Channel Post Speaks with Ravi Patil, Technical Director at Trend Micro, on the wave of terror that Shamoon has left in its wake.
Channel Post (CP): How would you define the security landscape in this region post Shamoon2?
Ravi Patil (RP): When Shamoon resurfaced on November 12, 2016, and then again on January 23, 2017, it resulted in an increase in spam and ransomware attacks in the region, especially in Saudi Arabia.
CP: Would you say that Shamoon was a case of cyberterrorism?
RP: Yes, Shamoon was definitely a case of cyberterrorism because there was no data theft in these attacks and it was meant to cripple the network. It was a targeted attack on selective websites intended to bring down the system for a period of time and wipe data from the hard disk.
To undertake such an attack, the attackers hacked into the system to gain access to the admin credentials before launching the malware payload. Once the attack is activated, Shamoon acts like a time bomb that is set to explode at specific times. This is also the reason why the two Shamoon attacks happened at such short intervals, since the aim was not monetary gain but indiscriminate deletion of data to disrupt networks and bring them down at different times.
CP: Were the attacks of November 2016 and January 2017 related?
RP: Yes, in layman's terms they were the same, since there was only a slight technical modification in terms of the malware.
CP: Is there any way to quantify the number of attacks and what kind of losses have occurred because of these attacks?
RP: In general, we do not have any specific methods to quantify the number of attacks and rely on our customers to inform us. We can confirm that at least four petrochemical companies, two government sector organizations and several private sector organizations have been affected by the attack. Several organizations had to shut down their infrastructure for about 48 hours to avoid being affected and only brought them online after confirming that the systems were clean of the malware.
CP: Who are the major targets for such attacks? In other words, which verticals are more prone?
RP: Usually, if an attack is politically motivated then the Government sector is targeted, but in general, the financial sector is more prone to such attacks. If we talk about the recent Shamoon 2 attacks, only the Government sector was attacked in November 2016; however, in January 2017, it was a combination of companies that provide services to Government agencies or are jointly owned by the public and private sector.
CP: How can organisations safeguard themselves against such threats?
RP: To ensure that organisations are protected, the first measure is a very basic one – to have secure passwords and to change them regularly. Also, for the network to stay secure it is imperative that they use the latest security products to analyse and detect malware issues.
CP: In this region many organisations are not very forthcoming in declaring that they have been breached or that their customers' personal data has been compromised. Are there any talks with the government to ensure that laws are in place to combat this?
RP: This region is still in its infancy when it comes to security practices but the recent attacks have compelled organisations to become more forthcoming in declaring a breach or attack. Also, the governments of many countries are working to ensure that there is complete transparency in such an occurrence.