EXCLUSIVE: Oil and gas cyber attacks could be state-sponsored

20 December 2018
Expert says latest Shamoon cyber attack aimed to disrupt targets’ operations

The recent cyber attacks targeting the Middle East servers of UK-based Petrofac and Italian firm Saipem could be state-sponsored, a threat researcher tells MEED.

“Based on our analysis, there are indications that the attacks are quite possibly state-sponsored,” says Dick O’Brien, threat researcher at US-based Symantec.

While the latest attacks originated from a server in Chennai in India, O’Brien said it is likely that the perpetrators only managed to stage the attack from that vulnerable server, and that the perpetrators’ actual origin will never be determined.

The executive also said that it is extremely difficult to determine the factors that contributed to the latest resurgence of the Shamoon virus, although the motives of whoever is behind the attacks are clear. “They want to cause a major disruption to the targets,” O’Brien explains.

“It is hard to read into it too much, but clearly disruption is the main goal… a lot of work is required to restore computers and back-ups.”

State-sponsored threat is a term describing government support of a non-state entity to conduct acts of terrorism, including cyber attacks.

Symantec said in a report on 18 December that the cyber attacks used a deadlier version of Shamoon malware, which wiped out thousands of disks at oil giant Saudi Aramco in 2012.

The latest re-emergence of the virus, last detected in 2016, involves a new wiper, Trojan.Filerase, that deletes files from infected computers before the Shamoon malware wipes the master boot record.

“[Trojan.Filerase] will delete and overwrite files on the infected computer. Shamoon itself will meanwhile erase the master boot record of the computer, rendering it unusable,” Symantec said.

“While a computer infected by Shamoon could be unusable, files on the hard disk may be forensically recoverable. However, if the files are first wiped by the Filerase malware, recovery becomes impossible.”

According to Symantec, one of the new Shamoon victims, an organisation based in Saudi Arabia, was recently also attacked by another group Symantec calls Elfin (APT33), after being infected with the Stonedrill malware (Trojan.Stonedrill).

“There were additional attacks against this organisation in 2018 that may have been related to Elfin or could have been the work of yet another group,” Symantec said.

The firm added that the proximity of the Elfin and the Shamoon attacks against this organisation means it is possible the two incidents are linked.

Both Saipem and Petrofac have said they did not sustain any data loss from the cyber attacks, which MEED understands is possible only if they managed to back up all important files right before the attack was staged.
