Tag Archives: duqu virus

Who is Afraid of Shamoon? How to Wipe a Country Off the Face of the Earth

Suspected Iranian hackers infiltrated critical infrastructure and government computers in the Persian Gulf nation of Bahrain in July-August  2019, raising fears among leaders in the region that Tehran is stepping up its cyberattacks amid growing tensions…Hackers broke into the systems of Bahrain’s National Security Agency—the country’s main criminal investigative authority—as well as the Ministry of Interior and the first deputy prime minister’s office, according to one of the people familiar with the matter.

On July 25, 2019 Bahrain authorities identified intrusions into its Electricity and Water Authority. The hackers shut down several systems in what the authorities believed was a test run of Iran’s capability to disrupt the country, the person said. “They had command and control of some of the systems,” the person said.  The breaches appeared broadly similar to two hacks in 2012 that knocked Qatar’s natural-gas firm RasGas offline and wiped data from computer hard drives belonging to Saudi Arabia’s Aramco national oil company, a devastating attack that relied on a powerful virus known as Shamoon.  Bahrain is the smallest country in the Persian Gulf, but it is strategically important because it’s the permanent home of the U.S. Navy’s Fifth Fleet and Navy Central Command. It is closely allied with its much larger neighbor, Saudi Arabia, a regional rival of Iran.

The Bahrain authorities haven’t definitively attributed the attack to Iran, but they have been provided intelligence by the U.S. and others suggesting Iran is behind it, the people familiar with the matter said….“In the first half of 2019, the Information & eGovernment Authority successfully intercepted over 6 million attacks and over 830,000 malicious emails. The attempted attacks did not result in downtime or disruption of government services,” 

Excerpt from High-Level Cyber Intrusions Hit Bahrain Amid Tensions With Iran, WSJ, Aug. 7, 2019

CyberWeapons: Regin Malware

An advanced piece of malware, newly uncovered, has been in use since as early as 2008 to spy on governments, companies and individuals, Symantec said in a report .  The Regin cyberespionage tool uses several stealth features to avoid detection, a characteristic that required a significant investment of time and resources and that suggests it’s the product of a nation-state, Symantec warned, without hazarding a guess about which country might be behind it. The malware’s design makes it highly suited for long-term mass surveillance, according to the maker of antivirus software…

The highly customizable nature of Regin, which Symantec labeled a “top-tier espionage tool,” allows for a wide range of remote access Trojan capabilities, including password and data theft, hijacking the mouse’s point-and-click functions, and capturing screenshots from infected computers. Other infections were identified monitoring network traffic and analyzing email from Exchange databases….

The malware’s targets are geographically diverse, Symantec said, observing more than half of the infections in Russia and Saudi Arabia. Among the other countries targeted are Ireland, Mexico and India. [ Regin have been identified also in Afghanistan, Algeria, Belgium, Brazil, Fiji, Germany,Indonesia, Iran, Kiribati, Malaysia, Pakistan, Syria]

Regin is composed of five attack stages that are hidden and encrypted, with the exception of the first stage, which begins a domino chain of decrypting and executing the next stage. Each individual stage contains little information about malware’s structure. All five stages had to be acquired to analyze the threat posed by the malware.  The multistage architecture of Regin, Symantec said, is reminiscent of Stuxnet, a sophisticated computer virus discovered attacking a nuclear enrichment facility in Iran in 2010, and Duqu, which has identical code to Stuxnet but which appeared designed for cyber espionage instead of sabotage.  Symantec said it believes that many components of Regin remain undiscovered and that additional functionality and versions may exist.  “Regin uses a modular approach,” Symantec said, “giving flexibility to the threat operators as they can load custom features tailored to individual targets when required.”

Excerpt from Steven Musil Stealthy Regin malware is a ‘top-tier espionage tool’, CNET, Nov. 23, 2014