Posted on January 9, 2020 at 5:44 PM
Bahrain’s National Oil Company, Bapco, Hit by New Iranian Malware
A group of Iranian hackers, who are reportedly sponsored by the Iranian government, planted malware on the systems of Bahrain’s national oil company, Bapco. The attackers infiltrated the system on Dec. 29 but they were not able to get a major stronghold on the system. Even after the malware infiltration, Bapco was still able to run and operate most of its systems.
The cyberattack was the same announced by the National Security Authority of Saudi Arabia last week. When it happened, the Saudi authorities informed other local firms in the energy market to fortify their systems and maintain secured portals.
This news of cyberattack is coming at the time the US and Iran are facing-off due to political tensions between the countries. Cybersecurity researchers are still looking at different angles Iran may retaliate over the killing of its general by an American drone.
Dustman malware responsible for the attack
Reports by the Saudi Security Authorities revealed that the Dustman malware was used in the attack on Bapco. Based on the report, the Dustman works a bit differently from other malware. It was specifically developed to infect systems and delete the data on the infected systems once it’s executed. The malware is now the third data-wiping malware that has been linked to the Iranian government, particularly the Tehran regime.
The malware strains make use of different techniques and exploits to raise their access to the systems to the admin-level. From there, they can unleash the strains via the EldoS RawDisk protocol to wipe data from the systems.
Although the Saudi officials said the Dustman malware is an advanced version of the ZeroCleare, it has two major differences. While ZeroCleare wipes a volume, Dustman overwrites the entire volume and replaces it with garbage data. Secondly, while ZeroCleare destructs and executes on two files, Dustman’s destructive ability is only executed in one file.
BAPCO a perfect target for Iranian Hackers
According to security researchers, the cyber-attack on Bapco by the Iranian hackers is in line with the attackers’ operational methods. Even before the December 29 attack, history has shown that the hackers have always used the ZeroCleare and Shamoon malware only on oil and gas companies. Most of the attacks pinned to the malware are all linked to either government or private-owned oil and gas companies.
Saudi and Iran also in strain relationship
The hackers have previously attacked Saudi Arabia’s national oil company and oil companies linked with Saudi Aramco.
Saudi and Iran have not had the best of relationships since the 1970s, because of the competition on the oil export market as well as their divergent interpretation of the Islamic laws.
And the attack on Bapco is evidence of such strained relationships. The company is completely owned by the Bahrain regime, which has a strong partnership with Saudi Aramco.
Incident may not be connected to US-Iran faceoff
Based on the time and place the attack occurred, there may be little connection between the Bapco incident and the present Iranian-US political tension. However, it points out that Iran has sophisticated technology to successfully launch highly intelligent cyber attacks. Over the weekend, the U.S. Department of Homeland Security informed companies and industries to intensify efforts to protect their system.
Iran has strains of data-wiping malware
The first data-wiping malware Iran developed was the Shamoon malware, which showed up back in 2012. When it was created, the attackers used it to delete data from more than 32,000 systems in Saudi’s Aramco oil company. Till date, that attack is still one of the most notorious cyber-attacks in world history.
Later, the hackers introduced two more versions of the malware, the Shamoon v2 and Shamoon v3. The second malware was between 2016 and 2018 while the third was used between 2018 and 2019.
Other data-wiping malware variations still exist
IBMX-Force published a report recently, stating that there are other data-wiping malware linked with these Iranian attackers over the years. There is a recent one known as ZeroCleare, which was first noticed in September last year.
According to Saudi security officials, the Dustman malware is a more advanced and sophisticated version of the ZeroCleare data-wiper. It has a variety of codes similar to the first malware discovered last September.
The security group said EldoS RawDisk is the main component the hackers used to interact with partitions, disks, and files among the three strains of malware.