Shamoon is back; hits Saudi Arabian aviation agency

Shamoon malware is back with a new variant and a massive attack on the Saudi Arabian General Authority of Civil Aviation (GACA). Once the attack was detected, GACA isolated the infected devices from the main network.

The government confirmed the breaches last Thursday, assuring citizens that “none of the air navigational system, or any major networks in any of our airports, this include our human resources, and financial system, or aviation permits and security badge systems and other airport support and operation businesses was effected.”

The Saudi Arabian aviation agency is not the only victim of the Disttrack wiper malware, also known as Shamoon. Saudi Aramco, the national oil company and other governmental agencies and sectors have been targeted in the past. The attack on Saudi Aramco from 2012 was allegedly claimed by hacker group Cutting Sword of Justice.

Detected in 2012, the original malware would completely wipe the infected drive, displaying an image of a US flag in flames at the end. The new variant has replaced the image with one of the three-year old Syrian refugee boy who drowned.

Shamoon attacks have been planned on either the first day of the Saudi Arabian weekend (Thursday) or on a Muslim holiday to allow the malware to spread through the infrastructure. GACA has joined forces with the National Center for Cyber Security for further investigations, but so far digital evidence allegedly shows the attacks emerged from Iran, Bloomberg reports.