Iranian hackers' latest data-wiping malware hits Bahrain's oil industry


Iranian state-sponsored hackers have deployed a new strain of data-wiping malware on the network of Bapco, Bahrain's national oil company, ZDNet has learned from multiple sources.

The incident took place on December 29. The attack did not have the long-lasting effect hackers might have wanted, as only a portion of Bapco's computer fleet was impacted, with the company continuing to operate after the malware's detonation.

ZDNet has learned from several sources that the Bapco incident is the cyber-attack described in a security alert published last week by Saudi Arabia's National Cybersecurity Authority. Saudi officials sent the alert to local companies active on the energy market, in an attempt to warn of impending attacks and urge companies to secure their networks.

The Bapco security incident came to light amid rising political tensions between the US and Iran after the US military killed a top Iranian military general in a drone strike last week.

Although the Bapco incident doesn't appear to be connected to the current US-Iranian political tensions, it does go to show Iran's advanced technical capabilities when it comes to launching destructive cyber-attacks -- something about which the US Department of Homeland Security had warned in an alert published over the weekend.

The Dustman malware

At the heart of the recent Bapco attack is a new strain of malware named Dustman. According to an analysis by Saudi Arabia's cyber-security agency, Dustman is a so-called data wiper -- malware designed to delete data on infected computers, once launched into execution.

Dustman represents the third different data-wiping malware linked to the Tehran regime. Iranian state-backed hackers have a long history of developing data-wiping malware.

Iran's foray into data-wiping malware goes back to 2012 when they developed Shamoon (also known as Disttrack), a piece of malware that was responsible for wiping more than 32,000 PCs at the Saudi Aramco oil company in Saudi Arabia, in one of the world's most infamous cyber-attacks.

Two more Shamoon versions were discovered in the following years, Shamoon v2 (used in 2016 and 2017) and Shamoon v3 (used in 2018 and 2019).

According to a report published by IBM X-Force, Iranian hackers are also linked to data-wiping attacks with a second different malware strain named ZeroCleare, first discovered in the wild in September 2019.

Per Saudi CNA officials, Dustman appears to be an upgraded and more advanced version of the ZeroCleare wiper that was discovered last fall -- which, in turn, had multiple code similarities with the original Shamoon.

The main shared component between all three strains is EldoS RawDisk, a legitimate software toolkit for interacting with files, disks, and partitions. The three malware strains use different exploits and techniques to elevate initial access to admin-level, from where they unpack and launch the EldoS RawDisk utility to wipe data on infected hosts.

Since Dustman is considered an evolved version of ZeroCleare, most of the code is the same, but Saudi CNA officials who analyzed the malware said Dustman comes with two important differences:

Dustman's destructive capability and all needed drivers and loaders are delivered in one executable file as opposed to two files, as was the case with ZeroCleare.

Dustman overwrites the volume, while ZeroCleare wipes a volume by overwriting it with garbage data (0x55).

Bapco targeting

Sources tell ZDNet that the targeting of Bapco with Dustman fits in the regular modus operandi of known Iranian state-sponsored hackers.

Historically, prior to the Dustman deployment on December 29, Iranian hackers used Shamoon and ZeroCleare exclusively against companies in the oil and gas field.

Past targets included companies with ties to the Saudi regime and Saudi Aramco, Saudi Arabia's national oil company. Iran and Saudi Arabia have had strained relations since the 1970s, due to differences in the interpretation of Islam, and because of their competition on the oil export market.

Bapco is a company fully owned by the Bahrain regime, a country that has had strained political relations with the Tehran regime, and which is a known business partner of Saudi Aramco.

How the attack took place

At the time of writing, Bapco appears to be the only victim of an attack with the Dustman malware, although this doesn't mean the malware was not deployed on the network of other targets.

According to the CNA report, attackers don't seem to have planned to deploy Dustman at the time they did, but appear to have triggered the data-wiping process as a last-ditch effort to hide forensic evidence after they made a series of mistakes that would have revealed their presence on the hacked network.

Sources who spoke with ZDNet on the condition of anonymity claimed the Bahrain company was compromised over the summer.

Saudi CNA officials, along with our sources, confirmed the point of entry was the company's VPN servers. The CNA report cites "remote execution vulnerabilities in a VPN appliance that was disclosed in July 2019" as the attackers' point of entry into Bapco's network.

While officials didn't blame any specific appliance, they are most likely referring to a Devcore report published over the summer that disclosed remote execution bugs in a wealth of enterprise-grade VPN servers, such as those from Fortinet, Pulse Secure, and Palo Alto Networks.

Here is where our sources diverged. Some said hackers exploited a vulnerability in Pulse Secure servers, while others pointed the finger at Fortinet VPN servers.

A search with the BinaryEdge search engine shows that a part of the vpn.bapco.net network does, indeed, run on Fortinet VPN appliances. However, it may also be possible that Bapco ran Pulse Secure servers in the past, which it has taken down, in the meantime.

Either way, while our sources differed on the exact VPN server exploited in the attack, they did agree that this is where hackers broke in. According to the Saudi CNA report, hackers gained control over the VPN server, then escalated their access to the local domain controller.

We cite from the report:

The threat actor obtained domain admin and service accounts on the victim's network, which was used to run "DUSTMAN" malware on all of the victim's systems. The attacker utilized the anti-virus management console service account to distribute the malware across the network.

[...]

The threat actor accessed the victim's network and copied the malware and the remote execution tool "PSEXEC" into the anti-virus management console server, which was connected to all machines within the victim's network due to the nature of its functionality. A few minutes later, the attacker accessed the storage server of the victims and deleted all volumes manually.

The attackers then executed a set of commands on the anti-virus management control to distribute the malware to all connected machines, and through (PSEXEC) the malware executed and dropped (3) additional files, two drivers and the wiper. Most of the connected machines were wiped.
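The distribution pattern the report describes (one service account, PsExec, many hosts in a few minutes) is also the pattern a defender can hunt for. The following is an added example, not code from the CNA report or from any vendor: it runs three heuristics over constructed Windows event records. The pipe-delimited log format, the account name CORP\svc-avconsole, the host name AVCONSOLE01 and the timestamps are all assumptions made up for the example; Event ID 7045 (new service installed), Event ID 4624 (logon) and PsExec's default service name PSEXESVC are real Windows and Sysinternals identifiers.

```python
"""Hunting heuristics for PsExec fan-out from a management service account.
Example code added for illustration; all log lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, assumed already normalised by a SIEM to
# "timestamp|host|event_id|account|key=value;key=value".
SAMPLE_LOG = """\
2019-12-29T21:02:11|WS-014|7045|CORP\\svc-avconsole|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-12-29T21:02:13|WS-022|7045|CORP\\svc-avconsole|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-12-29T21:02:15|WS-031|7045|CORP\\svc-avconsole|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-12-29T21:02:18|WS-040|7045|CORP\\svc-avconsole|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-12-29T21:02:20|WS-052|7045|CORP\\svc-avconsole|ServiceName=PSEXESVC;ImagePath=%SystemRoot%\\PSEXESVC.exe
2019-12-29T09:15:00|WS-007|7045|CORP\\jdoe|ServiceName=PrinterSvc;ImagePath=C:\\Program Files\\Printer\\svc.exe
2019-12-29T20:58:40|AVCONSOLE01|4624|CORP\\svc-avconsole|LogonType=10;IpAddress=10.10.5.23
"""


def parse_events(text):
    """Turn the normalised lines into dicts with a parsed timestamp and a field map."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, account, raw = line.split("|", 4)
        fields = dict(kv.split("=", 1) for kv in raw.split(";") if kv)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event_id": int(event_id), "account": account,
                       "fields": fields})
    return events


def psexec_service_installs(events):
    """Event 7045 (new service) whose ServiceName is PsExec's default PSEXESVC."""
    return [e for e in events if e["event_id"] == 7045
            and e["fields"].get("ServiceName", "").upper() == "PSEXESVC"]


def fanout_alerts(events, window=timedelta(minutes=5), min_hosts=3):
    """Flag any account that installs services on >= min_hosts distinct hosts
    inside a sliding time window; that is what mass PsExec distribution looks like."""
    installs = sorted((e for e in events if e["event_id"] == 7045), key=lambda e: e["ts"])
    by_account = defaultdict(list)
    for e in installs:
        by_account[e["account"]].append(e)
    alerts = []
    for account, evs in by_account.items():
        best, start = set(), 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts.append({"account": account, "hosts": sorted(best)})
    return alerts


def service_account_interactive_logons(events, service_accounts):
    """4624 with LogonType 2 (console) or 10 (RDP) for an account that should
    only ever run a service: a sign the credential is being used by a person."""
    return [e for e in events if e["event_id"] == 4624
            and e["account"] in service_accounts
            and e["fields"].get("LogonType") in {"2", "10"}]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("PsExec service installs:", len(psexec_service_installs(evs)))
    for a in fanout_alerts(evs):
        print("fan-out by", a["account"], "to", len(a["hosts"]), "hosts")
    for e in service_account_interactive_logons(evs, {"CORP\\svc-avconsole"}):
        print("interactive logon by service account on", e["host"])
```

The thresholds (five minutes, three hosts) are deliberately loose; an AV console that legitimately pushes agents will also trip the fan-out rule, so in practice the rule is scoped to accounts and source hosts that are not expected to do mass deployment, and the PSEXESVC and interactive-logon rules are the higher-confidence signals.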

Image: Saudi Arabia CNA

Successful attacks resulted in all wiped systems showing a Blue Screen of Death (BSOD) message.

Image: Saudi Arabia CNA

According to Saudi officials, there was a sense of urgency in the attacker's actions. The reason for the urgency is unknown.

"DUSTMAN malware was compiled, possibly on the threat actor infrastructure, [a] few minutes before deploying it on the victim's network," Saudi CNA officials said. "This is inconsistent with known destructive attacks as they [are] usually tested before being deployed."

However, this haste and lack of testing had an impact on the success of the wiping operation, and the malware didn't run properly on some systems.

Saudi officials believe the attackers noticed the failed wipes as well, as they attempted to remove Dustman artifacts from these systems, and then wiped access logs on the VPN server, before leaving the company's network.

Bapco officials learned of the attack on the next day, on December 30, when employees came to work. They traced back the attack and identified the Dustman malware because some workstations were in sleep mode at the time of the attack.

When these systems were started, they tried to execute the malware, but the antivirus (disabled at the time of the original attack) detected and prevented the attack.

Dustman malware samples have leaked online

One of these malware samples was uploaded on Hybrid-Analysis, an online sandbox analysis environment, on the same day the attack was discovered.

The files eventually made their way this week on VirusTotal and Twitter.

2019's wipers involved in Gulf events:

18c92f23b646eb85d67a890296000212091f930b1fe9e92033f123be3581a90f
f07b0c79a8c88a5760847226af277cf34ab5508394a58820db4db5a8d0340fc7
2fc39463b6db44873c9c07724ac28b63cdd72f5863a4a7064883e3afdd141f8d

These are the VTI-available ones — Joe Slowik (@jfslowik) January 8, 2020

Security experts who spoke with ZDNet could not link the attack to a specific Iranian state-sponsored group, citing a lack of full visibility in the attack.

For context, McAfee linked the Shamoon attacks to an Iranian hacking group known as APT33, while IBM linked ZeroCleare to two groups -- xHunt and APT34.

Despite repeated attempts, Bapco officials did not respond to a request for comment.

The Saudi CNA report also contains mitigation advice for companies active in the oil and gas field, which would represent a target for attacks with the Dustman malware. Following the recent escalation in US-Iranian political tensions, US oil and gas companies are most likely on the target list as well.