
Geopolitical Tensions May Increase Risk of Destructive Attacks

Organizations should exercise heightened vigilance as political tensions in the Middle East may increase risk of attacks by Iranian-sponsored groups.

The recent upsurge in tensions between the U.S. and Iran has led to fears about an increase in both the frequency and aggressiveness of Iranian-sponsored cyber attacks. Iran has an extensive track record in this sphere, with government-backed cyber threat groups conducting numerous offensive cyber operations in recent years, including a number of highly destructive wiper attacks. While an uptick in such attacks is not a certainty, it is a distinct possibility and organizations should exercise extreme vigilance.

The capabilities of Iranian actors have evolved rapidly in recent years, from quick and relatively simple destructive attacks, such as distributed denial‐of‐service (DDoS) attacks or website defacements, to an increased focus on network compromises where the actors maintain a persistent foothold and obfuscate their presence to make attribution difficult. Iranian groups have also increasingly targeted critical infrastructure including energy and telecommunications companies.

Destructive attacks

Attackers associated with Iran have periodically carried out highly destructive disk-wiping attacks against targets in the Middle East. Historically, these attacks tend to coincide with periods of heightened instability in the region.

Most of these destructive attacks have involved the Shamoon disk wiper (W32.Disttrack). Shamoon first emerged in 2012, when it was used in attacks against the Saudi energy sector. It reappeared in late 2016, when a slightly modified version (W32.Disttrack.B) was used in another wave of attacks against Saudi Arabia.

A third wave of attacks occurred in December 2018, when Shamoon was once again deployed against a range of targets in the Middle East. Unlike previous Shamoon attacks, these attacks involved a second piece of wiping malware (Trojan.Filerase). This malware deleted and overwrote files on the infected computer. Shamoon itself would meanwhile erase the master boot record (MBR) of the computer, rendering it unusable.

Recent months have also seen the emergence of two new wipers, which appear to be evolutions of the original Shamoon wiper. The first, known as ZeroCleare (Trojan.Zerocleare), appeared in June and July of 2019. In January 2020, the National Cybersecurity Authority of Saudi Arabia released a report about a wiper malware it called Dustman. Dustman is a further evolution of ZeroCleare in which the authors consolidated the functionality into a single file, rather than the arrangement used in the June/July campaigns.

Means of access

While destructive attacks are an obvious source of concern, potential targets should be aware that the evidence available to date suggests that the Shamoon attackers may not have compromised their victims’ networks themselves. In the aftermath of the 2016 Shamoon attacks, Symantec found evidence that the Iran-linked Greenbug and Timberworm espionage groups may have provided access to the victims’ networks. The 2018 attacks had a tentative link to the Iranian Elfin group (aka APT33), with one victim in Saudi Arabia having been compromised by the group shortly before Shamoon struck.

With this in mind, any organization that finds indicators of compromise (IOCs) related to any Iran-linked espionage group on their network should exercise extreme vigilance. While destructive attacks remain a relative rarity, a prior intrusion does appear to be a necessary precursor. Aside from the aforementioned groups, other Iran-linked groups that are highly active at present include Chafer, Crambus (aka OilRig), and Seedworm.

Risk assessment

Given the recent history of attacks, it is evident that Iranian-sponsored groups consider destruction of equipment as an acceptable form of damage to targets. However, to date these incidents have only targeted Middle Eastern entities. Iranian actors have not yet shown an appetite for conducting similar attacks against organizations further afield. Considering the tense geopolitical climate in 2020 and based on previous Iranian activity, we believe cyber attacks originating from Iran or Iranian proxies would be (in order of descending probability):

  • Wipers being used for destructive attacks against critical infrastructure
  • Infrastructure for telecommunication providers being attacked to disrupt services
  • Hacktivist defacements of popular websites
  • DDoS attacks against financial entities

While Symantec has yet to see any evidence of a notable uptick in activity, this should not be misinterpreted, since planned operations could take some time to prepare and execute.

Organizations associated with the U.S. and its allies are an obvious target. While Iranian actors have, to date, heavily focused on organizations in the Middle East, attacks against the U.S. should not be ruled out, particularly considering the heightened state of tensions at present.

However, organizations based in the Middle East likely remain most at risk, given that Iranian groups know this region best and may already have ongoing compromises. Destructive attacks, such as those involving disk wipers, usually require some prior compromise of the organization’s network. This may mean that any potential destructive attacks could be focused on the Middle East, particularly if the attackers are under time pressure to retaliate.

Indicators of Compromise (IOCs)

Group               SHA-256 hash (IOC)                                                Description
Shamoon             89850b5f6e06db3965d0fdf8681bc6e55d3b572c97351190c247b9c8b1419850  Disttrack.B Wiper malware
Shamoon             bac9503a28ef97ee5d77fc3caedbf4f61e975679212f5da7945e6063c1d8a88f  Targeted malware
Shamoon             bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003  Disttrack.B Wiper malware
Dustman/ZeroCleare  becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86  Wiper malware (x64)
Dustman/ZeroCleare  2fc39463b6db44873c9c07724ac28b63cdd72f5863a4a7064883e3afdd141f8d  Wiper malware (x86)
Dustman/ZeroCleare  36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c  ElDos driver (x64)
Seedworm            7b4da8f9ffa435c689923b7245133ee032f99fcd841516f2e2275fb4b76d28f9  Xsxeon
Seedworm            36fc0a750d29ecf1d31ae3c7e834e548fe8eed25db62dfbdbf9148d896c13f59  Powermud.v2
Seedworm            5f2eac7251a9fc74309985b3dc1d9730f86c8cd95b22d16b04c0ad0521f10598  Powermud.v2
Seedworm            7b93b928bb9e41a7b890bc2ad559044fa39351d7f42a0bcb0ee1d2bb5def8e60  Powermud.v2
Seedworm            f0c726c75a79e83ab24c6d6e04022974bd79d35ff4c3e0118e7707eedd7edea2  Lazagne
Seedworm            905e3f74e5dcca58cf6bb3afaec888a3d6cb7529b6e4974e417b2c8392929148  Downloader
Seedworm            148839e013fee10ee5007f80de2e169778739e84d1bbb093f69b56060ceef73f  Downloader
Seedworm            18cfd4c853b4fb497f681ea393292aec798b65d53874d8018604068c30db5f41  Downloader
Seedworm            1d768c6a5165cadf39ac68e4cc294399f09b48dfefd7bfd6d78e75ad882cd3f1  Downloader
Seedworm            20ec56029ec2dc6a0f86d172f12914d078fc679a8d01257394864413d01d7eda  Downloader
Seedworm            2f69f7df7a2ab7b1803bb50b23ac17f7047b4651513bdff98dae5adee492c98f  Downloader
Seedworm            32c5d06a518a17daf825374449a5096e1109a1eb99c010bb2524b9b0ed6e3114  Downloader
Seedworm            4a2db2c017b44834bfab8bd7ba107750d77cd1e62db0b4892ab3c053b2d64fae  Downloader
Seedworm            64001be2fc9ccec320d48c75d2de8ad7cd74092065cb44fe35b38624d4493df0  Downloader
Seedworm            7f31ab924bddc2f20697157f7cfa6ff25adfbbb50403052cccd05dc0e9faabc4  Downloader
Chafer              1e94a1ca83123688215b64369a37162448a0f3927e3f0f4f412ee352db6abf5c  Exemyr
Chafer              fc74c58705f4d2f6241118b729d86e4610045418690d833de6b123d08d1f8a37  Trojan
Chafer              d4dcbfbab036132eb6c40c56a44c0d3b4b681b19841b81fc4f8e1d62ea5b211d  Alias: Dntxdoor
Chafer              caa841e4809efdfb3be1de588d74ccf32a96a8c1bc4108d07ade509551ce77e4  Remexi
Chafer              3ebc9890fa04b1035565d7d273f80032e811ac5e42d3aa1dafe6e33b6572f8cb  Remexi
Chafer              2802ad7e910e4ef647b93f11b3f4a5ec465a0abf16c542884442c70555ca8352  Mini_rsocks
Crambus             3996efe9a3cf471a1f816287368fa0f99d2cdb95786530b0b61c7b9024ff717b  Alias: Hisoka
Crambus             db1f460f624a4c13c3004899c5d0a4c3668ba99bb1e6be7f594e965c637b6917  Alias: Sakabota
Crambus             4c68068c16e320e2dd346adfa64686a3bcd5aef98fdc0f69d5f0e82d254eacf4  Alias: Yakenzi
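The advisory's advice is to look for these indicators on your own network. As an added example (not Symantec's tooling or part of the original post), the following Python script turns a copy of the IOC table above into a lookup set and checks SHA-256 hashes against it, either by hashing every file under a directory or by matching a list of hashes exported from an EDR or file inventory. The table text embedded in the script is a subset of the rows above; the header line and the row that the post lists twice are kept on purpose so the parser has to skip the header and de-duplicate. The temporary directory and the benign file in the demo are constructed here, and the directory to scan is an assumed command-line argument.

```python
"""Match SHA-256 file hashes against the IOC table published in this advisory.

Added example, not Symantec's tooling. IOC_TABLE is a subset of the rows
from the post; file paths and sample data below are constructed.
"""
import hashlib
import os
import re
import sys
import tempfile
from collections import namedtuple

Indicator = namedtuple("Indicator", "group sha256 description")

# Rows copied from the advisory's IOC table (subset). The header line and the
# duplicated 905e3f... row are deliberately left in to exercise the parser.
IOC_TABLE = """\
Group IOC Description
Shamoon 89850b5f6e06db3965d0fdf8681bc6e55d3b572c97351190c247b9c8b1419850 Disttrack.B Wiper malware
Shamoon bac9503a28ef97ee5d77fc3caedbf4f61e975679212f5da7945e6063c1d8a88f Targeted malware
Shamoon bd2097055380b96c62f39e1160d260122551fa50d1eccdc70390958af56ac003 Disttrack.B Wiper malware
Dustman/ZeroCleare becb74a8a71a324c78625aa589e77631633d0f15af1473dfe34eca06e7ec6b86 Wiper malware (x64)
Dustman/ZeroCleare 2fc39463b6db44873c9c07724ac28b63cdd72f5863a4a7064883e3afdd141f8d Wiper malware (x86)
Dustman/ZeroCleare 36a4e35abf2217887e97041e3e0b17483aa4d2c1aee6feadd48ef448bf1b9e6c ElDos driver (x64)
Seedworm 7b4da8f9ffa435c689923b7245133ee032f99fcd841516f2e2275fb4b76d28f9 Xsxeon
Seedworm 905e3f74e5dcca58cf6bb3afaec888a3d6cb7529b6e4974e417b2c8392929148 Downloader
Seedworm 905e3f74e5dcca58cf6bb3afaec888a3d6cb7529b6e4974e417b2c8392929148 Downloader
Chafer 1e94a1ca83123688215b64369a37162448a0f3927e3f0f4f412ee352db6abf5c Exemyr
Crambus 3996efe9a3cf471a1f816287368fa0f99d2cdb95786530b0b61c7b9024ff717b Alias: Hisoka
"""

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")


def parse_ioc_table(text):
    """Return {sha256 (lowercase): Indicator}, skipping headers and duplicate rows."""
    iocs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3 or not SHA256_RE.match(parts[1]):
            continue  # header, blank line, or a row whose second column is not a SHA-256
        group, digest, description = parts
        digest = digest.lower()
        iocs.setdefault(digest, Indicator(group, digest, description.strip()))
    return iocs


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(digests, iocs):
    """Look up already-computed hashes (EDR export, inventory) against the IOC set."""
    return [iocs[d.lower()] for d in digests if d.lower() in iocs]


def scan_directory(root, iocs):
    """Hash every regular file under root; return [(path, Indicator)] for matches."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable, vanished, or special file: skip, do not abort the scan
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def demo():
    """Constructed demo: a benign temp directory yields no hits; a known hash does."""
    iocs = parse_ioc_table(IOC_TABLE)
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "w") as fh:
            fh.write("constructed benign content\n")
        dir_hits = scan_directory(tmp, iocs)
    # Some tools export hashes in uppercase; matching must be case-insensitive.
    hash_hits = match_hashes(
        ["89850B5F6E06DB3965D0FDF8681BC6E55D3B572C97351190C247B9C8B1419850"], iocs)
    return len(iocs), dir_hits, hash_hits


if __name__ == "__main__":
    iocs = parse_ioc_table(IOC_TABLE)
    if len(sys.argv) > 1:  # assumed usage: python ioc_scan.py <directory>
        for path, ind in scan_directory(sys.argv[1], iocs):
            print(f"MATCH {ind.group} / {ind.description}: {path}")
    else:
        unique, dir_hits, hash_hits = demo()
        print(f"{unique} unique indicators loaded; directory hits: {dir_hits}")
        for ind in hash_hits:
            print(f"hash match: {ind.group} {ind.description} {ind.sha256}")
```

A hit on any of these hashes is evidence of a prior intrusion, which the advisory identifies as the usual precursor to a wiper deployment, so it should be treated as an incident rather than a routine malware clean-up. Hash matching only catches the exact samples listed; it is a cheap first check, not a substitute for broader hunting for the groups named above.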

About the Author

Critical Attack Discovery and Intelligence Team

Symantec

The Critical Attack Discovery and Intelligence team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.