Iranian group suspected of hacking Saudi aviation and petrochemical industries

22 September 2017

A new report by FireEye, a cybersecurity firm, claims that a group of hackers targeting the aviation and petrochemical industries in Saudi Arabia, the US and South Korea is suspected of working in Iran for its government. Stuart Davis, a director at one of FireEye's subsidiaries, briefed journalists on the report in Dubai on September 20.

The report said the suspected Iranian hackers left behind a new type of malware that could have been used to destroy the computers it infected, similar to two other Iran-attributed cyberattacks targeting Saudi Arabia in 2012 and 2016 that destroyed systems.

FireEye said the hackers used phishing email attacks with fake job opportunities to gain access to the companies affected, faking domain names to make it look like the messages came from Boeing or other defence contractors.

The hackers remained inside the systems of those affected for "four to six months" at a time, able to steal data and leaving behind the malware that FireEye refers to as Shapeshift. The code contains references in Farsi, the official language of Iran, FireEye said.

There is also evidence to link the attacks to the Nasr Institute, a suspected Iranian government hacking organisation.

Iran is believed to be behind the spread of Shamoon in 2012, which hit Saudi Aramco and Qatari natural gas producer RasGas. The virus deleted hard drives and then displayed a picture of a burning American flag on computer screens. Saudi Aramco ultimately shut down its network and destroyed over 30,000 computers.

A second version of Shamoon infected Saudi government computers in late 2016, with suspicion again falling on Iran.
