The Gulf could soon witness another wave of cyberattacks amid soaring tensions in the region, and security experts are warning enterprises to take precautions.
Saudi Arabian authorities a week ago reported that data-wiping malware dubbed “DUSTMAN” hit a regional enterprise, later reported to be Bapco, Bahrain’s national oil company. The malware was based on prior data-wipers that have been linked to Iran-based, nation-state actors.
DUSTMAN was “detonated” on Dec. 29, according to Saudi Arabia’s National Cybersecurity Authority (NCSC). That was before top Iranian military commander Qasem Soleimani was killed in U.S. air strikes on Jan. 3. Though the DUSTMAN attack and the Soleimani killing were not related, Iran, which has warned of retaliation against the U.S., may resort to further cyberattacks that could involve the Gulf region, cybersecurity experts say.
The Middle Eastern country has a long history of launching cyberattacks against vital businesses in the Gulf and the U.S. In May and June last year for example, various hacking tools linked to Iran targeted transportation and shipping organizations based in Kuwait.
Security experts point to Iran
“I think Iran is the most likely actor to have sponsored the Dustman attack against Bapco … the strongest evidence linking Iran to the Bapco attack is its past willingness to perform network attacks against oil companies, specifically ones in Saudi Arabia,” said Jonathan Wrolstad, Symantec’s cyberthreat intelligence team lead.
The NCSC did not specify the DUSTMAN target, but ZDNet this week reported that it was Bapco, citing multiple sources. Bapco did not immediately respond to a CIO Middle East request for comment.
Symantec’s Wrolstad expects to see such attacks from Iran continue against targets in the Middle East, “especially those with symbolic value to Iran or those linked to regional rivals like Saudi Arabia and Israel.”
“Dustman is an evolution of a tool that was found only a few months ago and I would expect that Iran would continue to evolve its malware in order to keep it from being easily detected,” he said.
Data wipers are evolving
DUSTMAN has different characteristics than other Iran-linked malware that has been observed through the years, but there are similarities. For example, “Shamoon” malware variants, also linked to Iran, use the same third-party driver, “Eldos RawDisk,” according to the NCSC. And Shamoon bears similarities to ZeroCleare, another data-wiper linked to Iran, according to IBM’s X-Force security intelligence service.
Last month, IBM’S X-Force unit said, “According to our analysis, ZeroCleare was used to execute a destructive attack that affected organizations in the energy and industrial sectors in the Middle East. Based on the analysis of the malware and the attackers’ behavior, we suspect Iran-based nation state adversaries were involved to develop and deploy this new wiper.”
In addition, both DUSTMAN and ZeroCleare utilized a skeleton of the modified version of the Turla Driver Loader (TDL), according to the NCSC.
TDL, which is available on software development platform GitHub, is a driver loader designed to bypass Windows x64 Driver Signature Enforcement protections.
Security experts are warning enterprises in the region to ramp up precautions.
“The headline here is the malware itself, but it’s important to remember that the point of entry was an unpatched vulnerability,” said Tim Erlin, VP, product management and strategy at cybersecurity firm Tripwire. “It’s likely we’ll see more of this type of state-sponsored activity.”
Protect your enterprise with these measures
Jason Bevis, vice president of cybersecurity analytics firm Awake Security Labs, lays out a few simple tips for company executives to follow:
- Ensure external devices are patched and default credentials are removed. If two-factor authentication can be implemented, it should be on external-facing technology.
- In this case the antivirus (AV) software was used to push out the software across the enterprise. If there are systems with this capability such as AV or tools like Microsoft’s System Center Configuration Manager, these systems should be set up with two-factor authentication and locked down to specific user access wherever possible.
- For those companies that have detection and response technologies that allow them to hunt, they should be looking at Iran tactics, techniques and procedures (TTPs).
- Other actions include backing up VPN logs offline, and desktop backup to stores that have offline backups, among others.
In addition, the NCSC’s report on the DUSTMAN attack has more detailed technical instructions on how to protect against cyberattacks.
“The incident at Bapco demonstrates that we are in an arms race between attackers and defenders in the energy sector with destructive malware,” Caleb Barlow, CEO of cybersecurity consulting firm CynergisTek told CIO.
“The challenge is that outside of the energy sector and outside of the Middle East, companies have not prepared for a destructive cyberattack where entire systems are destroyed and there is no ransom to be paid to get your data back,” he added.