This follows other similar attacks believed to have been carried out by Iran in an attempt to wipe potentially important information from the targeted Saudi network
Jukebox | 10 Jan 2020
The National Cybersecurity Authority (NCA) in Saudi Arabia has disclosed that it discovered new data-wiping malware which it suspects originates from Iran.
This closely follows the war tensions reported between Iran and the United States in the wake of an unexpected drone strike by the United States which killed a respected Iranian army commander, Qassem Soleimani.
The Authority said the attack was detected shortly after the malware was deployed on 29 December against an unnamed victim. It also assessed the operation as a rushed job: the attackers appear to have acted with extreme urgency, making mistakes along the way and leaving behind a trail that helped the Authority identify their footprint.
The malware, dubbed “Dustman”, was built to wipe data, much like a similar wiper previously discovered by IBM, which attributed it to a hacking group called APT34 affiliated with the Iranian government. That earlier malware was used to attack industrial organisations in the Middle East last year.
The malware was used to wipe data from the targeted networks and is suspected to be the work of Iranian hackers.
Adam Meyers, Vice President of Intelligence at CrowdStrike, noted that Dustman bore a strong resemblance to the malware used in the 2012 attack on Saudi Aramco.
[The Dustman malware] is consistent with Iranian capability and operations going back to 2012. It’s the latest variant in a line of wiping tools that’s meant to cause data disruption and destruction. This is part of the likely retaliatory package that is being considered by Iran. They understand the asymmetric power of cyber operations.
He compared the suspected Iranian attacks to the activities of Russian hackers, concluding that both are intended to intimidate their targets. He said, “It’s meant to have a psychological impact on the target.”
Investigating how the group gained access, the Saudi Authority said it believed the attackers broke in by exploiting a vulnerability in a known VPN application. Once inside, they obtained administrative accounts and launched the malware from there.
The Authority stated that the Dustman malware
Was compiled, possibly on the threat actor infrastructure, [a] few minutes before deploying it on the victim’s network. This is inconsistent with known destructive attacks as they [are] usually tested before being deployed.
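The build-to-deployment gap the NCA describes is something a defender can check for directly: a binary whose PE compile timestamp sits only minutes before its first observed execution is worth triaging. The following is an added illustration, not code from the NCA or any vendor; the byte offsets follow the PE/COFF specification, while the 30-minute window and the sample timestamps are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    # e_lfanew at offset 0x3C points at the 'PE\0\0' signature.
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, pe_off + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def compiled_just_before_run(data, first_seen, window=timedelta(minutes=30)):
    """True when the build time falls within `window` before first execution.
    A build-to-run gap of minutes is rare for legitimate software; the NCA
    described exactly that gap for Dustman. The 30-minute window is an
    assumed tuning value, not a published indicator."""
    gap = first_seen - pe_compile_time(data)
    return timedelta(0) <= gap <= window


def make_stub_pe(stamp: int) -> bytes:
    """Constructed minimal PE header (not runnable code) for testing."""
    hdr = bytearray(0x40 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    # Machine=AMD64, one section, then the timestamp under test.
    struct.pack_into("<HHI", hdr, 0x44, 0x8664, 1, stamp)
    return bytes(hdr)


def demo() -> tuple:
    """Constructed samples: one built 12 minutes before first run, one 40 days before."""
    seen = datetime(2019, 12, 29, 2, 12, tzinfo=timezone.utc)  # constructed time
    rushed = make_stub_pe(int((seen - timedelta(minutes=12)).timestamp()))
    mature = make_stub_pe(int((seen - timedelta(days=40)).timestamp()))
    return (compiled_just_before_run(rushed, seen),
            compiled_just_before_run(mature, seen))


if __name__ == "__main__":
    print("rushed build flagged, mature build flagged:", demo())
```

Compile timestamps can be zeroed or forged (reproducible builds, deliberate tampering), so a hit is a triage lead to correlate with other telemetry, not proof on its own.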
A memo the Saudi authorities drafted and shared after the attack said that, while they were not attributing it to any specific group, they believed it was state-sponsored.
It is in line with the previous activities we saw from groups attributed to Iran. Yet the damage has been limited compared to previous years due to NCA’s heavy involvement with the target at early stages.