Shadowy cyber-espionage group linked to Saudi hacking attack

A spate of recent cyber-attacks on Saudi companies and government institutions is possibly the work of 'Greenbug', a mysterious cyber-espionage group
28 January, 2017
Little is known about Greenbug, a cyber-espionage group active in the Middle East [Getty]

A spate of recent cyberattacks on Saudi companies and government institutions is possibly the work of 'Greenbug', a mysterious cyber-espionage group, cyber security company Symantec has said.

Though no definitive link was established, the firm added, the nature of the disk-wiping malware used in the attack, together with other digital traces left during the recent hacking episode, points to the group's involvement.

Greenbug relies on a unique, custom information-stealing remote access trojan (RAT) known as Trojan.Ismdoor, in addition to a suite of commoditised credential-stealing hacking tools, according to a CyberScoop report.

Greenbug tends to use phishing emails to infect victims. The group typically targets aviation, government, investment and education organisations in the Middle East.

Between June and November 2016, Trojan.Ismdoor was used against multiple organisations based in the Middle East.

Nation states?

Little is known about Greenbug, including whether it is linked to any nation state. Previous attacks on Saudi Arabia and Qatar were thought to be linked to Iran.

"The use and purpose [of Trojan.Ismdoor] do fit that of malware used by nation state attackers. Additionally, the information gathering conducted once the attacker is on the network also supports the types of operations seen by nation state attackers," Symantec senior threat intelligence analyst Jon DiMaggio told CyberScoop.

On Thursday, Saudi Arabia's Sadara Chemical Co said the cause of a 23 January 'network disruption' had been resolved by Symantec Corp.

"We received confirmation that our third party experts Symantec have developed and deployed the solution to what caused the network disruption," it said.

Sadara said it had contained the disruption caused by the cyberattacks that hit several organisations in the kingdom on Monday.

Recurrent 'Shamoon' virus

On Monday, Saudi state-run television reported that 15 government agencies and private institutions had been hit by the return of a known computer virus.

State officials pointed to the return of the 'Shamoon' virus, which in 2012 targeted various Saudi enterprises, including Aramco, as well as Qatari natural-gas producer RasGas. It struck again in December 2016, targeting a Saudi civil aviation organisation.

Riyadh indicated that the latest target of the Shamoon virus, which was previously blamed on Iran, was Sadara, a $20 billion joint venture between Saudi Aramco and Midland, Michigan-based Dow Chemical Co.

On Monday, Sadara was forced to shut down its computer network due to the disruption.

It is not clear whether Greenbug was also linked to previous attacks using Shamoon. However, researchers told CyberScoop there is at least one case in which the two - Shamoon and Greenbug - may have been simultaneously active inside a victim's computer network.

It is possible that Greenbug, acting as the espionage arm for Shamoon, collects the information needed to carry out the disk-wiping attack. One of the longstanding questions about Shamoon has been how the group deploys its signature Disttrack malware, because the wiper must be configured with previously stolen credentials before it can be launched and spread across a victim's network.

"The presence of Greenbug within an organisation prior to the destructive attack involving W32.Disttrack.B provides only a tentative connection to Shamoon," Symantec said on its website.

"It is possible that Greenbug played a role in some of the previously discussed campaigns against the Middle East," explained DiMaggio.

"[And] in light of our recent findings we are reviewing previous attacks [but] have not yet identified enough of a 'tie' to comfortably state that the activity is [all] from one attacker. As we obtain new information and evidence we will assess this and previous activity with more certainty."