A week after Saudi Aramco's announcement that it had been the target of a destructive attack on the fifteenth, the picture is clearer than it was even a few days ago, and what is in the picture is uglier than the previous month's worst-case discussion would have suggested. The malware (Symantec are calling it W32.Disttrack, Kaspersky are calling it Shamoon) hit approximately thirty thousand workstations at Aramco, overwrote files on each, destroyed the master boot record so that the machines would not boot, and has left the company's office IT environment essentially offline for the better part of two weeks while emergency rebuild work has gone on. The group claiming responsibility calls itself the Cutting Sword of Justice. Attribution is unsettled: there is anonymous Iran-related speculation circulating in the US press, and the Cutting Sword's Pastebin statement frames the operation as retaliation for Aramco's role in maintaining the al-Saud regime. The technical analysis is clearer.

The interesting thing about Shamoon is that it is a wiper rather than an exfiltration tool. Most of the substantive malware I have been writing about for the past three years has been concerned with stealing data quietly: Aurora, Duqu, Flame. Shamoon is concerned with destruction. The payload overwrites files on the infected hosts with junk content, then destroys the MBR so the host cannot boot. The recovery is per-host reimaging, which is what makes the thirty-thousand-workstation figure so painful operationally — Aramco has had to re-image thirty thousand machines, restore data from backup where backup existed, and rebuild from scratch where it did not. The operation took nearly two weeks. The cost to Aramco's office productivity is substantial; the cost to the company's reputation in the region is, on present evidence, larger.

The technical detail that interests me most is the use of the EldoS RawDisk driver for the destructive payload. RawDisk is a legitimate commercial product that gives Windows applications sector-level access to a disk, below the file system and the volume locks that normally stop a user-mode process from writing raw sectors of a mounted volume; its intended customers are backup and forensic-imaging tools. The Shamoon authors did not need to steal a certificate for this. The driver they ship is EldoS's own build, carrying the vendor's legitimately-issued signature, so it loads under kernel-mode code-signing enforcement exactly as any other signed driver would. What they had to work around was licensing, not signing: the copy used in the attack carries a temporary license key, and the wiper resets the system clock into August 2012 before loading the driver so that the key stays valid. The pattern is a close cousin of what Stuxnet and Flame did with code-signing, where the attacker obtained a stolen certificate (Stuxnet) or a fraudulently-issued one (Flame) and signed the kernel-mode component; here the attacker skips that step entirely and borrows a signed driver whose legitimate purpose already matches the attacker's. The defensive answer, as with the Flame Microsoft-Update angle, is that a valid signature tells you who built a driver and nothing about what it will be used for, and that code-signing-based trust is meaningfully weaker against motivated attackers than the controls frameworks have been treating it as. A signed driver that hands raw sector writes to any process holding a license key belongs on a block list, or at minimum on a load-alert list, signature or no signature.

The initial infection vector at Aramco is, as of this writing, not publicly confirmed. The most plausible reading from what is in the press is that an insider (co-opted, threatened, or compromised) provided either physical or remote access that allowed the malware to be deployed onto the corporate network and then spread from there. The thirty-thousand-host scope suggests the propagation was deliberate and rapid. Shamoon has no exploit-driven self-replication; what it has is a spreader that copies itself to other hosts over the administrative network share and registers itself to run there, and that only works when the process already holds credentials that are administrator on the targets. Every one of those hosts, in other words, was reached with privileged credentials, which implies either a compromised administrative account on the Aramco network or an insider with appropriate privileges, and the absence of public attribution to a particular employee suggests the investigation is ongoing.

The structural lesson for the Hedgehog SOC build I have been writing detection content for is that the destructive-malware category needs explicit treatment in the detection scope. The previous threat model was concerned with exfiltration; Shamoon is the demonstration that the destructive variant of the same operational shape is now being used at substantial scale by a politically-motivated actor (whoever is actually behind Cutting Sword of Justice). The detection signals are different from the exfiltration case — there is no outbound exfiltration to detect, but there are pre-destruction indicators in the form of the wiping process itself, the disk-write patterns, the kernel-driver loading, the central command-and-control to coordinate the simultaneous wipe across thousands of hosts. The SOC content for the destructive-malware case is being added this week.
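Two of those pre-destruction signals, written out as detection logic over log lines. This is an added example for this post, not Hedgehog's SOC content and not anything from the Shamoon analyses: the log lines are constructed, the JSON field names and the `DRIVER_DEPLOYERS` allowlist are assumptions about what a SIEM would emit after normalising Windows service-install events, and the thresholds are illustrative. The first rule flags a kernel-mode driver being registered by an account that is not one of the imaging or deployment accounts, which catches a borrowed signed driver without caring about its signature; the second flags one account installing a service on many distinct hosts in a short window, which is the shape of a push over administrative shares whether the account is a compromised admin or an insider.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Accounts permitted to register kernel-mode drivers on workstations.
# Assumption for the example; in a real build this list comes from the
# imaging/deployment tooling's own service accounts.
DRIVER_DEPLOYERS = {r"CORP\svc-deploy"}

# Constructed sample telemetry, not real Aramco data. One JSON object per
# line, roughly what a SIEM emits after normalising System-log service
# installs (event 7045). Field names are assumptions. The driver file name
# on the CORP\adm-j lines is the one public write-ups give for the dropped
# wiper driver; the events themselves are made up.
SAMPLE_LOG = r"""
{"ts":"2012-08-15T08:00:00","host":"WS-0141","user":"CORP\\svc-deploy","event":"service_install","name":"nicdrv","image":"C:\\Windows\\System32\\drivers\\nicdrv.sys","kernel":true}
{"ts":"2012-08-15T09:00:00","host":"WS-0200","user":"CORP\\svc-deploy","event":"service_install","name":"Backup","image":"C:\\Program Files\\Backup\\bksvc.exe","kernel":false}
{"ts":"2012-08-15T11:02:10","host":"WS-0301","user":"CORP\\adm-j","event":"service_install","name":"drdisk","image":"C:\\Windows\\System32\\drivers\\drdisk.sys","kernel":true}
{"ts":"2012-08-15T11:03:40","host":"WS-0302","user":"CORP\\adm-j","event":"service_install","name":"drdisk","image":"C:\\Windows\\System32\\drivers\\drdisk.sys","kernel":true}
{"ts":"2012-08-15T11:04:55","host":"WS-0303","user":"CORP\\adm-j","event":"service_install","name":"drdisk","image":"C:\\Windows\\System32\\drivers\\drdisk.sys","kernel":true}
{"ts":"2012-08-15T11:06:02","host":"WS-0304","user":"CORP\\adm-j","event":"service_install","name":"drdisk","image":"C:\\Windows\\System32\\drivers\\drdisk.sys","kernel":true}
{"ts":"2012-08-15T11:07:30","host":"WS-0305","user":"CORP\\adm-j","event":"service_install","name":"drdisk","image":"C:\\Windows\\System32\\drivers\\drdisk.sys","kernel":true}
{"ts":"2012-08-15T11:09:11","host":"WS-0306","user":"CORP\\adm-j","event":"service_install","name":"drdisk","image":"C:\\Windows\\System32\\drivers\\drdisk.sys","kernel":true}
{"ts":"2012-08-15T15:00:00","host":"WS-0210","user":"CORP\\svc-deploy","event":"service_install","name":"Backup","image":"C:\\Program Files\\Backup\\bksvc.exe","kernel":false}
"""


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a real timestamp, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def unexpected_driver_installs(events, deployers=DRIVER_DEPLOYERS):
    """Kernel-mode driver registered by an account that is not a deployment
    account. The rule ignores the signature on purpose: a legitimately signed
    raw-disk driver arriving from an ordinary admin account is the finding."""
    hits = []
    for e in events:
        if e["event"] != "service_install" or not e.get("kernel"):
            continue
        if e["user"] not in deployers:
            hits.append((e["host"], e["user"], e["image"]))
    return hits


def fanout_by_account(events, min_hosts=5, window=timedelta(minutes=30)):
    """One account installing a service on >= min_hosts distinct hosts within
    `window`. Sliding window per account; one alert per account, raised on
    the event that first crosses the threshold."""
    recent = defaultdict(deque)   # user -> deque of (ts, host), oldest first
    alerted = set()
    alerts = []
    for e in events:
        if e["event"] != "service_install":
            continue
        q = recent[e["user"]]
        q.append((e["ts"], e["host"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= min_hosts and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append((e["user"], q[0][0], e["ts"], len(hosts)))
    return alerts


def analyse(text, min_hosts=5, window=timedelta(minutes=30)):
    """Run both rules over raw JSON-lines text and return the findings."""
    events = parse_events(text)
    return {
        "driver_installs": unexpected_driver_installs(events),
        "fanout": fanout_by_account(events, min_hosts, window),
    }


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        for h in hits:
            print(kind, h)
```

On the sample, the deployment account's own kernel driver and its two backup-agent installs spread over hours produce nothing, while CORP\adm-j trips the driver rule on all six hosts and the fan-out rule at the fifth host inside a window of about five minutes. The fan-out threshold is the one to tune against your own change-management baseline: a patching account legitimately touches hundreds of hosts in a window, so it goes in an allowlist or gets a much higher threshold, and the rule is then about accounts that should never push at scale doing exactly that.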

For the engagements with industrial or OT exposure, or with a substantial dependency on continuous IT operations (Northcott, two of the Hedgehog clients with manufacturing components, and the Browne Jacobson IT department, which is now in the slightly uncomfortable position of being asked "could thirty thousand of our hosts disappear in an afternoon"), the post-Shamoon conversation has been a different conversation from the post-Flame one. Flame was about quiet surveillance; Shamoon is about loud destruction. The defensive response is different. The backup-and-restore infrastructure, the imaging-and-reimaging capacity, the administrative-account compromise detection, the segmentation between the office IT and the operational IT: all of these matter in a way that they did not need to matter when the threat was quiet exfiltration.

The piece I am thinking about more is what Shamoon tells us about the broader threat-actor space. State-grade or state-adjacent actors using destructive malware against private-sector targets in the energy sector is a shape of operation that has not previously been demonstrated at this scale. The previous reasoning had been that destructive operations would be reserved for state-on-state cyber conflict (the Stuxnet shape) and that private-sector targets would be subjected to surveillance rather than destruction. Shamoon argues against that distinction. Whether the next destructive incident is at another oil-and-gas operator, at a financial institution, at a media company, or at something else entirely is the question I do not yet have a confident answer to.

The next post is likely the Hedgehog SOC operational update — the first monitoring engagement starts next week and there are some structural things worth writing about how the build is going — or whatever falls out of the rumoured RasGas incident that started this week and which is shaping up to be a Shamoon copycat.
