Iran-linked virus suspected in cyber-attack on Saudi government

Shamoon virus hit government computers last month - it was last used four years ago by hackers believed to be working for Iran
Experts say the virus used in November's attack is 'highly destructive' (AFP)

A destructive virus that four years ago crippled tens of thousands of computers at Middle Eastern energy firms has been used again to attack computers in Saudi Arabia, according to US security firms.

US security companies CrowdStrike, Palo Alto Networks Inc and Symantec on Wednesday said a new version of the "Shamoon" virus attacked Saudi government computers, in an attack that Riyadh said hit the kingdom's transport sector.

The attack originated outside the country and was one of "several ongoing cyber-attacks targeting government authorities", the interior ministry said.

Shamoon cripples computers by wiping the master boot records that they use to start up.

The reappearance of the virus is significant as there have only been a handful of other high-profile attacks involving disk-wiping malware, including on Saudi firms Aramco and RasGas in 2012, which CrowdStrike linked to hackers working on behalf of the Iranian government.

It is too early to say whether the same group was behind the new attack, the firm said.

Tehran has been investing heavily in its cyber capabilities since 2010, when its nuclear programme was hit by the Stuxnet computer virus, widely believed to have been launched by the United States and Israel.

The motive behind the recent attacks was also not immediately clear.

The Saudi statement did not give further details of the identity of the attackers or the damage inflicted, beyond saying the virus aimed to disrupt servers and plant malicious software in computer systems.

"Why Shamoon has suddenly returned again after four years is unknown," the Symantec Security Response team said on its blog. "However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice."

The malware triggered the disk-wiping to begin at 8.45pm on 17 November, according to the security firms.

The Saudi business week ends on Thursday, so the attack appears to have been timed to begin after staff left for the weekend to reduce the chance of discovery and allow maximum damage.

"The malware had potentially the entire weekend to spread," Palo Alto researcher Robert Falcone said in a blog post.