Saudi Arabia’s central bank has reportedly been hit with the destructive disk-wiping malware called Shamoon that affected multiple government entities’ computer networks over the past two weeks. Bloomberg reports that an investigation into the breach, which is still in its early stages, is currently underway, citing two anonymous sources briefed on the investigation.
However, the country’s central bank – known as the Saudi Arabian Monetary Agency – reportedly said in a statement issued that its systems had not been breached, adding it is continuously monitoring to safeguard its systems against cyberattacks, the publication reports.
The sources said that the cyber attacks, which targeted various other government entities in Saudi Arabia, used the powerful Iran-linked malware. Another source told Bloomberg that the number of agencies affected will likely increase as the investigation continues.
This week, officials and security experts said that Saudi Arabia’s aviation regulator, the General Authority of Civil Aviation, was targeted by a version of the powerful Iran-linked malware in mid-November in a “carefully planned” attack that wiped out “critical data and bringing operations there to a halt for several days.”
State-run Saudi state news agency SPA reported on Thursday that the attack seemed to emanate outside the Gulf country and was one of “several ongoing cyberattacks targeting government authorities,” citing the National Cyber Security Center, Reuters reports. However, it did not specify the agencies targeted or when the new wave of attacks began.
Multiple security firms including Symantec, CrowdStrike, FireEye and Palo Alto Networks also warned of last month’s attacks on Thursday as well. Bloomberg cited two unidentified sources that said state-sponsored hackers were responsible for the attacks, adding that digital evidence suggested they originated from Iran.
Back in 2012, the deadly malware was used in attacks targeting Saudi Aramco and other energy companies and wiped out hard drives and left behind images of a burning US flag on the affected machines. In the latest Shamoon attacks, hackers left the image of the body of three-year-old Syrian refugee Aylan Kurdi whose drowned body was found on a beach in Turkey last year.
“The attackers appear to have done a significant amount of preparatory work for the operation,” the Symantec Security Response team wrote on its blog. “The malware was configured with passwords that appear to have been stolen from the targeted organizations and were likely used to allow the threat to spread across a targeted organization’s network. How the attackers obtained the stolen credentials is unknown.”
Multiple security firms noted that the malware triggered the disk-wiping to commence at 8:45PM local time on Thursday (17 November), which is the end of the Saudi business week, in order to avoid discovery and inflict maximum damage.
“Why Shamoon has suddenly returned again after four years is unknown. However, with its highly destructive payload, it is clear that the attackers want their targets to sit up and take notice,” the blog read.
The attack is also the latest in a slew of cyberattacks targeting the financial sector. On Friday, the Russian central bank confirmed that hackers stole 2 billion rubles (over $31m) from correspondent accounts. In February, cybercriminals swiped $81m from the central bank of Bangladesh by targeting its access to the global bank messaging service, Swift.