Iranian Data Wiper Strikes at Bahrain’s National Oil Company
Written by Karolis Liucveikis on
With tensions near the boiling point between Iran and the US, news feeds across the globe have been dominated by headlines. The InfoSec community was also stirring with opinion pieces relating to Iran capabilities in carrying out cyberattacks. However, Iranian state-sponsored hackers are now in the headlines for an incident that occurred on December 29, 2019. It is believed the above-mentioned hackers infected Bapco, Bahrain's national oil company, with a new data wiper.
Wipers, also known as data wipers, are specific pieces of malware specifically designed to destroy data. In the past state-sponsored groups have used wipers in an attempt to remove all trace they had compromised a network. According to a security alert issued by Saudi Arabia's National Cybersecurity Authority and linked by ZDNet the attack was not as successful as intended as only a section of Bapco’s network and connected work stations were affected. The alert was sent to local businesses within the energy sector to warn them of potential intrusion and infection. Given the release of the alert happening over the weekend and the date of the incident, it is important to note that this incident is not directly related to current Iranian and American tensions.
The particular malware seen in the Bapco incident has been named Dustman. This is the third wiper seen been used by groups associated with the Iranian government. Iranian state-sponsored groups began deploying wipers in 2012 when they developed Shamoon, also called Disstrack, which has seen a further two versions developed and deployed. The latter version has been used against Italian oil and gas companies and been seen in the wild up to 2019.
The second wiper seen deployed by Iranian hackers was analyzed by IBM, called ZeroCleare, in September 2019. Like with Shamoon before it, ZeroCleare is designed to overwrite the master boot record (MBR) and other disk partitions on Windows machines. As with Shamoon the later wiper also used Eldos RawDisk a legitimate toolkit used for interacting with disk partitions.
According to the Saudi authorities, Dustman is an upgraded and more advanced version of ZeroCleare. Dustman shows clear code similarities to both Shamoon and ZeroCleare, further all three share the use of RawDisk. According to the Saudi researcher's Dustman differs from ZeroCleare in two important ways. The first, Dustman’s destructive module and all needed drivers and loaders are delivered in one executable file as opposed to two files. The second, Dustman overwrites the volume, while ZeroCleare wipes a volume by overwriting it with garbage data.
DHS Warnings and Iran’s Cyber Attack Capabilities
While this incident is in all likelihood not linked to recent tensions, however, the tensions have brought into light questions as to Iran’s cyberattack capabilities. The discovery of the Dustman wiper serves to highlight the country's state-sponsored APT groups and their capabilities. Christopher Krebs, the director of the DHS’s Cybersecurity and Infrastructure Security Agency (CISA), took to Twitter to remind the InfoSec community and anybody else who would listen about the nation state’s cyber capabilities. In the post, Krebs linked to an earlier Department of Homeland Security (DHS) alert released in the summer of 2019.
Back in June of last year, Christopher Krebs stated,
“CISA is aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies. We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyber activity, share information, and take steps to keep America and our allies safe…Iranian regime actors and proxies are increasingly using destructive ‘wiper’ attacks, looking to do much more than just steal data and money. These efforts are often enabled through common tactics like spear phishing, password spraying, and credential stuffing. What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
On Saturday the DHS issued another warning in the form of a National Terrorism Advisory System bulletin. These “Bulletins” describe current developments or general trends regarding terrorism threats, unlike “Elevated Alert” or “Imminent Alert” advisories, which describe credible threats or specific and impending threats against the U.S., respectively. In the bulletin it was further stated that,
“Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
In a scenario where heightened tensions threaten to destabilize an already unstable region further, Iran’s state-sponsored groups may receive new mandates and orders. Often Wipers were employed in the past against the oil and gas industry, as in with Dustman targeting Bapco, this can be deployed against other targets. In a recent article experts in the community were asked their opinion of Iran’s capability in retaliation for past events. Adam Meyers, VP of Intelligence at CrowdStrike, noted,
“CrowdStrike is closely monitoring the current escalating tensions in the Middle East in response to the killing of General Qassem Soleimani. While CrowdStrike is not reporting on a specific threat emanating from Iranian state-affiliated adversaries at this time, in line with previous assessments, CrowdStrike Intelligence believes that Iranian adversaries are likely to leverage a broad range of means, including cyber operations, against the U.S. and allied interests…Our current assessment is that organizations in the financial, defense, government, and oil and gas sectors are the most likely targets for retaliation activity. We are also monitoring for Distributed Denial of Service (DDoS) activity, as Iran has employed DDoS attacks in the past, as well as other tactics, such as ransomware activity.”
▼ Show Discussion