Delaware, USA – December 14, 2018 – Details of the cyber attack on Saipem, which took place last weekend, have become known. The data-wiping attack on the Italian oil and gas company mainly affected servers in the Middle East, but it also rendered assets in Italy, India and Scotland inoperative. Unidentified attackers used a new version of the Shamoon malware, which destroys data by overwriting the original files with random bytes, disguising the attack as a ransomware outbreak. The first attack using Shamoon occurred in 2012; it targeted Saudi Aramco and had devastating consequences: the adversaries erased data on more than 35,000 systems, and the company returned to normal operations only after a few weeks. As a result of the latest incident, more than 300 servers and up to 100 computers in Saipem’s network were infected. Internal systems controlling industrial equipment were not impacted, and the company is currently working on restoring its operations.
Unlike previous versions of Shamoon, the new sample does not carry a list of SMB credentials for self-propagation; the most likely initial infection vector is therefore a compromise of Remote Desktop Protocol (RDP) access. Researchers believe that after the initial intrusion, the attackers used a Mimikatz-like tool to dump SMB credentials and then built a malware sample tailored to this attack. To uncover unauthorized access to the company’s network, you can use the VPN Security Monitor rule pack, which visualizes remote access service activity and detects typical signs of abuse. You can also leverage the Mimikatz Defence Framework to identify the use of dumped credentials.
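The two detection ideas above (watch remote access for abuse, then catch dumped credentials being reused for lateral movement) can be expressed as simple logic over Windows logon events. The following is an added example written for this article, not code from the VPN Security Monitor rule pack or the Mimikatz Defence Framework; the event records, host names and the corporate address range are constructed assumptions.

```python
"""Two detections for the intrusion chain described in the article:
1. interactive RDP logons (logon type 10) arriving from non-corporate addresses;
2. one account opening network logons (type 3, the SMB/lateral-movement type)
   to many distinct hosts inside a short window, the footprint of propagation
   with dumped credentials."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events modelled on Windows Security event 4624 fields:
# (timestamp, account, source_ip, target_host, logon_type)
SAMPLE_EVENTS = [
    ("2018-12-09T01:02:00", "svc_backup", "203.0.113.7", "MEA-RDP01", 10),  # RDP from outside
    ("2018-12-09T01:20:00", "svc_backup", "10.10.5.21", "MEA-FS01", 3),
    ("2018-12-09T01:21:00", "svc_backup", "10.10.5.21", "MEA-FS02", 3),
    ("2018-12-09T01:22:00", "svc_backup", "10.10.5.21", "MEA-DC01", 3),
    ("2018-12-09T01:23:00", "svc_backup", "10.10.5.21", "ITA-FS01", 3),
    ("2018-12-09T09:00:00", "j.rossi", "10.10.7.30", "MEA-RDP01", 10),     # normal internal RDP
    ("2018-12-09T09:05:00", "j.rossi", "10.10.7.30", "MEA-FS01", 3),
]
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the corporate range

def external_rdp_logons(events, internal_nets=INTERNAL_NETS):
    """Return (account, source_ip, host) for RDP logons whose source is outside corporate ranges."""
    hits = []
    for _ts, acct, src, host, ltype in events:
        if ltype != 10:
            continue
        addr = ipaddress.ip_address(src)
        if not any(addr in net for net in internal_nets):
            hits.append((acct, src, host))
    return hits

def fan_out_accounts(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {account: sorted hosts} for accounts that reached >= min_hosts distinct
    hosts via network logons within any sliding window of length `window`."""
    by_acct = defaultdict(list)
    for ts, acct, _src, host, ltype in events:
        if ltype == 3:
            by_acct[acct].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for acct, logons in by_acct.items():
        logons.sort()
        for i, (t0, _h) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[acct] = sorted(hosts)
                break
    return flagged
```

Both checks are deliberately simple; in production they would be fed from the SIEM's 4624 stream and tuned with known jump hosts and service accounts to keep the false-positive rate down.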