March 23, 2017
Protecting Against Shamoon 2 and Stonedrill: In the Crossfire of Geopolitics and Wiper Malware

At the end of January, Saudi Arabia’s telecom authority issued an alert warning about Shamoon 2, a wiper malware that hit several organizations, including three government agencies and four private sector companies. This latest attack is viewed as an evolution of the 2012 Shamoon malware that was responsible for debilitating gas giant Saudi Aramco, wiping three-quarters of its data. Saudi Arabia’s alert came over a month after the first resurgence of the new Shamoon variant, which hit Saudi civil aviation, the central bank, and other government agencies, erasing data and inflicting disruption across the country’s airports.

Shamoon 2 is not even the most sophisticated wiper malware currently targeting organizations. Stonedrill wiper malware has also been spotted in the Middle East and Europe, and is even more sophisticated in its ability to destroy infected targets as well as avoid detection and eradication. Stonedrill and Shamoon 2 wiper malware reflect escalation in technical capabilities, including the simultaneous detonation within several targets, enhanced evasion techniques, and the broader campaign style enacted over a few months at a broad range of targets. These attacks also mirror the evolving geopolitical landscape, and are increasingly employed as a response to heightened tensions between regional rivals and adversaries.  

We’ll briefly describe how Shamoon 2 and Stonedrill fit into the emerging trend of destructive attacks, as well as the status of global policy to counter these attacks. Next, we’ll get into the technical details of wiper malware, including how to catch and prevent it. In general, blocking wiper malware requires a strategy that is no different than that necessary to block other forms of digital compromise:  layered and signatureless defenses.

 

 

Destructive Attack Trends

The destructive attacks in Saudi Arabia, while still relatively rare, are by no means an anomaly. The destruction of Iranian nuclear centrifuges by the Stuxnet malware, first discovered in 2010, is largely seen as a turning point in the use of offensive digital weapons. The original variant of the Shamoon malware followed in 2012, wiping or destroying 35,000 computers. It took Saudi Aramco five months to fully return to business as usual. The Shamoon 2 malware appears to be the latest evolution in this regional rivalry. It also could be a response to the string of pipeline explosions in Iran last summer. While the Iranian government has not publicly attributed the explosions to cyber attacks, many experts believe the timing and frequency of the attacks were digitally induced.

The use of destructive malware is not limited to the Middle East. The Dark Seoul malware was part of a four-year campaign against the South Korean government, financial sector, and media. In 2013, the wiper malware erased data and permanently disabled thousands of infected computers. In late 2014, a German steel mill was the target of a cyber attack which hijacked a blast furnace, leading to a meltdown. Ukraine also has experienced digital attacks on their power grid in both 2015 and 2016, which are attributed to the BlackEnergy malware. There also is speculation that more recent variants of BlackEnergy contain KillDisk, wiper malware that may have made it more difficult to restore power. The Ukrainian and German steel mill attacks have been linked to Russia. Finally, within the US, Sony was the target of destructive malware stemming from North Korea, which rendered thousands of computers inoperable and caused enormous business disruption. The US was also the target of a failed attempt to take control of and damage the Rye, NY dam. This failed attack was linked to the larger Iranian campaign on financial institutions, which led to the indictments of seven Iranians in 2016.

 

 

Screen Shot 2017-03-23 at 11.31.19 AM.png

 

Policy Landscape

This growing trend of destructive cyber operations has not gone unnoticed by the policy community. Over the last few years, a small group at the United Nations called the Group of Governmental Experts has led the global push for the creation of norms to halt the ongoing escalation of digital attacks across the globe. Intentionally damaging another country’s critical infrastructure during peacetime is a prominent norm that gained the most consensus. Similarly, the recently released Tallinn Manual 2.0 provides a consolidated overview of how current international law pertains to cyberspace. Written by nineteen international law experts, the manual’s first rule is that, “A State may exercise control over cyber infrastructure and activity within its sovereign territory.”

A key aspect of the revised Tallinn Manual is the emphasis on those digital activities that fall short of war, which is largely distinguished by the Law of Armed Conflict. Too often these are confounded, and international frameworks pertaining to cyberspace largely emphasize appropriate behavior in peacetime. But which activities constitute an act of war and what is acceptable in peacetime? For the most part, this remains vague. For instance, NATO’s Article V now includes digital attacks as capable of triggering collective security, but it is unclear what those triggering events would be. The US Law of War Manual is indicative of the current state of policy, and leans on any activity whose effect would be perceived as an act of war under more ‘traditional’ kinetic activities would similarly be perceived as an act of war if achieved through digital means. Additional clarity is needed, and the policy and legal frameworks must rapidly evolve to address the emerging use of destructive malware before some global event renders much of these discussions obsolete. 

 

What is Wiper Malware?

