Shamoon is destructive malware designed to overwrite and wipe targeted files, rendering infected systems unusable. The malware was named after a string of code found within the software. This malware exemplifies a trend of increasingly aggressive and damaging cyberattacks on critical infrastructure and industry.
A Shamoon infection can lead to significant data loss: the malware destroys both the data and the master boot record, resulting in extended downtime for the affected systems. Shamoon also spreads across networks. Once it infects a single computer, it can move laterally to other machines, significantly increasing the scale of the damage.
History of Shamoon
- Saudi Aramco and RasGas Attacks in 2012. The Shamoon malware first came to light in a major cyberattack against Saudi Aramco, the national oil company of Saudi Arabia, in August 2012. The attack wiped the data from about 35,000 computers, replacing it with an image of a burning American flag. Shortly after, a similar attack was conducted against RasGas, a Qatari natural gas company.
- Saudi Arabia Attacks in 2016-2017. Shamoon resurfaced in November 2016 in a series of attacks on multiple targets in Saudi Arabia. These attacks included a variant of Shamoon known as Shamoon 2.0, which had additional features, including the ability to manually trigger the disk-wiping functionality.
- Italian Oil Company Attack in 2018. A Shamoon variant was used in December 2018 in an attack against Saipem, an Italian oil and gas industry contractor. The attack affected servers in the Middle East, India, Scotland, and Italy.