The latest attack follows on the heels of an earlier incident in mid-November 2016. The earliest known instance was recorded in 2012, when tens of thousands of computers were compromised. Since then, Mandiant, a FireEye company, has responded to multiple incidents at other organizations in the region, including the latest incident in Saudi Arabia, which was initially detected two days ago.
“Mandiant has responded to several Shamoon 2.0 related incidents in the region and it is clear that this campaign, which started 4 months ago, has no ending in sight,” said Stuart Davis, Director for the Middle East and Africa at Mandiant. “We urge Government and Oil & Gas organizations at this point to implement controls that could limit the damage of Shamoon 2.0 malware.”
In light of these attacks, it is strongly recommended that critical infrastructure organizations and government agencies (especially those in the GCC region) continue to regularly review and test disaster recovery plans for critical systems within their environment.
In the event of a breach, client-to-client (workstation-to-workstation) communication should be blocked to slow the spread of the malware across the network.
The credentials of all privileged accounts should be changed, and each system should have a unique local administrator password so that one captured credential cannot be reused across hosts.
In the longer term, it’s imperative that organizations have the technology, threat intelligence and expertise to detect and respond to previously unknown attacks.