There's a link between the Shamoon worm and the malware attack on the Saudi Aramco oil company last week, and the link is a preset timestamp, says Kaspersky Lab,.
Meanwhile, a threat has been made against the state-owned Saudi oil company promising further attacks Saturday (Aug. 25).
Last Wednesday (Aug. 15), Saudi Aramco said it had suffered a crippling malware attack that had forced it to take all its computers offline.
That same day, a previously unknown group calling itself "Cutting Sword of Justice" posted a text file to Pastebin claiming responsibility for the Aramco attack.
"We penetrated a system of Aramco company by using the hacked systems in several countries and then sended a malicious virus to destroy thirty thousand computers networked in this company," read the post. "The destruction operations began on Wednesday, Aug 15, 2012 at 11:08 a.m. (local time in Saudi Arabia) and will be completed within a few hours."
The following day, Russia's Kaspersky Lab, the Israeli security firm Seculert and California-based Symantec all revealed the discovery of Shamoon, an extremely destructive piece of malware found in the Middle East.
Unlike most pieces of malware, which attempt to operate without detection, Shamoon sets out to completely erase and destroy the infected computer once it has transmitted a file list to a mysterious server.
Coincidence or not?
Dissecting the source code of Shamoon, Kaspersky's researchers found something interesting.
"The dropper determines whether a specified date has come or not," wrote Kaspersky's Dmitry Tarakanov in a blog posting Tuesday. "The hardcoded date is 15th August 2012 08:08 UTC" — 11:08 a.m. in Saudi Arabia.
"I think we can confirm that #Shamoon kill-timer was the same (08:08 UTC) as was announced in anons statement here," tweeted Kaspersky Chief Security Expert Aleks Gostev yesterday, referring to the Pastebin posting.
Saudi Aramco has not commented on what caused it to take all its computers offline last Wednesday. Kaspersky has not flat-out stated that Shamoon was the cause, and nor have Symantec or Seculert.
"The timing and malware behavior look the same, but this is not hard evidence," Seculert co-founder and chief technology officer Aviv Raff told the Dark Reading security blog. "Also, the IP address, 10.1.252.19, we saw in the malware samples we analyzed is not in the list on the Pastebin [post]."
Persian mirrors
Jeffrey Carr, CEO of Taia Global, a self-described "boutique security firm" based in northern Virginia, believes the culprit might be a bigger fish: Iran, which is suffering economically under American and European oil sanctions tied to Iran's nuclear program.
"I've heard speculation from more than one source in Saudi Arabia that the malware attack against Saudi Aramco's network was an Iranian operation to discourage Saudi Aramco from increasing its oil production," wrote in a blog posting.
"Iran has been known to use its indigenous hacker population to run state-sponsored attacks in the past," Carr added.
The notion that Shamoon was created by amateurs is something Kaspersky would likely agree with. There seems to be a clumsy error in the way the preset timestamp in the Shamoon code works.
"It seems that the function to check the date works incorrectly. If the intention is to divide the timeline into 'before' and 'after' a particular checkpoint, then the author has failed," Tarakanov wrote in yesterday's blog posting. "Experienced programmers would hardly be expected to mess up a date comparison routine."
But Gostev played down the possibility of an Iranian link, citing a folder named "ArabianGulf" in the Shamoon source code.
"I've heard some rumours about Iranian origin of #Shamoon attack," tweeted Gostev today. "But as I know, Iranians *never* say 'Arabian Gulf,' always Persian Gulf."
Tick tock
In any case, researchers may soon have more to work with.
"Saudi Aramco is thinking that the 15 Aug. attack was done by us but with a man in the middle helping us with different kind of info and that's the reason why the head management of Aramco is still investigating," read a Pastebin posting put up early today (Aug. 23).
"What we're going to do to prove our ability to do more?" asked the writer. "We are going to make it, next week, once again, and you will not be able by 1% to stop us."
He then gave a date and time of Saturday, Aug. 25, 21:00 GMT, which is midnight in Saudi Arabia and 5 p.m. Eastern time in the U.S.
"That will happen for two reasons," added the poster. "1- you're brutal and selfish to harm any employee just for the sake of expecting. 2- we do hate, hate a lot, arrogance."