Oil and gas companies within the Middle East and Russia have once again been targeted and attacked by various strains of malware. One of the strains appears to be the third version of the Shamoon worm that ran rampant in 2016, and the other one is known as Seedworm, named after the cyber espionage group that created it.
Shamoon was built as a master boot record eraser that infected Windows® based machines so that once exploited they could not reboot once turned off. Back in 2016, Shamoon spread by using a list of hostnames taken directly from the Active Directory of a compromised host. Version 3 has discarded this method of infection and follows in the footsteps of WannaCry and NotPetya, propagating over compromised networks using the Server Message Block protocol within Windows. 300 servers and 100 personal computers out of a total of 4000 machines have been crippled in the attack against Italian oil and gas contractor Saipem. Luckily no data was lost due to the company backing up their systems, proving the importance of having proper disaster recovery policies in place.
Seedworm has infiltrated more than 30 organizations already, with most of the targets within the Middle East and Russia. Telecommunications and IT services were the main targets due to the fact that agencies could provide the hackers with additional targets to attack, but the second target were businesses in the oil and gas industry. Seedworm uses a tool called Powermud, a custom made script that allows the threat actors to evade detection in systems that Seedworm compromises. Once compromised, Seedworm executes a payload that scans through web browsers and email to steal credentials, giving researchers the opinion that gaining access to victim personal information is the hacker group’s primary goal. Seedworm, also known as MuddWater or Zagos, is well known for constantly changing tactics. By relying on public tools available on repositories such as GitHub allows the group to quickly update and alter operations through only applying small changes to the code.
The security of the gas and oil industries is essential to maintain stability in the nation’s critical infrastructure. As more and more malware strains become increasingly sophisticated in their execution, so should the enforcement of the policies and procedures to defend against them. With the digitization of the industry, over 50 percent of the managers responsible for the protection of the industry have said they are more vulnerable to cyber attacks then ever before.