Destructive cyber attacks can take several forms, and not all of them integrate wiper malware. However, as the latest Shamoon and Stonedrill variants demonstrate, wiper malware is among the most straightforward for attackers to achieve destructive effects.  It is far easier to reliably destroy data on a hard drive than to create predictable effects such as power outages and pipeline explosions in the physical world via compromised computers.  While reliable prevention of cyber attacks against the power grid may require very specific tools, skills, and analysis such as detecting modified programmable logic controller (PLC)  firmware, defenses which prevent wiper malware without requiring any specific prior knowledge of an attack are within the reach of all organizations.  

Wiper malware is similar to file-encrypting ransomware, as each have a similar intent of preventing the ability to read or recover critical data.  In the case of ransomware, the malicious action can often be reversed once the user pays for the cryptographic key or recovers the key through other means such as reverse engineering.  But with wiper malware, the damage is irreversible.  Data is usually overwritten or encrypted, sometimes offering the operator configuration options to select the desired effect. For example, Shamoon 2 offers an encryption mode and an overwrite mode, either encrypting files or alternatively overwriting them with an image of a dead Syrian refugee child.  Shamoon 2 (as well as the original variant) also includes a raw disk access driver to allow the malware to modify the partition table and Master Boot Record to create further damage.  

Detection and prevention of wiper malware should not focus on the end effect.  Wiper malware has a similar attack lifecycle to other categories of malware.  Similar techniques are used to deploy code to systems, evade defenses, and persist.  This provides many points for detection and prevention, just like other types of malicious cyber activity.

 

Protection against Destructive Attacks

Our signature-less, layered preventions stop both Shamoon 2 and Stonedrill without specific tuning, signature creation, or any prior knowledge about the malware and its behaviors. The latest version of Endgame’s MalwareScore immediately designates the initially loaded Shamoon 2 binary as malware, preventing the attack at its outset.  In other words, Shamoon 2 would be detected when dropped to disk, execution would be prevented, and the destructive attack averted.  

But, malware won’t always be used and some malware will evade even the best signatureless malware detection product.  Layered defenses are necessary safeguards for high confidence detection and prevention. The initial Shamoon 2 malware extracts two other files to c:\windows\system32 and immediately runs them.  Each will also be detected by MalwareScore. However, even if Shamoon 2 previously infected a system before Endgame was deployed, or if MalwareScore was inactive or failed, Shamoon 2 would still be discovered.  The clearest place this stands out is via Endgame’s malicious persistence detection, which depicts the Shamoon 2 malware as a very suspicious file waiting for the prescribed attack time.  As we’ve discussed before, hunting for persistence is one of the best ways to find resident malware, including wiper malware, which persists as a scheduled task on compromised systems.  

While Shamoon 2 is higher profile, Stonedrill actually incorporates more advanced evasion techniques which, for Endgame, offer additional opportunities for detection.  As with Shamoon 2, Endgame’s prevention layer with MalwareScore would block the initial loader malware.  Even if we allow execution, as with Shamoon 2, Endgame would still easily spot, block, and remediate Stonedrill before damage occurs. After allowing this bypass, the malware spawns several versions of two additional malicious files via Windows Management Instrumentation. The malware then injects into the system’s default web browser to hide from file-based preventions, a fast growing technique to evade defenses. In this case, Endgame’s prevention blocks the injection.  Additionally, even if Endgame came into the compromised environment after the injection, our fileless attack detection capability would catch the in-memory injection in seconds.  Finally, we wanted to see what would happen if we intentionally let the attack get to the point of initiating destruction. Our behavioral ransomware protection capability provided a final point of prevention. Our behavioral ransomware protection detects Stonedrill’s destructive activity as resembling ransomware activity in real-time, stopping it immediately after it begins but before significant damage occurs.  

The video below demonstrates how Endgame’s layered approach catches both Shamoon 2 and Stonedrill, even post-compromise, to prevent destruction.  

 

 

Different Effects, Same Prevention

While destructive attacks - especially those on power grids and other critical infrastructure - are rare, the what-if scenarios of destructive malware are no longer theoretical. Shamoon 2 and Stonedrill demonstrate the application of wiper malware integrated into a larger strategy as geopolitical tensions rise.  Shamoon 2 has had destructive effects within Saudi Arabia, and now both Shamoon 2 and Stonedrill are spreading beyond the Middle East and into Europe.

This emergence of destructive malware occurs simultaneously with rising geopolitical tensions between major powers and within regional rivalries. As states seek greater capabilities and new means to achieve their objectives, destructive malware has proven effective as a response to growing tensions, while remaining short of war. The pace of diffusion of destructive malware is likely to far exceed the pace of global policy change and embedded norms, which currently have little impact on its propagation.

Fortunately, Endgame’s approach to protection demonstrates that our layered and signatureless defenses against non-destructive forms of cyber intrusion also prove capable of stopping these latest and most sophisticated forms of wiper malware. Organizations, especially those within these geopolitical hot spots, should heed these latest warnings about Shamoon 2 and Stonedrill, while understanding that it does not take nation-state resources and capabilities to stop them.