Saipem confirmed that it has been hit by a cyber attack using a Shamoon (aka DistTrack) variant. The Italian company: no data or revenue will be lost
It’s confirmed: the Italian company Saipem has been hit by a variant of the notorious Shamoon malware (aka DistTrack). “The cyber attack hit servers based in the Middle East, India, Aberdeen and in a limited way Italy through a variant of Shamoon malware,” the company said in a statement on Wednesday. Work is under way “in a gradual and controlled manner” to fully restore operations after the attack, it said. According to Reuters, the attack crippled between 300 and 400 servers and up to 100 personal computers out of a total of about 4,000 Saipem machines. No data will be lost because the company had backed up the affected computers and, according to Saipem, there will be no impact on the group’s revenue.
The cyber security experts: the malware version used in the attack against the Italian company is anomalous
The version of Shamoon used to launch the cyber attack against Saipem is anomalous. First of all, the list of command and control (C2) servers is blank. According to Chronicle cyber security experts, this could mean that the attackers installed the malware manually rather than relying on remote control. Furthermore, earlier Shamoon versions replaced every file with images of political significance, whereas this DistTrack version encodes them irreversibly, so the original content cannot be recovered. Finally, the hard-coded credentials seen in previous versions are also missing. The analysts also found that the sample was uploaded to VirusTotal from Italy last week, but the malicious code was set to detonate on December 7, 2017.
At the moment there is no attribution for the attack on Saipem, but many suspect that Iran could be behind it. It could be a warning to Italy, should the country decide to adopt the new US sanctions
At the moment there is no attribution for the cyber attack against Saipem, but many cyber security specialists think that the author could be Iran. This could be a warning to Italy, should the country decide to adopt the new US sanctions against Tehran. However, the previous cyber attacks with Shamoon targeted competitors of Iran in the Middle East energy sector, especially oil. According to Security Affairs, the malware was first detected in 2012, when it infected more than 30,000 computers at Saudi Aramco and other oil companies in the region. Four years later its second version appeared; this was involved in cyber attacks against various organizations in the area, including the General Authority of Civil Aviation (GACA) of Riyadh. Finally, a further variant was discovered by the cyber security researchers of Palo Alto Networks in January 2017.