Delaware, USA – January 9, 2020 – An Iranian APT group used a new data wiper to attack the computer systems of the Bahraini national oil company Bapco. According to the National Cybersecurity Authority of Saudi Arabia, the cyberattack was carried out on December 29, but the adversaries managed to infect only part of the Bapco computer network, and the oil company did not interrupt its operations. The adversaries used a new malware called Dustman to delete data on infected computers. According to CNA’s security alert, Dustman is an updated and improved version of the ZeroCleare wiper, which in turn is based on the Shamoon malware that was used against oil and gas companies in the Middle East.
A common component of all three malware families is the legitimate EldoS RawDisk toolkit for interacting with files, disks, and partitions. The wipers use different exploits and techniques to elevate privileges to the administrator level, after which they unpack and run the EldoS RawDisk utility to erase data on infected hosts. However, Dustman differs from the other wipers in several ways: all necessary loaders and drivers are delivered in a single executable, and it overwrites the volume. By contrast, ZeroCleare consists of two files and destroys systems by overwriting the volume with junk data.
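As an added example that is not part of the original alert and not SOC Prime’s rule pack, the scanner below flags driver-load telemetry that references the EldoS RawDisk driver, the component the three wipers share, and additionally notes when that driver is loaded from outside the Windows drivers directory. The event shape and field names (modelled on a Sysmon DriverLoad record), the signer string and the image-name hints are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass

# Assumed indicator strings (not from the alert): EldoS as the driver's code
# signer, and "rawdisk"/"elrawdsk" in the driver image name.
RAWDISK_SIGNER_HINTS = ("eldos",)
RAWDISK_IMAGE_HINTS = ("rawdisk", "elrawdsk")
# Assumption: a legitimately installed driver lives under the Windows drivers directory.
TRUSTED_DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

@dataclass
class Alert:
    host: str
    image: str
    reasons: tuple

def check_driver_load(event):
    """Return an Alert for a DriverLoad-style event that looks like RawDisk, else None."""
    if event.get("event_id") != 6:        # only driver-load records are relevant here
        return None
    image = event.get("image_loaded", "").lower()
    signer = event.get("signature", "").lower()
    hits = [s for s in RAWDISK_SIGNER_HINTS if s in signer]
    hits += [h for h in RAWDISK_IMAGE_HINTS if h in image]
    if not hits:
        return None
    reasons = ["EldoS RawDisk driver loaded (matched: %s)" % ", ".join(hits)]
    if not image.startswith(TRUSTED_DRIVER_DIR):
        reasons.append("driver image outside the Windows drivers directory")
    return Alert(event.get("host", "?"), image, tuple(reasons))

def scan_driver_loads(events):
    """Run check_driver_load over a list of events and keep only the alerts."""
    return [a for a in (check_driver_load(e) for e in events) if a is not None]

# Constructed sample events in a Sysmon-like shape (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "event_id": 6, "image_loaded": r"C:\Windows\System32\drivers\disk.sys",
     "signature": "Microsoft Windows"},
    {"host": "ws01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"host": "srv02", "event_id": 6, "image_loaded": r"C:\ProgramData\upd\elrawdsk.sys",
     "signature": "EldoS Corporation"},
    {"host": "srv03", "event_id": 6, "image_loaded": r"C:\Windows\System32\drivers\rawdisk.sys",
     "signature": ""},
]

if __name__ == "__main__":
    for alert in scan_driver_loads(SAMPLE_EVENTS):
        print(alert.host, alert.image, "|", "; ".join(alert.reasons))
```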
The attackers exploited remote code execution vulnerabilities in the company’s VPN appliance, which allowed them to penetrate the Bapco network. According to the report, the APT group allegedly initiated the data wiping process as a final attempt to hide its traces after a series of mistakes revealed its presence in the compromised network. Experts have not yet been able to determine which particular group was involved in the cyberattack. You can use the VPN Security Monitor rule pack to detect signs of abuse or unauthorized access to the VPN service: https://my.socprime.com/en/integrations/vpn-security-monitor