It is being reported thata new variant of the Shamoon malwarewas discovered on the network of Italian oil and gas contractor Saipem, where it destroyed files on about ten percent of the company’s PC fleet. The vast majority of the affected systems were located in the Middle East, where Saipem does a vast majority of its business, but infections were also reported in India, Italy, and Scotland.
Experts Comments below:
Andrew van der Stock, Senior Principal Consultant atSynopsys:
“The resurgence of the Shamoon wiper should remind all IT Executives and Directors of the critical importance of the basics of infosec security hygiene – such as the Australian Cyber Security Centre’s “Essential 8,” which starts with application whitelisting – an essential control which would have prevented this attack, automated patching, application hardening, restricting admin privileges, and multi-factor authentication. In this case, the victim had backups to recover service, but the reality is that this attack might have been prevented if such basic precautions were in place for the majority of users.”
Thomas Richards, Associate Principal Consultant atSynopsys:
“The initial entry point is of interest. With the recent releases of breaches involving passwords, it is a possibility that an employee used the same password in multiple locations which led to the attacker’s ability to compromise Saipem. The Shamoon attack could also be predicated by a phishing campaign or other credential compromising event. This attack is most likely perpetrated by an advanced threat actor who was specifically targeting Saipem.Employers should state in their password policy that employees should not reuse corporate passwords on other systems. Additionally, if an employee receives a suspicious email they should report it to their IT security group immediately.”