[BreachExchange] Saipem says Shamoon variant crippled hundreds of computers

Thu Dec 13 01:29:54 EST 2018

https://www.yahoo.com/news/shamoon-computer-virus-variant-lead-suspect-hack-oil-175913314--finance.html

MILAN/NEW YORK (Reuters) - A hack on Italian oil services firm Saipem
that crippled more than 300 of the company's computers used a variant
of the notorious Shamoon virus, Saipem said, a development that links
the case to a massive attack in 2012 on Saudi Aramco.

"The cyber attack hit servers based in the Middle East, India,
Aberdeen and in a limited way Italy through a variant of Shamoon
malware," the company said in a statement on Wednesday.

Work is under way "in a gradual and controlled manner" to fully
restore operations after the attack, it said.

The Shamoon virus was used in some of the most damaging cyber attacks
in history, starting in 2012 when it crippled tens of thousands of
computers at Saudi Aramco and RasGas Co Ltd in the Middle East -
attacks that cybersecurity researchers said were conducted on behalf
of Iran.

Saudi Aramco is Saipem's biggest customer.

The attack crippled between 300 and 400 servers and up to 100 personal
computers out of a total of about 4,000 Saipem machines, the company's
head of digital and innovation, Mauro Piasere, told Reuters.

No data will be lost because the company had backed up the affected
computers, he said. The company said it first identified the attack on
Monday.

Piasere said the company does not know who was responsible for the attack.

However, Adam Meyers, vice president with U.S. cybersecurity firm
CrowdStrike, said he believed Iran was responsible because early
technical analysis of the new Shamoon variant showed similarities to
the 2012 campaign.

Shamoon disables computers by overwriting a file known as the master
boot record, making it impossible for devices to start up. Former U.S.
Defense Secretary Leon Panetta has said the 2012 hack of Saudi Aramco
was probably the most destructive cyber attack on a private business.

Shamoon went dormant until it resurfaced in late 2016 in a series of
Middle East attacks that continued through early 2017.

"It went dark for a long time and it seems to be back," said Eric
Chien, senior researcher at cybersecurity firm Symantec. "The question
is whether any others were affected by it."

Security researchers widely believe that people working on behalf of
the Iranian government were behind previous Shamoon attacks, which
Tehran strongly denies. Anti-U.S. imagery was found in the code,
researchers have said.

Officials in Iran could not be reached for comment.

Saipem, one of the world's largest subsea engineering and construction
firms, is controlled by Italian state lender CDP and oil firm Eni .