When Muks Hirani got the call to go to Saudi Arabia in November, he knew it was serious.
The Dubai-based cybersecurity consultant had heard about the re-emergence of the Shamoon virus, which an Iran-based hacker group called the Cutting Sword of Justice had used to cripple the national oil company, Saudi Aramco, in 2012.
This time, a new version of Shamoon had been unleashed against the Saudi government. As in 2012, the point wasn’t to get money, but just to do damage.
Cyber experts call viruses like Shamoon “destructive malware,” and it’s a growing menace, said Hirani, who leads incident response in the Middle East for the cyber consulting firm Mandiant.
“Usually people want money,” Hirani said. “But what if you don’t care about money? It’s all political. It’s all the big picture.”
Hirani was in Honolulu on Wednesday to share a technical case study of Mandiant’s response to Shamoon 2.0 at Shakacon IX, a trade conference for information technology security professionals. The event runs through Thursday.
Some 350 cybersecurity experts are gathered at the Waikiki Prince Hotel for the event. Sponsors and exhibitors included organizations like the National Security Agency, Booz Allen Hamilton, Hawaiian Telcom and Crowdstrike, the security firm that identified the Russian government as the source of the hack of the Democratic National Committee before the 2016 presidential election.
In addition to day-long presentations, the conference included a virtual game of Capture the Flag, a hacking contest led by a bathrobe-clad hacker and a rap music producer named Dual Core. Attendees could take a break from code hacking by picking actual padlocks in the “Lockpicking Village” overseen by The Open Organisation of Lockpickers.
Attendees included IT and security executives and engineers from national organizations like Amazon, Qualcomm Inc. and the U.S. Navy, and from major local institutions like Hawaiian Electric Industries, the Hawaii Medical Service Association, the Honolulu Board of Water Supply and First Hawaiian Bank.
Presentations delved mostly into technical details only a cybersecurity engineer could understand. Hirani’s presentation, about the newest variation of what has been called one of the most destructive viruses ever unleashed on a private business, was one of the more accessible.
The first Shamoon destroyed some 35,000 hard drives at Saudi Aramco. Files were wiped out and replaced with an image of a burning American flag, Hirani said.
This time, he said, the files were replaced with a picture of the lifeless body of Aylan Kurdi, a 3-year-old Syrian refugee whose picture became a symbol of the refugee crisis. The latest attacks, which occurred in November and January, hit about 30 Saudi government entities and quasi-governmental organizations, Hirani said.
Coming in two waves, the attacks affected the Saudi public, as government workers in many cases had to resort to using old-fashioned paper forms and records in order to keep functioning, Hirani said.
“It causes unrest, political unrest in the nation,” Hirani told Civil Beat after his talk.
Hawaii is hardly immune to destructive malware’s cousin, ransomware, and other hacking schemes.
“Is it happening? Are we being targeted? Yes, absolutely,” said Mike Krupka, project manager for OccamSec in Honolulu, which was exhibiting its services at Shakacon.
Harlan Mattos, principal of Mattos.Tech in Honolulu, recalled a case where an employee of a Hawaii Island client opened what seemed to be tracking email from UPS. Instead, the email delivered a virus that locked up the company’s network and demanded a $300 payment to unlock it. It turned out the FBI had a code to unlock the network, Mattos said.
But damage can go beyond the initial infection, said Mattos, who provides security awareness training for computer users. “You can never trust those computers again because you don’t know what the malware left behind.”
“It’s awful,” said Loren Aquino, chief operations officer of HI Tech Hui, a Honolulu cybersecurity firm that was a Shakacon sponsor. “Once they penetrate, they don’t always let you know they’re there. They could be on your system for months without you knowing.”
Marcus Masuno, systems engineer with Hawaiian Telcom, said hackers may gather information on company executives and use it later to trick other employees into sending money, a scheme known as spoofing.
In one local incident, Masuno said, hackers were able to obtain the schedule of the chief executive of a company. When the CEO was out of the office on jury duty, the hackers sent the company’s chief financial officer a spoof email from the CEO, asking the financial officer to wire $40,000 to a bank account. The account turned out to be overseas, and there was no way to get the money back once the executives realized they had been defrauded, Masuno said.
“These are not guys who are sitting in their mother’s basement,” Marcus Yano, chief operations officer for Hawaiian Telcom’s SystemMetrics cloud computing and data center unit, said of the hacking groups. “This is a multibillion-dollar business.”
But money isn’t what the makers of Shamoon are after. The same goes for a virus known as NotPetya, Hirani said, which was used mainly to attack computers in Ukraine.
While a recent virus called WannaCry was more like ransomware, asking people to send Bitcoin to unlock their networks, NotPetya was meant simply to damage.
Whether the destructive malware is coming from governments or organizations simply trying to cause political turmoil is hard to tell, Hirani said.
“I can’t say it’s this person or this country because you can never be sure,” he said.
Regardless, attacks like Shamoon 2.0 certainly sent a message to the Saudi Arabian populace.
“It made an impact the people knew about,” he said.