A late December malware attack on Bapco, the national oil company of Bahrain, has been linked to state-sponsored hackers from Iran. The data wiper malware did not appear to have much of an impact on the company, but is another in a pattern of attacks of this nature coming out of the embattled Gulf nation.
The persistent threat of Iran’s new data wiper
Bapco was attacked on December 29. The attack was detected shortly afterward by Saudi Arabia’s National Cybersecurity Authority, which published a warning about it, but the public was not made aware that Bapco was the target until January 9. Bapco employees discovered the attack on December 30 when they came in to work.
The malware attack appears to have been successful, though rather limited in the overall damage it caused. The hackers gained access to the Bapco network and were able to load the data wiper into the central anti-virus software, from where it was distributed to all machines. However, it did not run properly on some machines, leaving them unscathed. This also left behind evidence pointing to the attackers and the type of malware used.
Impacted systems booted to the Windows “blue screen of death” that is shown while Windows automatically attempts to restore the operating system from a backup. The company apparently did not suffer significant downtime as a result of the malware attack.
The attack likely had nothing to do with current tensions with the United States. Iranian hackers have long been known to attack foreign oil and gas companies and attempt to wipe their files; their goals are to steal confidential information and do damage to competing companies. Iran particularly focuses on companies in Saudi Arabia, with which it has a political and cultural rivalry in addition to economic competition. A signature of such attacks is that the Iranian hackers are often quite content to simply execute a data wiper attack on an industry rival without any more complex snooping or data exfiltration.
In recent years, these malware attacks from state-backed Iranian hackers tended to use either the Shamoon or ZeroCleare malware. This recent attack was the first sighting of a new strain called Dustman, which the Saudi security researchers say is a more advanced evolution of ZeroCleare (which was in turn built from Shamoon). Dustman is different from previous iterations in that it overwrites volumes rather than wiping them with garbage data, and in that it requires only one executable file to deliver its full payload.
Saudi security experts believe that Bapco was originally compromised through its VPN servers in the summer of 2019, as part of a wave of exploits of remote execution bugs found in high-end commercial servers from companies like Palo Alto Networks and Fortinet.
It is unclear as to which Iranian hacking team deployed Dustman, but the IBM X-Force Incident Response and Intelligence Services (IRIS) team believes that APT34 or Hive0081 are the most likely culprits. Hive0081 are the creators of ZeroCleare and are linked to a series of attacks in the Middle East in 2019, and APT34 dates back to 2014 and is notorious for targeting individuals with malware documents passed via fake business pages on LinkedIn.
A brief history of Iran’s malware attacks
The use of data wipers has been a known Iranian hacker strategy for nearly 10 years now.
This type of malware attack dates back to the 2012 cyber attack on Saudi Aramco, which took out about 75% of the oil giant’s PCs. This was the first appearance of the Shamoon malware, and it also established an Iranian hacker practice of trying to hide their identity behind that of a fictional activist group. It also set the pattern of quietly breaking into the target’s systems weeks or months in advance, and then triggering the data wiper at some sort of advantageous or symbolic time – in this case, on the morning of a major Islamic holiday.
Roger A. Grimes, Data-Driven Defense Evangelist for KnowBe4, provided some firsthand insight from the initial appearance of data wipers:
“The lack of utter devastation this time around should be counted as a major computer defense success. The 2012 Disttrack attack against Saudi Aramco, which devastated that company and put all of Saudi Arabia on its heels for half a year, led to the better successful defense of Bahrain. The Saudi Aramco attack changed everything for that part of the world. Before the Saudi Aramco attack, Middle East computer security was worse than poor. It was almost non-existent. But losing 32,000 computers, servers and workstations, in one of the world’s first nation-state attacks and the shutting down of the number one wealth producer for the country has a way of creating focus. Saudi Arabia and its allies, including Bahrain, realized that the status quo wouldn’t work anymore, and they worked very hard to come up to speed. I was working at Microsoft at the time of the Disttrack attack and Saudi Arabia sent over dozens of IT security envoys to work hand in hand with some of America’s best (and most attacked) companies to learn how to come up to speed with better computer security as quickly as possible. It was a major investment…maybe one of the biggest investments ever in their future. And looking at this latest story, it seems like a success. You can’t stop every attack, but it certainly wasn’t as bad as the past attacks. It was more of a hiccup in the sand this time. Kudos to the Middle East for what they accomplished. There should be at least some smiles and handshakes going on while they are also trying to fix what still went wrong and the lessons learned.”
More malware attacks and evolutions of the data wiper would follow. Shamoon went through several versions as it was used in similar destructive attacks on RasGas of Qatar and Saipem of Italy among other industry targets.
The ZeroCleare wiper was first seen in 2019. An X-Force IRIS report published in December indicated that it had been seen in a significant number of destructive malware attacks on oil companies in the latter half of the year. The IBM team declined to name specific targets but did indicate it was used throughout the Middle East.
How can organizations protect themselves from data wiping malware?
Iran’s focus is on geopolitical and oil industry rivals, but it’s likely these tools and methods will be adopted by other threat actors. APT34 itself was hacked early in 2019, and a number of the hacking group’s tools were leaked.
As Tal Zamir, Founder and CTO of Hysolate, points out:
“Destructive malware has become a “commodity” available not just to nation-state actors like Iran, but also to any determined cybercriminal. The weakest link of humans using vulnerable endpoint operating systems (like Windows) makes it easy to launch destructive malware to disrupt business and government operations for days or weeks. Typically, this malware wipes user devices so that users cannot access applications and data required for their work. It can also leverage user devices to do harm to files on network shares, data stored on cloud services, etc.
“Organizations should look for comprehensive ways to prevent such malware from infecting user devices and to ensure they have a disaster recovery plan not just for their data on the cloud but also for the OS, data, and applications running locally on endpoints. This can be achieved by applying methods like endpoint OS isolation, air gapping sensitive assets, and providing users with an instant method to revert endpoints to a working snapshot.”
And Tim Erlin, VP product management and strategy at Tripwire, commented on the initial VPN breach that opened the door for the data wiper attack:
“The headline here is the malware itself, but it’s important to remember that the point of entry was an unpatched vulnerability. Prevention is the preferred method of malware defense.
“It’s likely we’ll see more of this type of state-sponsored activity. I wouldn’t expect this is the last we’ll hear about the Dustman malware.