Sunday, March 30, 2025

Flags of Fire, Silenced Oil Fields Swords of Justice and the Shamoon Raid, August 2012


In August 2012, an unprecedented large-scale cyber attack was launched against Saudi Arabia's state-owned oil company, Saudi Aramco. The hacker group that claimed responsibility for the attack called itself the Cutting Sword of Justice. It stated that the attack was retaliation for the Saudi government's oppression of the Shiite population and for human rights abuses in the Middle East, and posted this statement on online forums and on Pastebin.

The attack used a destructive malware called Shamoon. Shamoon is very sophisticated in design and consists of three main components. The first is the Dropper, the main body of malware that serves as the starting point for infection. Once inside the system, the Dropper gains administrative privileges and deploys the other two components. The Dropper also uses hard-coded network credentials to spread the infection to other PCs in the local network.
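The Dropper's spread through the local network with a single set of hard-coded credentials leaves a characteristic trace: one account authenticating to many distinct hosts in a short window. The following is an added detection example, not code from the original post or from any Shamoon analysis; it runs over a constructed sample of authentication log lines (timestamp, account, source host, destination host, result) and flags an account whose fan-out across destination hosts exceeds a threshold within a sliding time window. The log format, host names and account names are assumptions for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log (not from any real incident). One successful logon
# per line: "<ISO timestamp> <account> <source host> <destination host> <result>".
SAMPLE_LOG = """\
2012-08-15T22:40:01 svc_backup WS-0101 WS-0102 SUCCESS
2012-08-15T22:40:03 svc_backup WS-0101 WS-0103 SUCCESS
2012-08-15T22:40:04 svc_backup WS-0101 WS-0104 FAILURE
2012-08-15T22:40:05 svc_backup WS-0101 WS-0104 SUCCESS
2012-08-15T22:40:09 svc_backup WS-0101 WS-0105 SUCCESS
2012-08-15T22:40:12 svc_backup WS-0101 WS-0106 SUCCESS
2012-08-15T22:41:30 svc_backup WS-0101 WS-0107 SUCCESS
2012-08-15T22:42:00 alice WS-0200 FS-01 SUCCESS
2012-08-15T23:30:00 alice WS-0200 MAIL-01 SUCCESS
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, account, src, dst, result = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "account": account, "src": src, "dst": dst, "result": result}


def detect_fan_out(lines: List[str], threshold: int = 5,
                   window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when one account reaches `threshold` distinct destination hosts
    within any `window`-long span of successful logons.

    Only the first crossing per account is reported, so a noisy account
    produces one alert rather than one per subsequent logon."""
    by_account: Dict[str, List[Dict]] = defaultdict(list)
    for raw in lines:
        ev = parse_line(raw)
        if ev is not None and ev["result"] == "SUCCESS":
            by_account[ev["account"]].append(ev)

    alerts = []
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        counts: Dict[str, int] = {}   # destination host -> logons inside the window
        left = 0
        for ev in events:
            counts[ev["dst"]] = counts.get(ev["dst"], 0) + 1
            # Slide the left edge forward until every event in [left, current] fits the window.
            while ev["ts"] - events[left]["ts"] > window:
                old = events[left]["dst"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) >= threshold:
                alerts.append({
                    "account": account,
                    "distinct_hosts": len(counts),
                    "window_end": ev["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_fan_out(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the constructed sample, `svc_backup` reaches five distinct hosts within two minutes and is reported; `alice`, who touches two servers an hour apart, is not. In practice the threshold and window need tuning per environment, and service accounts that legitimately touch many hosts (backup, monitoring) should be baselined rather than simply allow-listed, since a wiper spreading with a stolen service credential looks exactly like that account doing its job, only faster.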

The second component, Wiper, performs Shamoon's central function. It overwrites the files on the infected PC one by one and finally destroys the Master Boot Record (MBR), rendering the machine unbootable. Files are overwritten sector by sector with zeros and meaningless patterns, which makes recovery difficult. After rebooting, the destroyed PCs were made to display an image of a burning American flag instead of the normal Windows desktop. This was staged to visually emphasize the political intent.

The third component, Reporter, is responsible for reporting the progress of the infection and the success or failure of the operation to the attacker's C2 server. Shamoon also includes a timer function that automatically triggers at a specific time, and was designed to launch the attack simultaneously at 11:00 p.m. on August 15, 2012. As a result, approximately 30,000 Saudi Aramco PCs were destroyed simultaneously, and it took several weeks to recover them. The estimated damage was in the hundreds of millions of dollars.
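The MBR destruction described above is the point at which a Shamoon-style wiper turns a damaged machine into an unbootable one, and it is also one of the simplest things to check from outside the affected system. The following is an added example, not code from the original post or from any Shamoon analysis: it inspects the first 512-byte sector of a disk image, checks the structural markers a valid MBR must have (the 0x55AA boot signature and at least one non-empty partition table entry), optionally compares the sector's SHA-256 against a previously recorded baseline, and returns a verdict of intact, modified or wiped. The sample sectors are constructed inline for the demonstration and do not come from any real disk.

```python
import hashlib
import struct
from typing import Dict, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR
PARTITION_TABLE = slice(446, 510)     # four 16-byte partition entries
EMPTY_ENTRY = b"\x00" * 16


def make_sample_mbr(seed: bytes) -> bytes:
    """Build a constructed, structurally valid MBR for the demonstration.

    Layout: 440 bytes of 'boot code' (here just the seed repeated), a 4-byte
    disk signature, 2 reserved bytes, a 64-byte partition table with one
    active NTFS-type entry, and the 0x55AA signature."""
    code = (seed * (440 // len(seed) + 1))[:440]
    disk_signature = b"\x11\x22\x33\x44"
    reserved = b"\x00\x00"
    # status=0x80 (active), CHS start, type=0x07, CHS end, LBA start, sector count
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + EMPTY_ENTRY * 3
    sector = code + disk_signature + reserved + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def baseline_hash(sector: bytes) -> str:
    """SHA-256 of a known-good MBR, recorded before an incident for later comparison."""
    return hashlib.sha256(sector).hexdigest()


def analyze_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> Dict:
    """Classify a 512-byte sector as 'intact', 'modified' or 'wiped'.

    'wiped'    - structural markers missing (no boot signature or empty partition table)
    'modified' - structure valid but content differs from the recorded baseline
    'intact'   - structure valid and (if given) baseline matches"""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")

    signature_ok = sector[510:512] == BOOT_SIGNATURE
    table = sector[PARTITION_TABLE]
    table_ok = any(table[i * 16:(i + 1) * 16] != EMPTY_ENTRY for i in range(4))
    zero_ratio = sector.count(0) / SECTOR_SIZE
    digest = hashlib.sha256(sector).hexdigest()
    baseline_match = None if baseline_sha256 is None else digest == baseline_sha256

    if not signature_ok or not table_ok:
        verdict = "wiped"
    elif baseline_match is False:
        verdict = "modified"
    else:
        verdict = "intact"

    return {
        "verdict": verdict,
        "signature_ok": signature_ok,
        "partition_table_ok": table_ok,
        "zero_ratio": round(zero_ratio, 3),
        "baseline_match": baseline_match,
        "sha256": digest,
    }


if __name__ == "__main__":
    good = make_sample_mbr(b"boot")
    base = baseline_hash(good)
    zeroed = b"\x00" * SECTOR_SIZE              # zero-write wipe
    patterned = bytes(range(256)) * 2           # meaningless pattern wipe
    tampered = bytearray(good); tampered[0] ^= 0xFF
    for name, s in [("good", good), ("zeroed", zeroed), ("patterned", patterned), ("tampered", bytes(tampered))]:
        print(name, analyze_mbr(s, base)["verdict"])
```

Run against a disk image, the sector is simply `f.read(512)` from the image file. A wiped MBR fails the structural checks outright; a bootkit-style modification that keeps the structure valid is caught only by the baseline comparison, which is why recording the hash of a known-good MBR on every host before an incident is the part of this check that actually earns its keep.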

This incident showed the world that a nation's critical infrastructure is extremely vulnerable to cyber attacks, and symbolized the arrival of the era of cyber warfare. While it is not clear whether the Cutting Sword of Justice was a real, independent group of hackers or a state-sponsored cover name, many U.S. intelligence officials and experts suspect the involvement of the Iranian government, particularly the Islamic Revolutionary Guard Corps.

Against this background, there are many other state-sponsored hacker groups in Iran. APT33 (Elfin), for example, is known for its espionage activities against the aerospace and energy industries; APT34 (OilRig) targets financial institutions and government organizations, using custom malware to steal sensitive information; APT35 (Charming Kitten) uses social networking and fake news sites to launch targeted attacks against human rights activists, academics, diplomats, and others. Tortoiseshell uses malware on fake recruiting websites to lure targets, while Static Kitten (Fox Kitten) exploits vulnerabilities in VPNs and security appliances to infiltrate internal networks.

What these activities have in common is that they are not limited to mere information gathering, but pursue political and strategic objectives directly tied to the contest between nations in cyberspace, on both offense and defense. The emergence of destructive malware such as Shamoon demonstrates that cyber attacks are no longer just about causing temporary disruption, but are now used as a weapon to inflict serious damage on a nation's economy and security. Shamoon has since been improved upon: new versions such as Shamoon 2 (2016) and Shamoon 3 (2018) have been discovered and continue to pose a serious threat to infrastructure in the Middle East region.
