Data Wiping Malware hits Bahrain’s national oil company

January 14, 2020

On December 29, 2019, the National Cybersecurity Authority of Saudi Arabia published a report on a new cyber-attack incident, describing software that was deployed specifically to target Bapco, the national oil company of Bahrain.

The malware, dubbed “Dustman”, is a data wiper: it is designed to access a computer, a database, or a server/mainframe, delete its data, and replace the deleted data with junk, or with similar data whose properties hold no importance.

This is the third data-wiping malware to be linked to Iran, succeeding Shamoon (developed in 2012, also known as Disttrack, and infamous for wiping more than 32,000 PCs at the Saudi Aramco oil company) and its two later versions, V2 and V3; and ZeroCleare, which were developed in 2019 and discovered on the dark web.

All three strains contain EldoS RawDisk, a software toolkit designed to interact with files, disks, and partitions. The malware uses it to gain admin-level access, then unpacks and launches itself to wipe the data on infected hosts.

Dustman is very similar to ZeroCleare, but with two significant differences. Dustman executes all its functions using one file instead of ZeroCleare’s two, and Dustman overwrites the volume with different data, while ZeroCleare deletes it first then writes junk data onto it.

This malware is not designed to acquire data for future use but is designed to create holes in otherwise fully functional systems.

This attack has been linked to the Iranian regime since they deploy similar methods, most notably the software and core execution. Similarly, these Iranian hackers have targeted the oil and gas industry in the past.

Bapco was attacked mainly through some acquired enterprise-grade VPN servers that had been infected prior to the acquisition; the commands were then executed remotely, as confirmed by Saudi CNA officials. This took place in the summer and was only performed very recently. The timing may or may not be linked to the current state of US-Iran relations, as well as the involvement of other countries. However, this could not be confirmed: the Saudi CNA, as well as Bapco officials, could not link the attack to either the Iranian hackers or the regime in Tehran, due to a lack of concrete evidence.

This has raised several alarms here at iZOOlogic, as many of our clients are part of the industry in the same region. As such, we have started to develop countermeasures to these malware attacks and are working on ways to improve our detection methods. As we all know, these attacks evolve and improve upon themselves, so it is our responsibility to put up defenses that better protect against these evolved attacks.

The tensions between the western superpower and the Middle East have put us on high alert, and this has caused a ‘mutation’ of sorts to adapt to these sudden and intense requirements. Not only do we find new ways of providing protection, but we have also improved upon existing ones.

Oil and gas remain the mainstay of any industry in the region, so such targeted attacks are quite nefarious.
