Posted by Robert Vamosi on December 1, 2016
The data on thousands of computers at the headquarters of the General Authority of Civil Aviation in Saudi Arabia was erased starting in mid-November by malware from “outside the country,” according to a state report.
On Thursday, the state-run Saudi Press Agency confirmed that a series of attacks on government systems, especially the transportation sector. The attacks were aimed at halting operations, stealing data and planting viruses, the news agency reported.
Citing anonymous sources, Bloomberg, reported that evidence suggests the attacks emanated from Iran. “So far, investigators have found no evidence to suggest a country other than Iran was involved in the attacks, the people briefed on the probe say,” Bloomberg wrote. “However, it’s also possible that attacks of these kind can be mimicked to make them look like they come from a particular country.”
Dimitri Alperovitch at Cloudstrike wrote in a company blog how the current attack in Saudi Arabia echoed an attack on the oil and gas industry in 2012. Known as Shamoon, it cost the energy industry millions by erasing data collected from oil platforms in the Middle East. Both Saudi Arabia and Iran were affected by the malware.
“This new variant of Shamoon kept many of its original tactics, down to the commercial raw disk ElDos driver that was used for disk wiping (including the original trial license key for this driver) that had been used in the original attacks,” Alperovith wrote. “That ElDos trial key was only valid for 30 days and expired by September 2012. In order to continue to use the key, the wiper now has to reset the Windows system clock back to August 2012 to manipulate the license validation process.”