Middle East organizations should prepare for the return of Shamoon
In August 2012, petroleum and natural gas company Saudi Aramco in Saudi Arabia was hit hard by the Shamoon virus (also known as Disttrack). This disk-wiping malware damaged 35,000 computers at the company at that time.
Recent reports from media and security firms suggest Shamoon is back for a second run in the Middle East.
These reports suggest that Shamoon 2 was again used to target organizations in Saudi Arabia. Among them is the General Authority of Civil Aviation (GACA). As in 2012, the Disttrack malware – which some experts attribute to Iran – automatically starts wiping infected systems at a specified time, causing a lot of damage. The 2012 attacks targeted master boot records of computers and replaced them with an image of a burning US flag. The recent attacks used a photo of the body of Alan Kurdi, the three-year-old Syrian refugee who drowned in the Mediterranean in 2015.
Low hanging fruit
As with most malware, it is hard to say how long systems have been infected. Malware such as Shamoon can hide itself for long periods and wait for the right time to attack. It enters networks through malicious emails, websites or stolen credentials. Attacks initially focus on low-hanging fruit: office employees who are constantly exchanging information inside and outside the company, using the internet and sending and receiving files via email. This is a security officer’s nightmare and a hacker’s dream. Despite security awareness programs and the use of a wide array of security technologies, the office worker is the weakest link and the gateway for an attacker to an entire company’s network.
Importance of ICS
This is especially risky when all company networks are interconnected, which today is standard practice in most cases. This allows an attacker to affect not only supporting processes such as finance, HR or planning but also primary processes that are supported by Industrial Control Systems (ICS). Obviously, supporting processes are key for any company and any disruption will have a substantial impact. Therefore, a high level of security is crucial. This includes all the traditional security technologies such as IPS, IDS and firewalls, and more recent means such as continuous advanced monitoring and analytics.
Raise the bar
However, for Industrial Control Systems the bar should (and can) be set higher. Companies (and society in general) heavily depend on the correct and uninterrupted functioning of these systems. At the end of the day, ICS relies on network-connected desktops, laptops and servers. The general increase in connectivity has opened the door for abuse of critical infrastructures by people with malicious intent. So far, the only effective way to protect these systems has been to disconnect critical systems. New solutions, such as the Fox DataDiode, provide a one-way data valve for networks. Critical infrastructure organizations can enjoy the benefits of OT/IT integration while preventing cyber-attacks directed at a company’s ICS/SCADA from using the IT/OT network connection.
The Fox DataDiode solution is a network device that enforces one-way traffic on a specific connection. The unidirectional property is assured at the physical layer alone, leaving no room for mistakes or misconfigurations, either intentional or accidental. The challenge is that almost all protocols require two-way communication. Therefore, the Fox DataDiode is equipped with proxies that convert all sorts of network traffic into a proprietary, reliable unidirectional protocol and vice versa. For example, Modbus, DNP3, IEC or OPC data is received by the proxy on the ICS network, and transmitted to the proxy on the corporate network where it is propagated or made available. This way, the Fox DataDiode integrates transparently in any infrastructure while providing unsurpassed levels of security.
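The proxy pair described above has to be reliable without acknowledgements, because nothing can travel back across the diode. The sketch below is an added example, not Fox-IT code: the DataDiode protocol is proprietary and not described here, so the frame layout, the `copies` redundancy and all names are assumptions, and the link is assumed to deliver frames in order.

```python
import struct
import zlib

HEADER = struct.Struct("!IH")   # assumed layout: sequence number, payload length
TRAILER = struct.Struct("!I")   # CRC32 over header + payload


def encode_frames(readings, copies=3):
    """ICS-side proxy: yield every reading `copies` times as a framed datagram.

    With no return path there are no ACKs or retransmit requests, so the
    redundancy has to be sent up front.
    """
    for seq, payload in enumerate(readings):
        body = HEADER.pack(seq, len(payload)) + payload
        frame = body + TRAILER.pack(zlib.crc32(body))
        for _ in range(copies):
            yield frame


class DiodeReceiver:
    """Corporate-side proxy: validate, de-duplicate and record gaps."""

    def __init__(self):
        self.next_seq = 0
        self.delivered = []   # payloads handed on to the corporate network
        self.missing = []     # sequence numbers lost for good (cannot be re-requested)
        self.rejected = 0     # truncated or corrupted frames

    def feed(self, frame):
        if len(frame) < HEADER.size + TRAILER.size:
            self.rejected += 1
            return
        body, trailer = frame[:-TRAILER.size], frame[-TRAILER.size:]
        (crc,) = TRAILER.unpack(trailer)
        seq, length = HEADER.unpack(body[:HEADER.size])
        if crc != zlib.crc32(body) or length != len(body) - HEADER.size:
            self.rejected += 1
            return
        if seq < self.next_seq:
            return  # redundant copy of a frame that was already delivered
        self.missing.extend(range(self.next_seq, seq))
        self.delivered.append(body[HEADER.size:])
        self.next_seq = seq + 1


if __name__ == "__main__":
    # Constructed sample readings standing in for polled register values.
    rx = DiodeReceiver()
    for f in encode_frames([b"reg40001=215", b"reg40002=0"]):
        rx.feed(f)
    print(rx.delivered, rx.missing, rx.rejected)
```

The `missing` list is the value an operator would alert on: a gap on the receiving side is the only signal that data was lost, since the sender never learns of it.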
Find a reliable partner
The challenges in the security arena are continuously growing. Keeping up with developments is no easy task, for any company. More and more, organizations turn to a specialized partner with the knowledge and expertise to advise on the best services and processes.