting Sword of Justice
● Have not been caught or identified
● Sent a phishing email that contained a bad link
which allowed the hackers to gain access
5. Target
● Saudi Arabian Oil Company, also known as Saudi
Aramco
● Have the 2 largest oil reserve in the world
○ Supply 10% of the world's oil
● 10.53 million barrels of oil per day
6. Vulnerability
● Admin passwords was already known
● Email contained malicious link
● Most staff was on holiday
● Windows User Access Control exploited
● Registry modified
● Network allowed worm to spread
7. Motivation
● Act of Cyber Activism
● Fed up with Al Saud Regime oppression against other
countries
● One theory is that the attacks are retaliatory measures
against the U.S. for:
○ Stuxnet, the U.S-Israeli backed malware that disrupted
Iran’s nuclear enrichment program
○ Payback for the severe U.S.-imposed sanctions that have
sent the Iranian economy into a tailspin.
8. Motivation Cont.
● The other theory suggests that the attack was highly
motivated by the “deep-wrath”, against the Saudi
Government because of:
● The Saudi government’s assistance to Sunni(denomination
of Islam) factions in Syria and Bahrain.
● The mistreatment of the Shiites(other denomination of
Islam) by Saudi Aramco.
9. Approach
● Shamoon used a destructive malware to wipe data from about
30,000 machines and prevented the machines from rebooting
● The worm-like malware that was used, corrupted files on a
compromised computer and it overwrote the Master Boot Record
(MBR) to make an effort to make the computer unusable
10. Approach Cont.
● At the time of the initial attack it was thought Shamoon was a
copycat attack that mimicked Wiper
● Three components that Shamoon has used were:
○ Dropper
○ Wiper
○ Reporter
11. Dropper
● Main area where the original infection starts (The main
component of the attack)
● How it works:
1. Copies itself onto the system and will drop files embedded
into resources
2. Also, make copies of itself on shared networks
3. Create a task to execute itself whenever Windows starts
12. Wiper
● Responsible for the destructive functionality of the threat that is
being placed
● How it works:
1. Deletes existing driver from certain locations and overwrites
them with another real driver
2. Then executed commands that collect file names, which gets
overwritten and becomes useless to the users
3. The MBR will get overwritten so that the computer can no
longer start
13. Reporter
● Reports infection data back to the attack
○ Ex: domain name, the number of files that
were overwritten, and the IP address of the
compromised computer
14. Shamoon 2.0 Approach
● The approach for Shamoon 2.0 is very similar, but the
technology is more advanced
● 90% of the original code used in Shamoon is being reused
○ But comes with a fully functional ransomware module
○ Common wiping functionality
○ Installs a legitimate-looking driver
● Dropper and Wiper are the same expect the final part of the
attack was completely automated
16. Outcome
● Aramco was forced to shut down corporate network
○ Trucks were turned away since electronic payment was
down
● The attack could have been much worse
○ No drops of oil
● Five months later a new secured computer network and an
expanded cyber security team was implemented
17. Prevent an attack and
Recovery
● Ensure privileges are given to the right people
● Email and web browsing is a huge vulnerability
● Don’t let your guard down
● Network firewall rules
● 3,2,1 backup rule
● Access internal threats
19. Conclusion
● Wakeup call for Saudi Arabian Oil Company
● Attacker was able to gain access, read, and destroy data
● Took 5 months to fully recover
20. References
Alelyani, S., & Kumar, H. (n.d.). Overview of Cyberattack on Saudi Organizations. Retrieved from
https://journals.nauss.edu.sa/index.php/JISCR/article/view/455
Case, D. U. (2016). Analysis of the cyber attack on the Ukrainian power grid.
Electricity Information Sharing and Analysis Center (E-ISAC).
Mills, E. (2018). Saudi Oil firm says 30,000 computers hit by virus. Retrieved from
https://www.cnet.com/news/saudi-oil-firm-says-30000-computers-hit-by-virus/
Pagliery, J. (2015, August 5). The inside story of the biggest hack in history. Retrieved November 5,
2018, from https://money.cnn.com/2015/08/05/technology/aramco-hack /index.html
Perlroth, N. (2012, October 24). In Cyberattack on Saudi Firm, U.S. Sees Iran Firing Back.
Retrieved November 13, 2018, from
https://www.nytimes.com/2012/10/24/business/global/cyberattack-on-saudi-oil-firm-disquiets-
us.html
Saudi Arabia Crude Oil Production:. (n.d.). Retrieved November 12, 2018, from
